For the last few years, I’ve been on an admittedly quixotic entrepreneurial adventure building a fitness-focused social network. With Facebook’s latest data scandals in the limelight and Mark Zuckerberg’s Congressional hearings on everyone’s mind, here is my take on potential opportunities around data privacy and security, and niche social networks.
How We Got Here
Facebook’s entire history is a series of privacy misdeeds and tech bro arrogance. As described in The Economist, “this episode fits an established pattern of sloppiness towards privacy, tolerance of inaccuracy, and reluctance to admit mistakes.”
In the mid-2000s Facebook was siloed in Ivy League universities, which gave it a caché of exclusivity when it launched to the general public. That caché gets credited as being one of the main drivers associated with the service’s unprecedented growth. Facebook’s aggressive user acquisition strategy has always been clear. As Facebook Vice President Andrew Bosworth noted in a 2016 internal company memo about the company’s aggressive tactics, “The best products don’t win. The ones everyone use win.”
Sheryl Sandberg dismissed that memo on NPR, but it’s absolutely on target.
The pressure for user acquisition is everywhere. The friends counter reminds you that you never seem to have as many as everyone else. There are constant prompts to invite new people and connect with people who know people you might know. Some of my first Facebook posts pondered the meaning of a “Facebook friend” since I figured the outer rings of my actual social network totaled maybe 100. Was I the only one who felt like a loser because some in my Facebook network had hundreds of friends?
Massive scale begets perverse incentives. Facebook’s vast numbers of users mean it can conduct interesting experiments involving “engagement” and “brain hacking.” Facebook has moved well beyond merely capturing web browsing data to more intimate kinds of data. Isn’t it funny in an ironic, pathetic, sort of way that a Facebook game called “FarmVille” was harvesting user data? At this point, Facebook isn’t a social network, it’s a surveillance machine. Facebook Messenger is particularly egregious. If we didn’t know it before, the Cambridge Analytica scandal (as well as the Equifax data breach) shows we have arrived at a point when firms can’t be trusted with any of our data.
The Cambridge Analytica scandal just may be the tipping point that sways the public away from all services (not just Facebook) based on surveillance economy business models. Again, from The Economist, “firms that hoover up consumer data … should assume that their entire business model is at risk. As users become better informed, the alchemy of taking their data without paying and manipulating them for profit may die. Firms may need to compensate people for their data or let them pay to use platforms ad-free.”
A corollary to Bosworth’s statement about user growth is “if you’re not paying for the product, you are the product.”
Within the prevailing surveillance economy using “free” services comes at the cost of your privacy. Tracking web browsing history with “cookies” is the latest incarnation of the way advertising has worked for decades in print and television. But, at this point, the magnifying effects of the web and its technologies are rendering these old advertising models untenable. Even Google recognizes that folks don’t want their browsing behaviors tracked and is producing an ad-blocker. Facebook is the most visible culprit at the moment, but surveillance-based business models are ubiquitous.
The utility of the surveillance economy is past its prime. With perverse incentives in place, Facebook has taken this business model to its logical extreme, and is doing obvious harm to personal relationships, society, and democracies. Meanwhile, colossal databases where all of this information is stored are an incessant target for hackers. It’s time for something new. The opportunities ahead include services built around privacy, security, and niche social networks.
During Zuckerberg’s Congressional testimony last week, the spectacle was quite predictable. The questions from many members of Congress exposed their lack of understanding about Facebook’s issues and technology in general. There was some stern scolding and vigorous finger-wagging. Like he has been doing since 2003, Zuckerberg sincerely apologized again. He did some tech-bro ‘splaining, and was caught flat-footed when questioned about user tracking. There is no reason to expect any action from Congress at least until after the mid-term elections.
These are big problems to solve. Regardless of the user’s technological proficiency or access, new services must address these needs:
- Control: The ability to decide exactly which data, if any, we are willing to share. The basic standard for sharing must be “opt-in,” but users also need super easy ways to manage their privacy.
- Security: Our data needs to be absolutely secure. Only entities we authorize should get to see it, and only when they need to view it.
“Data” is a broad term, and I would expect a series of working definitions about it as solutions evolve. Does data include things like social security numbers and medical intimacies? Absolutely. Does it include clicks and behaviors on a social network? I’d say yes, but obviously, there are numerous use cases that will require detailed technical and legal discussions. Given the wide range of what falls under the “data” umbrella, potential solutions will necessarily come about in a stepwise progression from “simple” to “hard.”
Some guiding principles I think should be applied to future product development include:
— Decoupling user data storage from the services that use them. The locus of control for user’s private data needs to move from firms to individuals, and be stored in a disaggregated configuration. Decentralizing sensitive data would make it impossible to grab in bulk, if at all. Instead of massive data singularities, individuals’ data needs to be dispersed in such a way that it’s no longer a feasible hacking target.
— Instead of users constantly needing to be on the defense, new solutions need to move in the direction of positioning users in the offense.
There are a number of potential solutions floating around these days. At this point, the actions fall into three categories:
Europe’s General Data Protection Regulation (GDPR) becomes a requirement starting May 25, and it may have international consequences. GDPR includes the right to data portability, meaning users can move data from one service to another. It also strengthens requirements for explicit and informed consent about a user’s data. It will be interesting to see which U.S. firms get on board, how this will translate into product features, and whether users feel that it addresses the concerns listed above.
When asked by a reporter about Facebook’s position regarding GDPR Zuckerberg responded, “We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing.” During the Congressional hearings, he said that there were elements of GDPR that the European Union got right but did not endorse the regulations altogether. I interpret that to be tech bro doublespeak for “not gonna happen.”
The Economist speculates that Facebook could become a regulated utility. I doubt that will ever happen.
Legislation can play a role in solving these challenges, but there are a couple problems with expecting it to help us much. One issue is that technologies evolve quickly, so legislative solutions thought to be effective when they were drafted will lose relevancy as time progresses. Also, depending on the underlying incentives, firms may feel compelled to find legal or technical loopholes around the intent of the legislation.
For legislation to address the existing problems, it will need to limit the breadth and depth of the surveillance economy, and define who owns which “data.” Well-drafted legislation could force firms and users alike to re-think business models.
2. Self-imposed Improvements to Governance and Product Development
Firms might make changes to their governance and product development practices so they align with the user needs listed above. Legislation could impose some rules about corporate governance, but it would be impossible and undesirable to make rules about firms’ product development processes.
Several New Yorker contributors discussed revisions to Facebook’s self-governance practices, but there is zero evidence that contrition from Zuckerberg will result in any meaningful changes. Based on the firm’s and Zuckerberg’s leadership track record, I’m skeptical this will amount to much more than an apology (Sheryl Sandberg is currently on what has been called an “apology tour”), then back to business as usual. For things to change at Facebook, I think they’ll need to develop non-surveillance business models, and change leadership.
We have reached a point when services with a proven track record respecting their users’ privacy and ensuring security should be as competitive as ever.
3. Industry Solutions
Here is my take on the kinds of services that can address our need for privacy and security. I can imagine a kind of dashboard, similar to what some ad blocking tools already have in place, where users can control the privacy levels of their data, combined with a set of technologies that also manage the security of the data.
Privacy means defining which data you share and with whom. Existing privacy solutions include ad-blocking plugins and extensions for web browsers. Some of these have been around for a number of years, and are the leading edge of a new generation of tools and services that I expect to see in the months and years to come. A few of the options on my radar this week (it changes almost daily) include:
The Facebook Container by Mozilla is supposed to isolate your web activity from Facebook. I have it running on Firefox but honestly, I can’t verify that it’s working properly because I don’t see the “container.”
Security means that your data can’t get stolen. The technology that gets mentioned in almost every data security discussion is blockchain. I expect that it will require combinations of technologies to get us to a state of data security. Blockchain incorporates the principle of disaggregation mentioned above.
Niche and new social platforms
Assuming most folks agree with the idea that “massive scale begets perverse incentives,” I expect to see innovation around social services that target niche user groups. I’m not impartial on this topic: My startup, motion.social, is a niche social service for fitness groups.
Mastodon bills itself as “the world’s largest free, open-source, decentralized microblogging network.” The Washington Post calls it the service that will replace Facebook. I’ve asked around, but can’t find anyone who uses it.
Ikda is “a collaborative social platform that allows you to share and communicate, while keeping your data private and safe.”
Updated business models
Assuming enough folks decide to limit their participation in the surveillance economy, subscription models are likely to thrive. Subscriptions seem to be working for Spotify and others. At my startup — based on our anti-advertising sentiment and what we were able to discern from the black box of Google’s advertising program, we never thought advertising would pay the bills. Bundles of subscription-based features seemed to be the only way to run our business.