Data Privacy Matters: What's Next for Big Tech?


Ethical considerations for managers in the technology industry

Author: Clayton Nesslein


The technology industry has faced a myriad of data privacy issues since the inception of the internet. The digital age has created a unique set of challenges that were largely unanticipated. New scandals surface regularly; some are the result of management blunders, others are the unintended consequences of opening new technology frontiers without understanding the consequences. The victims of data breaches are unsuspecting users of online platforms, or even innocent customers of consumer brands. Online use is not even a prerequisite for being a victim of data theft or abuse, as evidenced by the Target hack of 2013, in which the credit card data of 40 million customers was stolen.

The relative youth and immaturity of cloud computing has led to a “wild west” environment in which companies are still trying to understand what their responsibility is to the consumer, and how best to protect data. Consensus is lacking on what best practices are, and on how much effort should be expended to secure private information. Conflicts exist between profits and data privacy. For example, the primary business model for social media platforms is an advertising-based revenue stream. These models rely heavily on sharing user information with advertisers to best target consumers. Striking a balance between the competing interests of users and business is paramount to making progress in the realm of data privacy.

Who can we turn to for answers and assurances that our privacy is protected? In the U.S., legislation seems well behind the curve. Laws exist, such as the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act (SCA), but those laws only protect citizens from unwarranted government access to electronic information. Within the sphere of private industry, federal legislation does not provide any guarantee of data privacy for consumers or online users. There is an evolving demand for privacy that comes with new online technologies and applications. Certain state laws protect personal information and require encryption, but no national standard exists. The Federal Trade Commission (FTC) is empowered to protect consumers from unfair and deceptive practices. It has used this power to enforce penalties upon tech companies, which include ongoing data audits along with fines (Hill). The European Union enacted the EU GDPR in 2018, which may serve as a blueprint or a catalyst for further legislative action in the U.S.

Are we entitled to data privacy? Much debate is required to develop a consensus on what companies should do to protect our information. Do businesses have a responsibility to keep our information safe, or is it a situation of caveat emptor? The most salient argument is in favor of stronger consumer protections. A blueprint for further data privacy protections could include a right to deletion, a right to object to marketing, and a right to data portability.

The online and social media realm comprises many competing companies, but is dominated by two key players: Facebook and Google.

Facebook has annual advertising revenue of $60 billion, along with 2.3 billion active users of its platform. The data collected on each one of those users is vast in scope. It includes content users provide, networks and connections, product usage, purchases, device information, device attributes, and device operations. The company uses this information to improve its products, but also shares it with third-party apps and advertisers.

The third-party sharing has led to multiple scandals and data breaches. The Cambridge Analytica scandal is arguably the highest-profile case, with far-reaching implications. Data on 87 million users was shared with Cambridge Analytica, which gained access to the information through the developer platform under the guise of academic research. The consent of 300,000 users was leveraged to access data on their entire network of friends and connections (without explicit consent from those users), which accounted for the 87 million. That data was then used to create political profiles on individuals, and was leveraged by the 2016 Trump campaign for President. The degree to which this work influenced voters is questionable, but it is still important to consider.

More recently, Facebook has come under fire for highly controversial content shared by users. For example, the company’s livestream functionality allowed a shooter in New Zealand to broadcast the horrific mosque attack live via Facebook (Kelly). Misinformation and deceptive individuals have learned how to thrive in such online communities, gaining greater influence in politics and media. Previously, technology firms had taken the stance that they provide a platform for content, but are not required to moderate that content. After seeing the far-reaching implications of foreign actors gaining influence over U.S. elections, and acts of violence perpetrated live on the platform, Zuckerberg and other executives have come to understand that they wield great responsibility in how they craft and manage data privacy and other content issues.

Google is a global behemoth of the online world with annual revenue of over $100 billion, along with 7 services that tout over 1 billion users each (Popper). Those apps, including Android OS, Google Maps, YouTube, Chrome, Gmail, Search, and Play, collect a vast array of data on users in all facets of life. Google+ exhibited the same weaknesses and exposed data to third-party apps as Facebook did during the Cambridge Analytica era, but did not experience such a high-profile scandal. The company confessed to a bug that could have exposed the data of 500,000 users since 2015. Google came to a settlement with the FTC in 2011 which required 20 years of privacy audits as a consequence of deceiving users about its privacy practices.

These two companies are not direct competitors. Facebook is social media-focused. Google has a variety of platforms including online search, web-browsing, email, etc. But there is a common thread between them, and it is that they both have access to and collect a vast amount of information about users through smartphones and other online activity. They know what websites we visit, who we communicate with, where we shop, and much more. Subsequently, advertisers on the Google and Facebook platforms are provided with this information, which allows for optimal targeting of key demographics. Many ethical issues are faced due to the competing interests of users, platforms, and advertisers.

Ethical Issues in the Industry

Google and Facebook will continue to face a highly fluid landscape in the realm of data privacy. The companies both developed their platforms as agnostic hosts, whereby users could share, post and search for whatever they wanted. But as time goes on, the call for active platform moderation has grown. Cases of violent videos, racist content, and hate speech have caused a debate on what role these companies should play in moderating content. How should Facebook moderate the activity of 2 billion users? How should Google moderate the content of 7 platforms with over 1 billion users each? Even after hiring some of the brightest minds in legal, public relations, public policy, and crisis management, Facebook still considers content management to be the biggest challenge it has faced to date, and also the largest risk for the company. “There are failures of policy, failures of messaging, and failures to predict the darkest impulses of human nature. Compromises are made to accommodate Facebook’s business model. There are technological shortcomings, there are honest mistakes that are endlessly magnified and never forgotten, and there are also bad-faith attacks by sensationalist politicians and partisan media” (Koebler & Cox).

Facebook content management has reached true crisis level. The impact spans the globe and threatens the long-term viability of the company. Three of the five “Common Sources of Crisis at the Organizational Level” (Leavitt) pertain to the issues the company is facing every day: consumer protection, conflicts of interest within/across industries, and advertising are all relevant.

In the social media space, consumer protection as a source of crisis management can arise due to improper data privacy of consumers, lack of quality control over content being shared, or lack of notification when data breaches occur.

There are many conflicts of interest that exist in the industry. CBC makes the case that “extreme content” is what drives user engagement. The case is made that the Facebook business model relies on extreme content to keep users online longer, feeding them more ads. Therefore, the company will always put profit before user safety. In one real-world case, the company left a video up for 6 years showing the beating of a child. It had been shared tens of thousands of times. Facebook can always cite spreading awareness as their motive for not blocking content, whether it relates to domestic violence or any number of sensitive topics.

Advertising is a major source of risk (and profits) for Facebook. The company opens itself up to almost any advertiser that is willing to pay for impressions and clicks. Thousands of products and services are visible on the Facebook platform every day. Any number of those companies could show deceptive ads to consumers. Additionally, the sheer volume of companies that Facebook hosts can pose an issue. Any one of those companies could face ethical issues of their own, which then become associated with Facebook due to the advertising relationship.

The inherent complexity of the content management issue means that the data policies crafted by Google and Facebook will always be flawed. Content management is covered under the “Community Standards” section of those policies. The goal of these standards is to encourage expression and create a safe environment. Facebook recognizes that diverse views are shared that may be considered normal to one group but objectionable to another. Their goal is to weigh public interest value against the risk of harm. Content management policies are relatively clear on issues of violence and criminal behavior. The company will remove language and posts that incite or facilitate violence. Despite this seemingly clear policy, they will leave posts up that show violence, but have a condemning caption (to spread awareness). The ethical pitfalls of such a policy should be abundantly clear (Facebook Community Standards).

Are companies collecting the right data?

Facebook and Google collect every piece of data that is possible. There is almost nothing left on the table for them to collect. The advertising-based revenue model means that the more data they can collect on users, the more ability they have to repackage that information for advertisers. Those advertisers can then target the “right” customers. More importantly, U.S. citizens do not necessarily have the right to access what information has been collected on them.

The EU GDPR has a “Right of Access” clause which can serve as a model. EU citizens have the right to access any data collected, and also to know how it is being used. Taking it one step further, the law ensures a right to erasure. This “right to be forgotten” means that citizens have the right to request erasure of all personal data held on a company server (EU GDPR, Article 17).

More importantly, the scope of the data being collected and shared with other companies may be limited by the EU GDPR. Whereas Facebook and Google currently collect any piece of data that is possible, the EU GDPR uses a “legitimate interest” clause to limit the scope of data. “The processing must relate to the legitimate interests of [the] business or a specified third party” (Combemale, Chris et al.). The data sharing must be aligned with a specific objective or campaign, otherwise known as “Correct Marketing to the Correct Person” (Ico.org.uk). Whether private industry or government is the first to act, it is clear that limiting the scope of information collection to align with specific objectives is the most important concept.

Alternative Data Policy Recommendations

Recommendations for improvements to the data policy of Facebook and Google are focused on the scope of information that is collected, how the data is used and stored, and who the data is shared with. User rights should also be a central theme in improved data policies.

The current scope of information being collected includes information and content that users provide, information about networks and connections, usage, transactions, device information, and third party information. If one were to model data collection to be within the scope of EU GDPR, there would have to be a legitimate business reason with a specific objective. This approach may be able to narrow the scope of data collection.

Data storage is covered in only the most general terms under the current policies. Considering the laundry list of data breaches that have occurred, there needs to be a federal standard for security of user data. Currently, each company sets its own standards for encryption and data protection; government regulation may be able to raise the floor for security. We have also witnessed many real-world instances where victims of a data breach are not informed of it until months after the occurrence. Equifax was hacked in 2015. Sensitive information on over 100 million Americans was compromised. The company waited for over a month to release the information to the public. In the meantime, executives were selling shares of their company stock worth millions of dollars. Disclosure of data breaches to affected users should not be optional. The company executives made a utilitarian decision to withhold the information for their own gain. This places a limit on a rights-based approach, since information is then disclosed to users only if the disclosure benefits the company more than it harms it. A categorical approach to data privacy and security should be the standard policy of the land, whereby the rights of the users always take precedence over the profit-driven interests of business.

Data sharing is one of the most contentious issues facing social media companies today. There is a direct conflict between the privacy of the individual and the profit motives of the company. Also contained in this sphere is the simple yet broad concept of “public information”. It is possible for someone to have information shared about them without their consent. Today in the U.S., little or no recourse exists for individuals who are victims of public information sharing on the internet. The EU GDPR has enacted a right to be forgotten, “a concept that has arisen from the desires of individuals to determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past” (Mantelero). Federal legislation in the U.S. would even the playing field for private companies, and compel them to act in users’ best interest.

Tech firms in the U.S. are notorious for using the “auto opt-in”, whereby the default settings for data collection and sharing give broad latitude to the company to collect and share user data. The EU GDPR has developed a lawful basis for processing. Informed consent must be given by the user for data processing. It is not enough for a user to provide unambiguous consent. “Consent must be a specific, freely-given, plainly-worded, and unambiguous affirmation given by the data subject; an online form which has consent options structured as an opt-out selected by default is a violation of the GDPR… Silence, pre-ticked boxes or inactivity should not therefore constitute consent” (EU GDPR, Recital 32). The measure is a direct result of the opposite practices by the technology firms in the U.S.

Conclusion

The debate over data privacy and user rights will continue to be a newsworthy topic for years to come. We have entered an age where the human desire for privacy is anathema to the continued progression of the world wide web. But it does not have to be a self-fulfilling prophecy. The rights of the individual need to be paramount in how companies draft future policies and how governments enact new legislation. Social improvement must be balanced with the economic interests of firms to avoid negative externalities. It is yet to be seen what positive externalities may exist from heightened data protections, but one can speculate that putting the rights of the individual above the rights of profit-driven interests can only create a more just and egalitarian society.


Supplemental Information: Google and Facebook Privacy Policy Deep Dive

Facebook and Google continue to update and revise their data privacy policies on a regular basis to follow U.S. and International laws.

The Facebook policy has three major sections dedicated to data use and privacy: How data is 1) collected, 2) used, and 3) shared. The policy states that the inherent nature of social media requires that certain information about users must be processed and collected. The company collects content, communications, and other information when a user signs up for an account, creates and shares content, or communicates with others. Not only is the content information collected, but metadata pertaining to date stamps and location stamps on photos and uploads can be used and analyzed. Network and connection data are collected, such as the people that a user interacts and communicates with. Usage data and user transactions with products are also collected.

The device(s) one uses supply a treasure trove of data to Facebook, and allow the company to tailor its products and services to specific users. Device attributes are collected, such as the operating system, hardware and software versions, battery level, available storage space, browser type, app and file names, and plugins. Device operations, such as user behavior beyond the scope of Facebook use, are also collected. All device signals, such as cell tower, Wi-Fi and Bluetooth, fall under the purview of collectable information.

Beyond device and activity information, Facebook collects cookie data. Cookies are a foundational element in online advertising and in the customization of web pages to specific user preferences. Whenever a server sends a page requested by a user, it can attach a small piece of text that contains a unique “cookie” value. The browser then stores the string and returns it to the server with every subsequent request, which lets the site recognize the same visitor across page views. Websites and online platforms can record this activity and track the on-site behavior of users. Advertisers can better understand the online habits of visitors and can promote certain products based on the information they gather from cookies.

Cookies may be a point of contention amongst users, as the level of personalization that they allow in online “chase” ads and other tailored product suggestions may rise to such a level of specificity that some may find it invasive and offensive. Cookies can be blocked by a user, but doing so can render many Facebook features quite unworkable. This brings up an ethical issue for Facebook and other companies. It is up to them to use cookie data responsibly without becoming overly invasive and intruding on user privacy.
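To make the cookie mechanism of the last two paragraphs concrete, here is an added Python simulation (not code from the essay, nor Facebook's or any browser's implementation): a server issues a visitor cookie on first contact, the browser returns it on later requests so that page views can be linked into one profile, and a browser that refuses the cookie breaks that linkage at the cost of the personalized experience. The cookie name, paths and site behaviour are constructed for illustration.

```python
"""Simulation of cookie-based visitor tracking: a site assigns a unique id
via Set-Cookie, the browser echoes it back, and the site can then tie every
later page view to the same profile.  Constructed example; not real code
from any platform."""
from collections import defaultdict
from http.cookies import SimpleCookie
import secrets

COOKIE_NAME = "visitor_id"   # constructed name for the tracking cookie


class TrackingServer:
    """Stands in for the website: mints visitor ids and records pages per visitor."""

    def __init__(self):
        self.visits = defaultdict(list)   # visitor id -> list of pages viewed

    def handle(self, path, cookie_header=None):
        """Serve one request and return (response_headers, body)."""
        jar = SimpleCookie()
        if cookie_header:
            jar.load(cookie_header)         # parse the "name=value; ..." sent by the browser
        headers = {}
        if COOKIE_NAME in jar:
            visitor = jar[COOKIE_NAME].value
            body = f"welcome back: {path} tailored to your earlier visits"
        else:
            # First contact: mint an unguessable id and ask the browser to keep it.
            visitor = secrets.token_hex(8)
            morsel = SimpleCookie()
            morsel[COOKIE_NAME] = visitor
            morsel[COOKIE_NAME]["path"] = "/"
            morsel[COOKIE_NAME]["secure"] = True      # only ever sent over HTTPS
            morsel[COOKIE_NAME]["httponly"] = True    # not readable by page scripts
            morsel[COOKIE_NAME]["samesite"] = "Lax"   # withheld on cross-site requests
            headers["Set-Cookie"] = morsel.output(header="").strip()
            body = f"hello, new visitor: generic {path}"
        self.visits[visitor].append(path)
        return headers, body


class Browser:
    """Stands in for the user agent; either stores cookies or refuses them."""

    def __init__(self, accept_cookies=True):
        self.accept_cookies = accept_cookies
        self.stored = {}                   # cookie name -> value for this site

    def get(self, server, path):
        cookie_header = "; ".join(f"{k}={v}" for k, v in self.stored.items()) or None
        headers, body = server.handle(path, cookie_header)
        if self.accept_cookies and "Set-Cookie" in headers:
            parsed = SimpleCookie()
            parsed.load(headers["Set-Cookie"])
            for name, m in parsed.items():
                self.stored[name] = m.value   # a real browser also honours the attributes
        return body


def distinct_profiles(accept_cookies, paths):
    """Browse the paths in one session; return (number of profiles, sorted pages per profile)."""
    server, browser = TrackingServer(), Browser(accept_cookies)
    for path in paths:
        browser.get(server, path)
    return len(server.visits), sorted(len(p) for p in server.visits.values())


if __name__ == "__main__":
    session = ["/home", "/shoes", "/checkout"]   # constructed browsing session
    print("cookies accepted:", distinct_profiles(True, session))   # one profile spanning 3 pages
    print("cookies blocked: ", distinct_profiles(False, session))  # three unlinked one-page profiles
```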

Now that Facebook has all this information on users, how is it used? The company uses it to provide personalized feeds and products, as well as provide improvements and feature updates. Location-related information is collected such as current location, where a user lives, and where they visit. This is then used to personalize products and ads. Even facial recognition data can be used to identify a person in a photo or certain types of experiences that they have had. Most importantly, they use all of the collected information to select and personalize ads and offers.

Beyond just simply tailoring ads, the company provides measurement and analytics to other businesses. They also promote safety and integrity by combating harmful conduct on and off the platform. Taking it one step further, Facebook says they research and innovate for social good. This can include innovation on issues such as general social welfare and technological advancement. This is where Facebook has a supposed (and arguable) competitive advantage in Corporate Social Responsibility (Porter and Kramer). They are leveraging capabilities within their sphere to enhance the social environment in a competitive context. For example, the “Safety Check” feature allows users to identify themselves and loved ones as unharmed during crises or natural disasters. More recently, Facebook has developed a multidimensional form of Safety Check, called Crisis Response. It brings together Safety Check and Community Help with news alerts and public posts from government agencies. Beyond basic philanthropy, the company has made an effort to use their data for public good.

Facebook also shares user data in a variety of ways. They make it very clear that user information may be public information unless privacy settings are updated. The company can send information to any one of their products or third-party services. Third-party services can include partner apps, websites and third-party integrations. In the past, this has opened a “Pandora’s box”, since not all third parties were properly vetted. The ways in which third parties used the data were not regulated or moderated by Facebook in any meaningful way.

The policy specifically states that “apps and websites you use will not be able to receive any other information about your Facebook friends from you, or information about any of your Instagram followers.” This is in response to a scandal in 2016, where 300,000 users gave Cambridge Analytica full access to all of their connections, which totaled 87 million users. That data was then used to create profiles for targeting during the presidential campaign of 2016. Developer data access has been one of the major points of contention, and a major source of data breaches for Facebook. Future restrictions for outside developers and third parties are inevitable, as EU GDPR and possible legislation in the U.S. come down the pipeline. Additionally, Facebook states that it will comply with law enforcement or subpoena requests for data.

Despite the company’s broad scope in collection of data as the default setting, they do not retain the data in perpetuity. On a case-by-case basis, data is deleted as it is deemed unnecessary for legal or operational needs. Users also have the right to delete data, or change their personal settings to restrict data collection (Facebook Privacy Policy).

Not surprisingly, the Google Privacy Policy follows the same format of how data is: 1) collected, 2) used, and 3) shared.

Google collects personal information such as name, password, phone numbers and credit card numbers. Device information such as browser type and OS is collected. Activity information is collected en masse for terms that are searched, videos watched, interactions made, audio information, purchase activity, shared content, and browsing history. Location information is collected via GPS, IP address, and sensors. The data is then used to provide services, and to improve upon those services. Personalization of those services, including content and ads, is central to the company’s business model. They provide recommendations, personalized content, and customized search results to users.

Despite the treasure trove of information that Google collects and uses, the company supposedly does not release personally identifiable information to advertisers. Also, a major similarity between Facebook and Google lies in how sensitive categories are handled. Personalized ads will not be shown for categories such as race, religion, sexual orientation, or health (Google Privacy Policy).

Both companies allow users to customize privacy settings. For example, Google allows users to customize or turn off activity controls, manage preferences about ads, and control what others see about them across Google services. Therefore, one could use Search and YouTube effectively without having any data collected on them.

Facebook’s ability to abstain from data collection if requested by a user is not so absolute. The act of using Facebook requires an account with a login. All activity including viewing posts, clicking on links, and interacting with others will be collected by Facebook. This is not a setting that can be changed, and it is the most salient difference between the Google and Facebook privacy policy.

Facebook will continue to collect data if users are actively using the platform, but the company does allow users to restrict ads based on Facebook activity. Users may subsequently see generic ads and others with less relevance to them. Privacy settings are also adjustable. A user can adjust settings so their posts are only available to friends instead of the public. There is also a setting to restrict search engines outside of Facebook from linking to a user profile.

The Facebook and Google privacy policies are very similar. They both make the case that collecting user data is necessary to provide a better user experience, by customizing pages and tailoring ads and suggestions. In both cases, privacy settings can be easily changed and managed by users.


References

Wallace, Gregory. Target credit card hack: What you need to know. https://money.cnn.com/2013/

OSU: Mgmt 559. Introduction to Corporate Responsibility. Leavitt, Keith.

Hill. So, What Are These Privacy Audits That Google And Facebook Have To Do For The Next 20 Years? www.forbes.com

ICLG. USA: Data Protection 2018. https://iclg.com/practice-areas/

Chang, Alvin. The Facebook and Cambridge Analytica scandal, explained with a simple diagram. www.vox.com/policy-and-politics

Kelly, Heather. Facebook changes livestream rules after New Zealand shooting. www.cnn.com

Grothaus, Michael. How our data got hacked, scandalized, and abused in 2018. www.fastcompany.com

Neidig, Harper. How our data got hacked, scandalized, and abused in 2018. https://thehill.com/policy

Popper, Ben. Google announces over 2 billion monthly active devices on Android. www.theverge.com

Facebook Privacy Policy. April 19, 2018. https://www.facebook.com/policy.php

Google Privacy Policy. January 22, 2019. https://policies.google.com/privacy?hl=en-US

Porter and Kramer. Strategy & Society: The Link Between Competitive Advantage and Corporate Social Responsibility. Harvard Business Review.

Koebler & Cox. The Impossible Job: Inside Facebook’s Struggle to Moderate Two Billion People. 2018. www.vice.com

OSU: Mgmt 559. Crisis Management, and the Future of Labor. Leavitt, Keith.

CBC Docs. How does Facebook Moderate its Extreme Content. www.cbc.ca

Facebook Community Standards. www.facebook.com/communitystandards/

EU GDPR. Article 17. https://gdpr-info.eu/art-17-gdpr/

Combemale, Chris et al. GDPR for marketers: The essentials. DMA. 2017.

Ico.org.uk. How do we apply legitimate interests in practice? https://ico.org.uk/for-organisations/guide-to-data-protection/

Dave, Paresh. Credit giant Equifax says Social Security numbers, birth dates of 143 million consumers may have been exposed. 2017. www.latimes.com

Mantelero, Alessandro (2013). “The EU Proposal for a General Data Protection Regulation and the roots of the ‘right to be forgotten’”. Computer Law & Security Review. 29 (3): 229–235. doi:10.1016/j.clsr.2013.03.010

EU GDPR, Recital 32. http://www.privacy-regulation.eu/en/recital-32-GDPR.htm