How We Can 'Free' Our Facebook Friends
from the data-portability-to-the-rescue dept
In the wake of the recent privacy controversy over Facebook and Cambridge Analytica, internet users and policymakers have had a lot of questions on the topic of “data portability”: Is my social network data really mine? Can I take it with me to another platform if I’m unhappy with Facebook? What does the new European privacy law, the General Data Protection Regulation (GDPR), demand in terms of my being able to export my data? What even counts as my data that I should be able to download or share, and as my friends’ data that I shouldn’t?
There’s a growing consensus that being able to easily move your data between social platforms, and perhaps even being able to communicate between different platforms, is necessary to promote competition online and enable new services to emerge. But that raises some difficult technical and policy questions about how to balance such portability and interoperability with your and your friends’ privacy interests—and how to guarantee that new privacy efforts don’t have the unintended consequence of locking in current platforms’ dominance by locking down their control over your data.
To investigate a potential path forward, New America’s Open Technology Institute partnered with Mozilla to host an event earlier this month, “A Deep Dive Into Data Portability: How Can We Enable Platform Competition and Protect Privacy at the Same Time.” It included a tutorial from OTI’s senior policy technologist Ross Schulman on the basic terminology and technologies at issue—for instance, distinguishing between “data portability” and “interoperability,” and explaining what the heck an “Application Programming Interface,” or “API,” is.
The event opened with a forceful keynote from David Cicilline, who’s a congressman for Rhode Island and the top Democrat on the House Judiciary Committee’s Antitrust Subcommittee. “We need pro-competitive policies that give power back to Americans in the form of more rights and greater control over their data,” Cicilline argued. “This starts by taking on walled gardens that block startups and other competitors from entering the market through high switching costs.”
Echoing a Wired op-ed he had previously co-authored, Cicilline highlighted how “[p]eople who may want to leave Facebook are less likely to do so if they aren’t able to seamlessly rebuild their network of contacts, photos, and other social graph data on a competing service or communicate across services.” Just as Congress gave cellphone users the right to “number portability”—lessening the switching cost of changing your cell carrier by giving you the ability to take your phone number with you—Cicilline argued that social network users should have the right to portability of their social media data. Unless we “free the social graph,” as one commentator put it, we may find ourselves locked into the current platform ecosystem with no chance of meaningful competitors emerging.
Importantly, Facebook has offered a feature called “Download Your Information” (DYI) since 2010. This lets users download all of the content they’ve ever posted on Facebook as a browsable HTML archive. (As described in our tech tutorial, other providers like Twitter and Google offer similar options.) However, Facebook’s download feature was originally designed as a personal archiving tool, rather than for easy porting of your data to another service. Indeed, when it was launched, Facebook clearly stated that “[t]his file and the information contained within it, is designed for an individual’s use and not for developers or other services.” That said, over the past couple of months, in response to both the Cambridge Analytica scandal and its data portability obligations under the GDPR, Facebook has revamped the DYI tool to be more portability-friendly. Most notably, Facebook now allows users to download their data in the structured JSON data format (see the tutorial for what that is!) instead of in unstructured HTML, making it much easier to move the data between different services.
But here comes the irony: The one thing you can’t download from Facebook is the one thing you’d most need if you wanted to move to a competing social network—your friends’ contact information, or any other unique information that would help you reconnect with them on another service. Instead, all you get is a list of their names, which isn’t very helpful for re-identifying specific individuals, considering how common many names are. Indeed, as was highlighted during the event, Facebook has long treated its possession of your friends’ contact information as a key competitive advantage, making it difficult for users to collect or export it.
For example, when users were first able to share an email address with friends on their profile page, it was displayed as a graphic rather than as text so that it couldn’t be cut and pasted. Some users may also recall when Facebook, in 2012, temporarily replaced users’ non-Facebook addresses with new “@facebook.com” addresses by default, making it harder to obtain off-Facebook contact information about your friends. And although there’s a hard-to-find setting where Facebook users can allow their friends to download their contact information, it is by default set not to allow such downloading—one of the rare Facebook settings that defaults away from, rather than toward, more sharing with friends.
Facebook has consistently justified its attempts to restrict sharing contact info as a privacy and security measure, but the alignment with its own business goals was always more than a little convenient. In addition, it’s also rather ironic, considering that a huge part of Facebook’s meteoric growth was driven by importing contact information from other services, especially Gmail (which led to a dispute between Google and Facebook back in 2010, when Google briefly cut off Facebook’s ability to access Google contacts over its API because Facebook wasn’t reciprocally allowing other services to access contact information on Facebook). Convenient and ironic or not, Facebook’s reticence to share contact information has only been bolstered by recent events: It was, of course, users’ ability to export data about their friends to outside apps that was at the root of the Cambridge Analytica scandal that has put Facebook in the privacy hot-seat. Meanwhile, thanks to GDPR’s privacy requirements, Facebook would now probably need to get affirmative consent from your friends before letting you export their email addresses, even if they arguably didn’t have to before.
There were no easy answers to this privacy-versus-portability conundrum coming out of our panel discussion. However, there were a few critical takeaways in terms of things that Facebook can and should do now to promote portability—and which are in its own interest to do, as it may face unwanted regulatory action if it doesn’t.
Help Set Clear Technical Standards. Easy portability of data between services will require open standards that everyone can use. Facebook’s offering downloadable data in the JSON file format is a good start, but it and other social networks should consider using the Activity Streams 2.0 open standard, a particular JSON-based format for exporting social media items. Facebook helped develop the standard at the World Wide Web Consortium, but right now only decentralized social network tools like Mastodon use it. On top of that, Facebook and all the other major cloud and social platforms should contribute to the open source Data Transfer Project, which aims to establish a common framework for easily moving data directly between services with just a few clicks and without having to download the data yourself. Google and Microsoft are already participating; others should, too.
Solve the Graph Portability Problem. Social platforms should allow you to export your friends’ contact information—or, if they can’t due to privacy restrictions, otherwise provide unique identifiers or other information sufficient to easily re-identify your friends on another platform. Your social graph is yours, and we need a standardized way to move that graph around. Some ideas that came out of the panel: Facebook could ask all users to give consent for their friends to export their contact information as part of Download Your Information—or at least give friends the power to ask each other for that permission. Or, Facebook could allow users to download some other unique piece of a friend’s data, like the URL of their profile or their unique Facebook user ID number. If that raises security concerns, the data could perhaps be “hashed” to obscure it while maintaining its usefulness as a unique identifier, as Josh Constine at TechCrunch has suggested. Facebook and others could maybe even petition the European Data Protection Board for an interpretation of the GDPR that would clearly allow such sharing for competition purposes. There are a range of possible solutions; the only certainty is that Facebook needs to start identifying and testing approaches now.
Allow Competitive Apps to Use the Facebook Platform. Data portability—letting someone download their data and transfer it elsewhere—isn’t the only way that people can leverage their Facebook data on another service. There’s also interoperability—the ability to use the Facebook Platform API to run an app that can make use of your Facebook data on an ongoing basis. The problem is that Facebook’s policy for app developers has long required that in order to make full use of the API, apps “must not replicate core Facebook features or functionality, and must not promote [their] other apps that do so.” For example, “your app is not eligible… if it contains its own in-app chat functionality or its own user generated feed” akin to Facebook’s messaging product or Facebook’s newsfeed. If Facebook doesn’t want to continue to be viewed by the public and by regulators as a platform monopolist, it needs to remove this anti-competitive provision and allow users to easily make use of their Facebook data on interoperable competing services.
Some of these steps would be easy for Facebook to take. Others would be more challenging. But all are worthwhile, and ultimately necessary, for ensuring an internet ecosystem that continues to be open, innovative, and competitive.
Reposted from New America’s Weekly Newsletter.
Filed Under: competition, data portability, privacy
Companies: facebook
Comments on “How We Can 'Free' Our Facebook Friends”
It's not enough
If you exported all your friends’ contact data, and imported it into another service, you wouldn’t have accomplished much. You’d be able to look at your social graph, maybe get the email address and phone number of each friend… but you wouldn’t be able to see the stuff they post on Facebook without a Facebook account. You wouldn’t be able to send them private messages, photos, etc. Realistically, you already have the contact information for each friend — their Facebook account ID — and you can’t do a damn thing with it.
Really, this data-export will only work if
a) all your friends move to the competing service, or
b) Facebook becomes interoperable with the competing service.
Or—and hear me out on this—we could burn Facebook to the ground and act like it never existed. I mean, it’s not like anyone but Zuckerberg is gonna miss it, right?
/s
Re: Re:
Masnick will miss the paychecks.
Why does Facebook care?
(Emphasis, and interpolation, obviously.)
Why does Facebook care whether it’s viewed by the public and by regulators as a platform monopolist?
The public has very little actual power. So the public’s views don’t matter. Not really.
The current “regulators” have ideological commitments predisposing them against regulation. So while the regulators’ views do matter, their view is that everything is copacetic.
Bottom line, why does Facebook care?
Google: Don’t be evil.
Facebook: Don’t even bother pretending we’re not evil.
Good article!
Thanks very much for this exceptionally informative (re)post. It’s interesting that Facebook’s lack of easy access to social data (for users, at least) is a major factor in locking-in its users. Few articles (and, one might guess, legislators) understand this particular subtlety.
Activity Streams is a fascinating idea. As Kevin notes, the challenge of mapping “activity” between arbitrary platforms is a big one, but this is a concrete attempt to solve it.
I can only sigh in disbelief when I read stuff like this:
“There’s a growing consensus that being able to easily move your data between social platforms, and perhaps even being able to communicate between different platforms, is necessary to promote competition online and enable new services to emerge.”
Look, you cannot have it both wayss. If you want to put personal information out there, be accessible to lists of friends, move that data between platforms even, be popular, etc., you voluntarily gave up your privacy and personal data. I have never been on facebook or myspace or social media because this was so damn obvious. If you want privacy, don’t seek out popularity. Period. You cannot control information you provide to others anymore than you can control what someone else does with something told to him or her in confidence in the real world.
If you use social media, your data will not be yours to control. Believing otherwise is just as silly as beliving you can have secure encryption that only law enforcement can access.
Re: Re:
I think it’s a misconception. I’m fairly sure you use e-mail. Does it mean you gave up your privacy to your mail provider? Or do you use GPG and the likes (which I must remind you have been shown to have critical vulnerabilities pretty recently)?
You are not giving up your privacy and personal data. You are allowing the service to see part of your data, your friends to see another part of that data (that may or may not be the same percentage) and the public at large to see another portion of your data (that can be 0%). It’s not always about popularity but rather about social interactions. Not everything has to be entirely private and this is the point. As you pointed out, once you say something about your life to someone it’s not entirely private anymore but it doesn’t mean you gave up your privacy. You didn’t announce in a megaphone or something (even though sometimes it may have the same effect if the person has a loose tongue or if there’s a breach in the service).
It’s about those trade-offs. Even when I used Facebook I’d segment what a portion of my contacts could see. Reality is more complicated than “you are giving up your privacy”.
Re: Re: Re:
Yes (if you’re not running your own server). Even with GPG et al. they get to see all the metadata: dates, senders/recipients, threading, even subject lines. It’s almost as revealing as the content, and not nearly as hard to datamine.
Re: Re: Re:
“I think it’s a misconception. I’m fairly sure you use e-mail. Does it mean you gave up your privacy to your mail provider?”
——
Yup. I have no way of knowing who will read it nor what they might do with what they read, so I use throwaway accounts and take that into consideration when using email.
——
“Or do you use GPG and the likes (which I must remind you have been shown to have critical vulnerabilities pretty recently)?”
——–
This is a red herring. Encryption will always suffer from a threat of some vulnerability. What matters is whether or not what you have encrypted is worth the effort of breaking the encryption to someone. This is also irrelevant to social media.
———
“You are not giving up your privacy and personal data. You are allowing the service to see part of your data,”
———-
Yes, you are and the “service” can see all of your data, no matter what you might wish to the contrary. If you use social media, you have to accept everything that goes along with it, including the likelyhood that you are being lied to regarding your data. You are trusting your data to complete strangers about whom you know nothing.
———–
“Not everything has to be entirely private and this is the point.”
———-
Of course not, but we aren’t talking about data that you don’t mind sharing with the world. We are talking about not being naive and not expecting things like facebook to use what you handed them to further whatever their business goals are.
———-
” You didn’t announce in a megaphone or something (even though sometimes it may have the same effect if the person has a loose tongue or if there’s a breach in the service).”
———
I assume that if I am going to tell someone something, that I quite possibly may be using a megaphone to tell the world and adjust my expectations of the person I am telling it to accordingly before saying anything.
———
“It’s about those trade-offs. Even when I used Facebook I’d segment what a portion of my contacts could see. Reality is more complicated than “you are giving up your privacy”.”
——–
Facebook can see it all and you know the people there less well than any of your contacts.
At some level, you have to take responsibility for what you are giving up for convenience. Facebook is not about soicializing. Talking to people in person is about socializing. Facebook is about avoiding that.
If you are explicit of what’s being done then things get simpler. Take the interoperability for instance. If both platforms make it clear what they will be accessing and when it is being accessed then it should not be too much of a problem.
Maybe add multi-factor authentication steps. I’m thinking something in the lines you’d have to provide specific tokens to each provider that are sent to a secure channel such their own 2FA codes that would be confirmed by the other service or some authentication key via e-mail (not very secure I know but it is one way).
Anyway, as the article says “the only certainty is that Facebook needs to start identifying and testing approaches now” but I’d argue that it’s not only Facebook, it’s everybody.
As a side note, when I see all this discussion I always remember how my psyche improved after I stopped using social networks, how it felt like a burden was lifted from my shoulders. And how all of this is basically a non-issue to me.
What does this do..
Sharing data..
What does it do?
What is SHARED??
What happens..
Part of this is Wonderful and MUCH of it isnt..depends on how we look at it..
Its great having DATA, friends, references, and All kinds of knowledge that we can Find..(try using the Library system, and NOT knowing all of it)
The Worse and BEST part of all of this LOST DATA.. Is Confusion, but for Whom? NOT REALLY YOU.
Corporations and Gov. LOVE having this knowledge. If it was All gathered up and cross connected between ALL those with the Name of ‘john smith’, you would have all the J. Smiths and know Everything about them all..
Anyone understand the Pro/Con of sharng info, WE ARE GOING ON VACATION, on facebook? you and your insurance company are going to have a BIG DISCUSSION..(better read the new contract about being an INTERNET IDIOT).
Corps might LOVE this, but that also adds to the confusion. ALL your numbers and addresses are out there. and HOW can you Prove “THAT aint you” 2 states or 2 countries over.
YOUR Credit card corp is REALLY going to hate this, IF; all this knowledge is taken ADVANTAGE OF..
WE could add another 1000 ‘John Smiths’
BAD part of all this. Is HOW we used to Disappear, 30+ years ago. And people dont get the IDEA that All those records that WERE PRIVATE, including Birth and death records(many many times NOT cross referenced) CAN BE USED AGAINST US.. We can now have 1,000,000 more Invisible people, ALIVE OR NOT…that can Vote. That can send letters to congress/FCC/FTC/anyplace THEY WISH.. using your name, at a location NOT NEAR YOU, or even your REAL address..
NOW they also have reason to Take DATA PICTURES FOR EVERY LICENSE IN THE USA…WITH PROOF OF WHO THE F… YOU ARE..
Which is not good either, as they are ALL going into the Computer recognition system..
IF you really ever wanted to hide, you BETTER MAKE a false ID, NOW..in another state/country.. Because soon, if the corp/police/gov..or your EX WIFE/HUSBAND wishes to track you.. Ever Public location WILL be able to, as well as your phone..
Who can see, THAT as you enter a public location, a Computer Tags your phone and gets your phone number and TAKES your picture…AND YOU DINT KNOW..Cross references it with the 50 states and gov. data bases, Calls your Ex spouse and tells them all WHERE YOU ARE.. GOT KIDS??
|And the Insurance company will know that 30 min before you reported the accident, YOU WERE IN 3 BARS.
I can’t believe we are even having this discussion.
If you use a free service your data is not yours. Anyone who uses social media and thinks they own their data clearly doesn’t understand how that service operates and makes money.
You wanna keep in touch with friends? Exchange emails or phone #’s. Quit using a public service and expecting privacy.
Re: Re:
That’s more of a rule of thumb than a guarantee. There are free services that respect your privacy and allow you control of your data.
Google, Twitter, and Facebook are not that kind of service. It’s good to be wary of the non-monetary costs of a service.
I think your use of the phrase "public service" here is probably the wrong choice of words. "Public service" has several meanings.
Fuck facebook