The Facebook Dilemma | Interview Of Max Schrems: Privacy Advocate


Max Schrems is a privacy advocate who filed a complaint against Facebook with the Irish Data Protection Commissioner. This is the transcript of an interview with FRONTLINE’s James Jacoby conducted on March 28, 2018. It has been edited in parts for clarity and length.

Bring me back to when this all began for you. Was it around 2011 or so?

Correct. I was basically studying in California for half a year as Austrian law student, and it was pretty interesting for me that there was just this, you know, different approach to privacy being that there is actually very little regulation after all for a company like Facebook. Someone from Facebook was there and was explaining to us basically how they deal with European privacy law, because that was the only thing that even touched their business model, and it was kind of a general understanding was you can do whatever you want to do in Europe, because they do have laws, but they don’t really enforce them at all.

… What were the laws?

In Europe, there is actually very stringent data protection law in general. For example, you’re generally not allowed to use anybody else’s data unless you have a justification, so you as a company have to show why you’re allowed to use this data.

One of these examples is, for example, that it’s necessary to provide a contract or [show] that you have consent from the person. … You have to get freely given consent. So if people don’t want that they must have the option to say no.

Facebook And Privacy

… At the time, you’re thinking what?

It was interesting, because I was the only European in the room, and there was this talk about Europeans being out of the room in a way, where they were very upfront and transparent about not really following any of this or simply having very obscure ideas of what consent should actually mean, like as long as you use the service, you consented to whatever we want to do with your data. That was basically the idea.

And your reaction was what?

I was surprised to a certain extent, because at the time, Facebook was already a pretty big company, and you would expect them to have more expert people to actually know what they’re doing. I actually went through the whole procedure with Facebook that the more people you talk to, the more you realize a lot of them were just out of college, feeling very great at changing the world in some way, and didn’t really know much about what they were doing.

There are very little people actually I talked to at Facebook that had a deep understanding of what privacy means.

… At what point in time was that when you were speaking to these people?

… The first time [was] actually, I was in the university in California; that was when they roughly gave a presentation on what Facebook does. I was actually not asking many questions back then. That was mainly other students that were outraged about what they said. We later actually filed a couple of complaints with the Irish Data Protection Commissioner because Facebook’s international business, anything that happens outside of the U.S. and Canada – and that is 82 percent of the worldwide users, actually the predominant part of Facebook – is operated … out of Ireland.

Actually they’re a European company in that sense that [they] fall under European rules. So we filed with the Irish Data Protection Commissioner, who is the regulatory body in Ireland in charge of privacy, and after we filed these complaints, that was when actually Facebook reached out, I think within two weeks, to basically say, “Let’s sit down and have a coffee and talk about all of this.” That was the first kind of more personal contact then.

Do you remember those meetings? Do you remember what you discussed and with whom and what your impressions were?

We actually had a lot of email exchanges, and we met each other sometimes at conferences and so on. The privacy bubble in Europe is small, after all, so you run into each other. We then actually had a kind of notable meeting that was in 2012 for seven hours almost at the airport in Vienna. That was really going through all the points we raised with Facebook that are not you know, not working [within] the European law way to do it. That was with Richard Allan, who is their main lobbyist in Europe….

They originally tried to get us to Ireland and talk to all of their lawyers and [have] many people in the room. I made the point that this probably doesn’t get anywhere, so a smaller meeting like that – the more you probably get to the substance, which worked quite well. But the interesting thing is that [on] most of these points, they simply didn’t have an answer. That was the most interesting takeaway for me from that meeting …

You get these kind of non-answers. One of the most wonderful non-answers on consent, for example, was, how can you keep the data of people that never used Facebook even? They have what we call shadow profiles, which is profiles on people that never used Facebook in their life. The answer was that they were a so-called third-party consent, so someone else consented on behalf of you that Facebook can have your data …

It’s unthinkable, and – but that is the arguments they give you.

… What were the sorts of points that you brought up, for instance, early on and that were discussed at that meeting?

We had really 22 different issues, so we tried every little button that had an issue on Facebook to put it into one complaint. It was very simple things like your privacy policy, something that no one ever understood and [hasn’t] possibly been able to consent to … If they just give you a “We do whatever we want to do with your data,” that is not informed nor specific. This consent would be invalid, for example, or they track people through “like” buttons on other pages so they can see which pages he has visited.

We even pulled out porn pages where they can see which porn you were looking at. These were typical examples. One example was also that third-party apps could basically get all your data. That now became kind of relevant suddenly with Cambridge Analytica … So if I use an app and my friend’s data can then be shared by me to that app. That is the first issue: There is no consent by that friend. He didn’t even know that I would install such an app.

Secondly, these apps were totally not regulated, like anybody could anonymously put an app on there, pull that data from Facebook, and no one in the world would have known where this data has gone …

Back then they said this is perfectly legal; we have no problem with that; we trust that everybody’s not doing anything bad with the data, and there’s no reason to think otherwise. That was in ’11 and ’12, and now, when Cambridge Analytica came around, they were suddenly like, “Oh, my God, we were betrayed, and we didn’t know that this could possibly happen,” and I was like, “I’m a mid-20s student that told you that this is definitely going to happen.”

Investigating Facebook

… Let’s slow down. Let’s slow down. You come back to Europe after your experience in the States, and what actually prompts you to want to dig into this? Bring me in kind of piece by piece.

Basically in California, I had to write a paper about something, so I decided, let’s write a paper about Facebook. I actually never turned it in, so I still have an incomplete there. But that was the interesting thing that then we made access requests with Facebook to get a full copy of the data, not just me but two friends as well, so we could compare the different data sets and get a view of what Facebook actually stores on you. There it was, for example, interesting that about a quarter of the data that they had on me was deleted data. For example, if you delete a message on Facebook, it’s only flagged as deleted.

It’s on the record that says this information was deleted, but then the information comes right after it. It’s like having a Word file on your desktop computer and you just rename it as “Deleted – underscore – myprivateinformation.doc” That’s basically what they do, they just flag it as “deleted,” but the data is still there.

… You get back to Europe, and you and some friends make a request. Then tell me, bring me through the experience of receiving that CD in the mail, and just slow it down. Tell me the slow version.

Piece by piece. Yes, so basically, I was in the U.S. at the time, so I couldn’t make an access request under European law, so friends of mine already did that. I did it as soon as I came back. I sent an email to Facebook saying, “I want to have a copy of all my data under paragraph blah, blah, blah of the law” … After a bit of a pingpong, then suddenly they said, “You know, we’re just going to send you that data.”

So they burned a PDF file on a CD after all and sent it off to me. One of my friends actually didn’t get it for a while because they sent it off to Australia instead of Austria, so we could actually see it went through Sydney first, and then we got that information, and through that you could actually get a good understanding of what Facebook does. I think the thing that’s important for people to understand is Facebook has much more about you than what you personally shared.

The whole data categories on Facebook, that is data that Facebook produced on you. To give you a simple example, there’s a data category called “Last Location,” where they store where they think you’ve been the last time. I never locked into a place; I never used the GPS location on Facebook or anything, but out of the rest of the data that they have on you, they try to figure out where you’ve been the last time.

There’s other stuff that, for example, if you tag people in pictures, there is GPS location attached to the picture that’s uploaded, so by that they know which person has been at what place at what time even though you may have never shared your personal location with Facebook. There is other information like advertising information; oftentimes they tried to derive from the data that they have on you.

One big myth around Facebook is that Facebook only has what you see on the screen. The reality is back on the servers, there’s a treasure trove just like 10 times as big as anything we ever see on the screen. So we also have to kind of separate from this idea that what’s on the screen is what Facebook really has. That’s the kind of the [rosy] perfect picture of Facebook that you see on the screen which they usually call the “positive user experience.”

That’s the term they use. But in reality, in the background, there’s actually much more that they have on you. A lot of that is coming from other people that share information on you, which is also the reason why no one is off Facebook. Facebook has data on everybody, even if you don’t have an official Facebook profile. You have one of these shadow profiles that Facebook generates in the background about people that are not on Facebook. That was really interesting, because we could actually prove that through the data [that] they keep a lot of information that was deleted.

For example, there’s even data categories like “Removed Friends.” All the friends you didn’t want to be friends with on Facebook anymore then end up in a pile of people you don’t want to be friends with. If you’re invited to an event, for example, and you decline, then that’s stored as well. If you delete it, then it stored that you deleted that event, which is, for example, in Austria was very interesting because at the time when I was a student, there were a lot of demonstrations that were organized through that. So you have a whole list of demonstrations I was invited to, and if you know a secret service wants to get you in a certain corner, they still have all this information of where you have been demonstrating all your political views.

In my personal file, I think the most relevant information or the most sensitive information was usually my messages, because there Facebook generates that picture that you’re now in a one-on-one communication with a close friend.

In my case, for example, a friend of mine was in the closed unit of the psychological hospital in Vienna, and she kind of explained a lot of the reasons why she has psychological issues, and the only way she could communicate at that point was Facebook.

I deleted all these messages, but all of them came back up. And you have messages about love life and sexuality and all of these issues, and people may not post it on Facebook, but they use chat functions on Facebook, and all of that is kept. Even though Facebook tries to give you the impression that you share this only with friends or only with one person you talk to, the reality is Facebook is always looking. There’s no limits on what data that they actually use for spying on your – at least to figure out more information about you.

That’s, I think, important, to also see this psychological level of Facebook of trying to make the person feel more comfortable in sharing and giving them the impression you’re only among friends; this is a safe space in a way, which is then a situation where people probably share much more than they would share if you would know this is basically a company that is going to read all of this. You know, they share more in a private Facebook chat than that they would share with cash registry at a supermarket, knowing that they may use that for something else, and that is, I think, an important element in the whole Facebook world, that there’s a lot of psychology involved in this as well, a lot of nudging of users, a lot of feeling left alone if you don’t post something, if you’re not liked. There’s a lot of that going on as well, that tries to manipulate people to also share more information next to manipulating people in decision making by advertisement and so on. There’s also manipulation in using the service.

… Do you think they underestimated you?

They underestimated that there are people that are actually not happy about what they do. I think they are to a certain extent oftentimes almost religious about that idea of “We’re making the world better; everything we do is great; how could anybody ever criticize us?” I think that is an element that they may underestimate oftentimes. And it may be very interesting with the Trump election and so on, that they’re a very liberal company in a way maybe partly responsible for a lot of the racism we have that’s coming back in Europe, especially with the refugees and so on, a lot of the polarization that comes back. These filter bubbles, all of these issues were created by [a] company that oftentimes probably exactly – where a lot of people who worked for it exactly opposed that.

Taking On Facebook

… You decided to take on Facebook at that point.

Yeah. I mean, I know that’s mind-blowing in the U.S. setting, but in Europe basically there is a statutory law. You know what the law is; the rights are the same for everybody. That was interestingly not so big in the European context, because as a lawyer, you’re trained to file a case against someone. That’s your profession, so I never really knew why there would be such a big issue. However, it was still kind of interesting, because the public reaction on that was strong, because it was this David-versus-Goliath craziness.

However, even there [it] was interesting, because in Europe that was the big story, like David goes after Goliath. In the U.S. that was oftentimes the reason it wasn’t reported at all, because they said: “This is impossible; this is not going to happen, so this is not a story. Where are your 20 lawyers? Where is your big law firm? Where are your millions of dollars you spend on this case?” … And that was interestingly oftentimes the reason stuff was not reported on that in the U.S.

So this was a big deal in Europe, but you felt like it was underreported here.

Yeah. Basically the cases we brought all the way along was really oftentimes in like the German evening news, the first subject after the evening news broadcast. We were on the front page of Die Bild-Zeitung, the biggest tabloid newspaper in Europe that exists. So that was like a rather massive thing for Facebook. …

What was the reaction [by] the regulators in Europe when you started bringing these cases?

Facebook chose the right jurisdiction in Europe for a lot of reasons. We have basically the problem that most of the international companies are headquartered in Ireland or in Luxembourg. These two countries basically allow you not to pay taxes and also in many other ways not to follow any regulation. That’s a problem within the EU. We do have the laws, but we’re dependent on each member state to enforce them, and in this case it was the Irish regulator, the Data Protection Commissioner. At the time, the head of that organization was a diplomat that had nothing to do with law or tech or anything.

And they had 20 people at a time over a little supermarket, like one of these corner 7-Eleven stores in a small town. It’s called Portarlington. It’s 5,000 people in the middle of nowhere, and they have 20 people, and none of them was a technician, none of them was a lawyer, and they were meant to regulate Google or Facebook or LinkedIn and all of them.

… How did you become aware of the fact, that Facebook was sharing data with third-party developers?

We basically went through Facebook’s functions, and to be honest, I made 22 complaints, and it was two nights with a bottle of wine.

… That was simply the function how apps work. I developed an app once as well and used the API [Application Programming Interface], so I understood how it works. It simply allowed us to pull the data off the friends of the person that actually uses the app, and that allows you, if one person uses the app, to get the data of hundreds of people. That allows you to just have a couple of thousand people using an app, and you basically get half of the country’s data.

However, to put that in perspective, you get very superficial data of these people, like you get their likes and couple of other information. Facebook has even much more data on everybody; Facebook has thousands and thousands of pages of data on each of these people. So even if an external app gets, like in the Cambridge Analytica case – 50 million data sets – that’s a kindergarten enterprise compared to what Facebook is. This is not even scratching the surface of the data that’s around.

… When you were learning this at the time, were you concerned about misuse and abuse? What were your concerns about the loss of privacy or the ease with which this data was shared or spread or transferred?

I think there are basically always two dimensions in privacy. The first dimension is just the fact that someone has information about you which already limits your freedom. Like, if you know someone else has compromising information about you, it limits your freedoms to do whatever you want to do. Then the second part is the actual misuse of the data. Now, in the European setting, already the fact that someone has information about you is violating your rights; that is already where our law kicks in.

… Information is so powerful. We’re not talking about democracy, but it goes much beyond that. The big question that arises in the digital age is who has the power over that information? Is it going to be the users? Is it going to be a couple of big companies? Is it going to be the government? Or is it somewhere in between, where there’s a kind of balanced and fair system where we can actually cope with this? I oftentimes call privacy “informational redistribution,” like making sure that your basic information stays with you and that you’re not totally transparent to other people that can then manipulate you or push you into situations that you don’t want to be in.

That’s very simple. That’s like with any business transaction. If you know how low the other person would go on a price, where their redlines are and so on, then you usually win a business transaction. It’s nothing but that it’s just done on a massively big scale with tons of data.

Trade-Offs And Regulation

… I want you to put me back in mindset of the moment of where – were you worried and concerned and expressing your concern about the misuse of this data that Facebook was sharing?

Yeah. Back then, with the apps, we said there are thousands of apps to do that that pull that data. You don’t even know where they are. They may be hosted in northern China, where you will never get a hold of them ever again. There is no way that you can control this data; this is going to leak at some point anyway, and probably it has leaked thousands of times. We just don’t know about it yet.

We now know about one case where actually we do know about it. But that was exactly the point. That’s what we debated up and down with Facebook, and they were like: “It’s not going to happen. It’s all legal.”

… When did you sue? I’m just trying to get the timing right. Was that – ?

Technically, we had complaints in Ireland, which is an administrative complaint before the Irish Data Protection Commission. It’s not a lawsuit. It’s simply a two-party procedure before a regulatory body. We actually then filed later a lawsuit against Facebook as well after the Irish didn’t do anything for three years.

… I think we know about the complaints, which basically didn’t lead anywhere, right?

I can probably summarize how that ended.

OK.

We went back and forth with the Irish DPA. … So at a certain point I just said, “I’m just going to call you every hour now,” and after a couple of hours, I got a text message from them saying they’re not available to speak to me anymore, which is interesting if you’re a party in a procedure.

If they basically end the relationship through a text message – that was how this procedure basically ended. After that they didn’t really respond to any e-mails anymore, even though there was an open, pending case.

Meeting with Facebook

You had this one meeting [with U.S. officials] at the Vienna airport, right? And that was with these two people from Facebook, and they basically wanted – what was the purpose of that meeting?

…I think basically they wanted – my idea was that we could probably clarify a couple of the points we raised. There may be things that change anyway; they may be things that we misunderstood or something like that. So the main purpose for me was to narrow down the issues in some way. The promise that since they didn’t really have any answers on these points we couldn’t narrow anything down, it actually really reinforced my concerns that they actually don’t have answers on that.

… But you totally saw they were basically sitting two people that on most points their pants were down, like they simply didn’t have an answer.

However, they knew that the Irish are not going to enforce this, and the problem is that if the Irish regulator doesn’t enforce something, you as the person that’s concerned can sue the regulator, but that’s going to cost a couple of million euros. An average guy is simply done if the regulator doesn’t do its job. There’s no realistic way to get there, and that’s what they knew. They knew that the system plays in their favor.

And did you try to raise some money to bring that suit against the Irish regulators?

We did raise – we did a crowdfunding that we then later used for the Safe Harbor case. That was like 70,000 euros. The problem is that in Ireland, legal procedures are so tremendously expensive and so lengthy and complicated that no one usually sues the regulator unless you’re an international corporat[ion] like Facebook. Even Irish companies that get kind of awkward decisions by this regulator usually don’t sue them because it costs a couple of hundred thousand euros, and people just rather put up with it than enforcing it, and that’s a structural problem we have in Ireland, that there is very easy ways for big companies to never really see the light in the court.

Trade-Offs And Regulation

… So it was very clear to you. I mean, what’s so fascinating [is] everyone’s kind of waking up to the fact right now that Facebook is essentially a surveillance company to some degree, but it was clear to you at the time that their business was surveillance so they could do something with it.

I’m not even sure if they themselves thought of them as a surveillance company. I think a lot of it was really we have the social network; oh suddenly we have data; we can probably do something with that data in the future, so even if you look at these data sets, there’s certain data that is stored that I don’t think they actually used for anything. But there’s this feeling that, you know, it’s like when they say data is the new oil. There’s this feeling: “Oh, my God, we’re on an oil well. We don’t really know the motor to burn it. We don’t really know what exactly to do with it and the best version to refine oil, but we know that the oil is going to be important, so let’s keep it all.”

I think that is, if you look at certain of these elements, that was more the attitude. I don’t necessarily think that they already had the big plan to be like the surveillance company. I think a lot of them really had that spirit of, “Oh, we’re making the world more transparent; that this is a social networking site that is about interacting with each other.”

I honestly believe that at least a lot of the Facebook people believed in that, and now it becomes more and more apparent, if you’re a public company, you have to make money. How do you make money? You sell the data or you use the data basically, and then you automatically get on that track. That is right now the business model for any online company is to use that data that they get about people, and I think many people still don’t understand how valuable that is.

That’s a fundamental problem with this kind of – it’s a free service idea – is to meet the key question, is this deal fair? They get so much money out of this. You just have to look at how much money they made in a couple of years and how rich [Mark] Zuckerberg got from all of this that you’ve got to ask yourself, is this still a fair deal? Do they get more actually out of this transaction than is fair? And I would probably claim yes, because definitely we didn’t get much out of it.

… One thing that you’ve talked about before are they sort of apologized – ask for forgiveness, but don’t ask for permission type of thing. How was that evident along the way? Did they apologize at any points about what they were doing in Europe or no?

No, not really. … That was interesting for my story also that, for example, if we were in a very big European media, Facebook would not even show up, would not even send a response to that journalist or something. They would usually just ignore it. As soon as it came to the English-speaking media, then suddenly there was a response, and then suddenly there was pushback.

Regulating Big Data

… Going back to kind of a basic right to data protection, you’ve drawn this analogy with, you know, you walk into a building. Can you help draw that one out for me?

Yeah. Can you just ask me a question?

Yeah. Basically, we have all sorts of other protections, right? We have, you know, a construction company is responsible for its –

Usually I put that into context. There’s oftentimes this argument about the user should protect themselves, like it’s the user’s fault to use the services, so I think a big problem we have is that these services are so complicated and so impossible to understand. Even people at Facebook don’t really understand everything that Facebook does, so how should an average user that comes home after working for 10 hours really understand and make an informed decision on that?

I think that’s the reason that in the long run, this whole privacy debate we’re only going to win through proper regulation, just as we regulate building codes, fire codes, hygiene rules. We just walk into a supermarket in the U.S. and expect that if you eat food there, you’re not going to get sick from it and die, because we simply have regulations in place, and they’re enforced. I think in a similar way, we’ll have to work in the digital era that we make sure that there are rules that are giving you these baseline protections, that if you’re not stupid you can trust generally that these apps don’t do something evil or these platforms don’t do something evil with your data and then enforce them as well, because leaving it to the user is totally absurd.

The average person doesn’t understand what Facebook does. Will not ever understand it. Even I’m now working on Facebook for seven years, I cannot tell you what Facebook fully does with my data, so there is no way we can self-protect, we can make informed decisions on this if we have no way of ever understanding that. I think the long-term solution is that we say they’re experts; they’re going to check this for us; and they will make sure that our data is not spilled all over the place. Just as we do it with building codes with the fire department checking on your safety exits and so on, that’s how we usually regulate stuff like that.

But basically your story is that they weren’t enforced: You may have these protections, but that they weren’t being enforced.

That’s what I called big European privacy lie. We run around and tell everybody that we’re the biggest privacy protectors in the world, and it’s all a fundamental right, and it’s all great, but we don’t enforce it after all. This issue is probably going to be solved with a new law in Europe that’s called General Data Protection Regulation, GDPR, and that has very hefty fines. That has the option for everybody to sue for emotional damages. There are possibilities for class actions and so on. That is the reason why a lot of these companies are now seriously moving forward on the privacy front. You see in Europe right now all the Googles and Facebook sending you updates that they now changed this product and that product, and then you have a new privacy policy and so on.

The idea of all of this is that we now make privacy reality after all, because I think we’re now at that stage where we’re so deep into the digitalized society that not regulating it and not enforcing the regulation is simply not an option anymore. Europe understood this part. That’s for sure. That’s the reason we have this new law, and I hope that this may oftentimes spill over the Atlantic as well.

Did your cases and did your work lead to this movement of calling for a more – ?

The move was actually started by the European Commission that there should be a new law, because they realized that so far we have these privacy laws, but we don’t enforce it. There’s also diplomatic reasons or technical reasons why we need a new law. However, the first time this new law was presented by the European Commission they said there is this guy that tried everything with Facebook in Ireland, and it didn’t go anywhere, and there was not really any response, so we definitely need a new law, because this shows that if a citizen ever tries to really claim his rights, it’s really hard to do. I think we influenced that debate a lot in the sense of being practical about it to really say how does it really protect an individual person.

The other thing that seriously impacted it was disclosure of spying by [Edward] Snowden. This was really the point where no politician could totally ignore that privacy is a thing and that these options for surveillance are going so deep into your private space that we need to do something about it. I think these may be the – Snowden was definitely the bigger issue. I usually, in the European context I call Snowden the Chernobyl of data protection, the one point where people are like, “Oh, my God, this blows up; there are serious consequences from this.”

But why serious consequences for someone like Facebook?

Serious consequences for the society. Serious consequences in the sense of if you know that every step you’re taking is monitored, there’s pressure on you to not do certain things. There’s, for example, a limitation on freedom of speech. If you know that everything you say will be recorded and possibly held against you 15 years later, you’ll probably reconsider what you say. And there’s a lot of these effects on society that we can only be really free in a private setting. There are things that are culturally private.

A typical example is sexuality. There is no reason why sexuality is logically private; it’s just something that – it’s something that people feel about. And there are things that are logically private, like, for example, the election process. If your boss knows if you voted Democrat or Republican, you may either way have a problem, so that’s a reason we keep this information private. And your freedom to vote does only exist because it’s happening in a private space, so there are different situations. However, if this privacy is gone, and by now Facebook probably knows what you voted for just by analyzing your data and what you click on, a lot of this freedom will be gone that we enjoyed so far as a society. …

There are going to be different situations in different countries how far that should go, but there’s a general situation, if a lot of these companies will know every step you’ve taken, every detail about you, they would usually know more about you than you know yourself about you. Like in my case, when I got my 1,200 pages from Facebook, I read through it. I was like: “Oh, my God, I said that. I was not aware that I have ever said that.” That’s the interesting thing that now in digitalization you can use all that data. You can process it; you can do big data analytics on it and generate data out of the information you already have about someone so you can get actually a deeper understanding of what he actually – than [from] what he actually shared.

You can go even deeper into that. And all of that, if people really start to realize that, it puts so much pressure on you that I don’t think it’s going to be healthy for society, and it allows manipulation in many ways. It allows manipulation of elections. It does allow manipulation of buying habits, your whole life in many aspects. Oftentimes we call it advertisement, but in the end, the idea is to get you to do something you wouldn’t do otherwise.

Facebook And Privacy

… We should talk about then the Snowden revelations happened, and then what do you do? What does that trigger for you?

Well, what was interesting is that we talk about what a private company does with the data, but the government woke up to that and said, you know, it’s really nice if we have these private companies to collect every detail about every person in our country. If we can then pull it from them, we basically have better surveillance than the government could itself have ever had. And that is basically what Snowden disclosed, that there are systems that allow the U.S. government to pull data from Facebook; that they’re much further-reaching for non-U.S. citizens.

For example, for me as an Austrian, they can pretty freely pull any data from Facebook on me and use that for what they call foreign intelligence, to generate foreign intelligence information. That was an interesting additional step, because we’re oftentimes thinking about business being one thing and the government being the big threat. The reality is that these two things are becoming more and more one, because the government simply orders these companies to provide the data, and then you have kind of a private-public partnership of surveillance.

They surveil you for making money, and then the government is like, “Oh, great, the data is already around; let’s tap into that and pull it from them.”

So how is it that the government or the NSA specifically gets your data from Facebook?

There is a law called FISA [Foreign Intelligence Surveillance Act] [Section] 702, FISA, which allows, for non-U.S. persons, that the government can pull data right from Facebook. That is done through the FBI apparently, [who] then do the technical sides of it, which we don’t know much about. But globally that was a very interesting aspect, because if the U.S. now goes forward and says, “We want to be the global dominant player,” in the IT sphere, having all the cloud services and everything in the U.S., then the big question arises: What are the rights of foreigners on this?

There is similar or similar ideas within the U.S. when it was like the Verizon phone collection, metadata collection system, which is the same idea basically. Verizon has all that metadata that the company collected, and then the government can pull it, in this case from U.S. persons. I think in the long run, this is going to be a very interesting dimension as well, that once this data is there, it’s not just a company that has it but also a government that can pull it from them already under existing law for individual people.

In certain situations, like a bulk collection situation, where they can pull all that data at one time, but that’s only for non-U.S. persons. That’s a kind of an interesting dimension that these two things become more and more one.

… So when you found this out, what did you do?

We filed explicitly on that. I’m trying to get this not too technical. What we did is we filed against Facebook Ireland and basically said the Irish company is not allowed to send data to the U.S. anymore given that all the data of non-U.S. persons is subject to these surveillance situations. That was actually rejected by the Irish DPA, just like the stuff before. They even said that my legal view would be “frivolous and vexatious” so not worth even of a decision.

We then appealed that through the courts, and we ended up at the Supreme Court of the European Union, the Court of Justice. …

Tell me about winning that case. What was that like? You bring this case all the way up to the equivalent of the Supreme Court, and you win it. How was that?

Oh, actually, I’m very not emotional about this. I’m really much of the lawyer in this situation. We had a case that was very clear. The law was very clear on it. It was just a matter of really bringing it to the Court of Justice. There’s oftentimes technical problems to get there. As soon as it was there, and there was the hearing that took eight hours or something, the judges were totally clear on how they’re going to decide on this. It was interesting, because there was still a lot of ignorance on behalf of Facebook but also a lot of the U.S. legal community that had that view of a student is never going to win this anyway; like there’s no way a student can win against Facebook. I was really surprised about that ignorance for a long while, because the whole case was like – every step it was clear where this is going to go. Really only when the judgment came out on that day they were suddenly like falling apart. It was like, wow, could this have ever happened? And this I think probably shows a lot of the ignorance they have in general on the law, is that they feel they’re so big, so powerful, so smart, that no one will ever decide against them.

And I think that may have been kind of a nice lesson for them to see that if a student kind of pokes around a bit, their whole empires fall apart a bit. And that’s only one issue. I mean, that is just the surveillance issue.

Cambridge Analytica

Then you have this moment – the Cambridge Analytica moment, and that does hit upon the work that you were doing. What was it like for you when the revelations happened that there had been all this harvesting of data from Facebook?

I was actually on my way onto holidays, and I thought this is just too funny, because we debated exactly the Cambridge Analytica situation with Facebook in 2011 and ’12. They said this is all legal; this is meant to be that way; this is how the system is meant to work. And now suddenly Zuckerberg is like all over the place and says we were betrayed, and this was all like a big mistake, and I don’t know what. And it’s the same thing. They totally knew what they were doing, ignored it, and now later, when the problem really arose that everybody was talking about before, then suddenly they excused themselves and think everything is great again.

The problem is, they do get away with this, like they got away with this in many, many times, where later they were like, “How could you not see that all this Russian trolling was going on during the election?” And they’re [Facebook is] like, “Oh, we’re going to do better next time. We’re going to fail better next time,” kind of thing. This works if you’re a couple of students working out of your basement, but this should not work if you’re an international global dominant IT company and information company.

Failing better the next time it’s not really an option, because you may undermine our democracy, a lot of our society on the way of failing better the next time. I’m not sure if that’s really a good excuse then.

Have you paid attention to what Zuckerberg and [Sheryl] Sandberg have said in the wake of this in terms of saying this was a data breach and they’re going to audit what happened and all that type of stuff? What’s been your reaction to that?

They said it’s a data breach. It wasn’t. It was a deliberate knowing forwarding of data for years and years and years. It was raised with them a couple of times. There was media reports that it was raised within Facebook by engineers as well. They wanted this data to go, not really thinking apparently about what could possibly happen. And you didn’t need a lot of thinking to figure that out. The idea that an app got a bunch of data and is just going to sell it on to someone else, you don’t need to be overly creative to get that idea.

And this was an idea that you had –

Yeah. That was absolutely what we debated with Facebook in 2012 in the Vienna meeting. … I guess they didn’t expect that this would now go into a Trump debate, and to be honest, the Cambridge Analytica thing would not even be a story, a privacy story, if 50 million data sets would have been leaked to, I don’t know, someone else. It’s in fact a story in the U.S. because it ended up with Trump.

That is the actual issue. In my view, I don’t even know if Cambridge Analytica really influenced the election all that much as they claim. It may be one of the elements, but a lot of the people want to think that this really tilted the election, so the Facebook becomes suddenly an issue for them. I personally have a hard time to even see that this is so much more of a privacy violation than all the other privacy violations we have. I think many people should reconsider if they only care for a Cambridge Analytica because it was Trump.

…They also were offering their own tools, targeting tools, right, with their own data and data analytics, regardless of Cambridge Analytica, right? Isn’t that part of the picture here as well?

Absolutely. That’s – the interesting thing with Facebook, however, they usually don’t forward data. They only give you the possibility to target people based on their data, because Facebook’s thinking in my view – and the app situation is an exception to that – is that they’re a one-way street. They’re basically a one-way street. Data goes into their system, but it never leaves, because that’s their might and their power, that they have this information but don’t ever give it to anybody else, which is very different from a data broker that sells and buys data.

They tried to build an information pool about our whole society and about each person in it that only they have. You can rent it or use it in a way, but you’ll never get the raw data. That was finally apparently also the reason why they shut down the apps, because they were afraid that people could pull that data and replicate their network that they have on people.

Regulating Big Data

[Going back, …] tell me about that kind of classroom experience and how it felt and what you heard.

I was a law student in Austria. I did privacy law for a while already, and I kind of wanted a semester off, so I actually went to California, to Santa Clara University, which is a small private university in the Silicon Valley, and did a privacy class there. We had a couple of guest speakers that came in, and one of them was from Facebook, talking about how their privacy practices are, how they deal with different jurisdictions. And the Facebook guy was interesting because he was the only one that didn’t ask us to keep confidential whatever he says here.

Other companies actually said very similar things, but they said we should keep it confidential. The basic story that they talked about was mainly European law, because that’s the only law that regulates them really in the privacy field. The takeaway for me was that even though there are a lot of laws that exist in Europe, they basically reinterpret them in the way they would like them to be.

That is fundamentally what is happening for a long while; that in the U.S., there’s hardly any regulation on any of this. Even at a U.S. privacy class, we mainly talked about European law because that’s the one that exists globally. Then when you talk about it the reality is the companies don’t follow it because there is simply no consequence, and that is a problem on the European side, that we come up with all these wonderful laws, but we’re simply short in enforcing them.

That is what these companies know, take advantage of, and that’s the reason why we’re in this whole privacy situation, actually.

originally posted on pbs.org