right past the scheduler and set i'm going insane and i said we are going to do something about this. cannot allow people to say this and do nothing about it and he said you're right, close the door. i thought, this will be good. he said we will pray for. i said, tim, i love you, but i ate ring for it. he said then you sit here with me while i do. he sat there and prayed for a critic, by name. not very many people do that. >> watch tonight at 9:00 eastern on c-span two's but tv. -- book tv. >> facebook founder mark zuckerberg is about to testify about data privacy after it was unveiled last month that a

british consulting for misuse data from millions of facebook users during the 2016 presidential election. next, tech industry experts on upcoming hearings and what can be done to improve data transparency and online privacy. this discussion was hosted by new america's technology institute and is an hour and a half. [indistinct conversations] >> all right, folks, i think we will get started. great. good afternoon. i'm the director of the open technology institute in america which guarantees everyone has access to an internet that is open and secure. which guarantees everyone has access to an internet that is open and secure. thank you for joining us today. for our conversation, what should we do next? if you're not sure what i'm talking about, you might be in

the wrong room. once upon a time, there was a fast-growing social network called facebook that hoped to grow even faster by becoming a platform for other apps so in 2010, it launched an api, application programming interface that allowed cap developers to use data from facebook users who had signed up to use their apps. but, there was a big privacy catch. not only could app developers obtain data from users, but also all the friends of those users. though nominally, facebook notified users of the set up through the privacy policies, and there was a not particularly easy to find privacy setting for adjusting what data your friends

could share about you, the default on the setting was for apps to have incredibly broad access to friends data and most ordinary date -- users had little understanding of what was going on. so for about four years until facebook tightened up access to friends data with an upgrade -- updated 2.0 in 2014 and 2015, untold thousands of app developers site event tons of data from people who did not even use their apps. primary guardrails protecting the data from misuse after it left facebook's platform or simply facebook's terms of

service telling them they should only use the data for providing the service that users had signed up for and that they shouldn't, for example, sell it all to a spooky political consulting company that wanted to build profiles in order to better manipulate them. of course, we know that is

exactly what happened, that in 2014, a researcher named alexander used a survey at called this is your digital life and was able to attract 270,000 facebook users and through access to those users friends data, was able to obtain personal information about, well we are not sure, but we heard from facebook up to 87 million facebook users. he then sold the data to cambridge analytica, a portable consulting firm that worked with the trump presidential campaign and the brexit campaign, has bragged about influencing other political outcomes in mexico, australia, and kenya, and based on recently released undercover recordings, has apparently used bribes and sex workers as part of its toolbox for influencing

political candidates. this brings us to last month, when we learned about how cambridge analytica had obtained the data. we also learned that facebook has known about the passing of data to cambridge analytica since late 2015 but did little to confirm that the misappropriated data had been deleted other than demanding that cambridge analytica certify that it had done so.

facebook also continued to allow cambridge analytica to advertise on its platform until just before last month's story broke. this has led to a firestorm over nude concern just as controversy has already been raging for over a year about how several big tax -- big platforms have been subverted to help spread foreign propaganda during the u.s. presidential election in other elections as well since then. now, as facebook is losing billions of dollars in stock value due to lost public trust, and it is promising to make extensive business changes to regain trust, policymakers in the u.s. and europe are rattling the saber of regulation, and ordinary folks, only now seem to

be starting to understand how facebook actually works or at least how it worked for five years ago, and what that means for privacy, the simple question is, what now, what should facebook do, what should

policymakers do, what should users demand they do with regard to facebook or internet platforms generally? i will be talking to commissioner sweeney about these questions and more generally about the state of online

privacy and how to improve it. before we do that, i wanted to pass the mic to my colleague who runs an independent project called ranking digital rights, dedicated to answering another question very relevant to today's proceedings. how well our companies like facebook are user's rights? she will briefly give a preview of how the latest annual corporate accountability index being released later this month will answer that question, then we will move on to my conversation with commissioner sweeney and then our panel with the experts. thank you. >> thank you.

i do not want to take too much time other than to let you know the 2018 corporate account ability index will be launched on april 25 and we have a flyer here at april 27th, an event here right in the room. we are planning to talk about it in person to the people who are not in new york. the 2017 index can be found on our website so you can see how we evaluated companies last year, the index ranks 22 of the world's most powerful internet mobile and telecommunications

companies on commitments and and policies affecting user rights on freedom and privacy. there are indicators looking specifically at facebook and other company policies affecting how they handle user data, and it will not surprise you, you can see on the website last year facebook did not perform well with the policies disclosed and also what it did and did not

disclose. you will not be shocked to hear there was not a revolutionary change between 2017 and now. you can see the report when it comes out online on april 25 for all the details and downloadable data and everything else, the analysis, we will have the event in new york on the 25th. a similar event here on the 27th to discuss it in person and people will be able to go through and discuss results in great detail. one other point in relation to

data, generally, it is doing poorly. but facebook's disclosures were toward the bottom of its cohort. so that is just a little preview. thank you. at the end of the obama administration, they did call for resources for the agency. it has never been funded near that level, so it is under resourced and that is easy to fix. i think it needs to think about its configuration. one thing it had been doing, and i am proud of sharing the fcc with this is we have been bringing more technologists into our work in bringing more researchers on staff. we have an office of technology research and investigations i think is a great first step in the direction. i think we need to think about institutional design and whether that kind of capability ought to be significantly expanded, maybe

by the creation of technology just -- a bureau of technology like the bureau of economics, so there is even more horsepower within it. it also needs additional authority to contact outside experts to really have resources to evaluate what it is being told. it needs in-house expertise and additional resources to bring

that in when it does not have it. i think beyond that, it has called for penalty authority, not just for data security and breach violations but for privacy as well. it needs rulemaking authority it can use for privacy and data security. it has also been studying some conduct that it finds very

concerning. looking at the data broker industry for example and it called for more transparency and accountability for data brokers and they think that is really important.

beyond that, you could also be making the case for consumer rights that we need an additional -- digital age which include things like interoperability. those are meaningfully procompetitive as well. >> one of the big limits to what the fc -- ftc can do and what sticks it has to work with is

your primary tool in regard to privacy has been deceptive trade practices. if someone misrepresents what they are doing with your data, that is within it but if they are doing something with your

data that is awful but telling -- tell you about it and nominally you consent, that is ok. how do we get past that? is noticing consent a workable model? facebook certainly will model and has argued that its users and the fcc had consented with and had notice of, this is how

it works, this is what the product was, so where do you go from there? >> the idea that notice and consent is a framework that can protect consumers in this environment has been described as quaint and i think that is correct. no i do not think we could --

continue to rely solely on the framework. i do not even think the ftc itself is advocating we rely fully on that framework.

>> particularly influential is cases involving whether the security practices are reasonable or not. it is a really important authority and it is challenging to use so we have to have a clear likelihood of harm or we have talked about harms that are not just economic, but harms that involve invasions, turning cameras on in people's bedrooms and emotional harms with revenge porno and things like that, it can be tricky for the ftc to reach some conduct using just the unfairness authority. this is an area that i continue to reiterate the ftc cannot go alone. one thing that happened is when it starts to use its unfairness authority aggressively, congress in the past has stepped into eliminated pretty severely. the agency has been cautious developing how it uses the

authority but with good reason. kevin: what about market harms? you are also a competition authority. there is a lot of talk about platform monopoly or breaking up these companies or a variety of other ideas to deal with the fact that they are big, what role do you see their? -- there? terrell: i think more competition would definitely benefit consumers. one of the tricks that has to do with the economic of how the markets work. it is not completely obvious to me that just getting more competition would yield better outcomes and better protections for consumers. that is why we need additional regulations to help really direct the marketplace toward the outcomes we want in data use and security and privacy. more competition is good and i

think using its competition authorities aggressively is terrific. i think we need to be mindful of the fact that we can't rely on competition correction to correct the problems we're potentially dealing with here. congressked about what could do to strengthen your agency. >> i think congress could start really thinking about what are the laws it needs to pass to protect consumer privacy. one thing he could do is stop passing laws that undermined the broadband appeal. by we can build on that taking a look again. i can get a number of ideas that i'm looking around the room, a

number of people have been talking about for a while. also real comprehensive data security legislation. cyber security legislation. obviously talking about more resources and strengthening the fcc as an agency. -- the ftc is an agency. control your data. that's the consumer protection angle. one of the things we're seeing play out in all of the stories analyticebook and dachshund cambridge analytica --

and cambridge analytica. the ability of technology to be used in disinformation to desmet -- of this information campaigns. the manipulation of the credit institutions is a deeply harmful thing. at the -- >> does that strengthen, weaken, >> i dohe argument? hope it strengthens it. they are complying across their

platform globally. it seems to me a lot of the opposition to the burden to allowing u.s. consumers to codify that -- i think it could have an effect of making it easier for congress to think about rightsizing consumer protection for the digital age. >> we appreciate you taking the time to come and chat today. we are going to invite the rest of the panel up right now. hey, gang. i'm going to let everybody introduced themselves.

and then briefly answer the same question i posted. >> i think it's is going to have legs for a little while, subject to new massive breaking issues that may come up. there have been privacy questions. i think this will make a difference. the investigation will be ongoing. also any potential impact the response may have on competition. they think we need to insist on

very important consumer protections, but also we need to be mindful of any unintended consequences or over corrections that could exhibit some of the things we love about the internet, about openness and ensuring that competition remains five print. this is an opportunity to shut down competition in the name of privacy and security. i am currently a missoula text policy fellow. >> i'm the executive director, a nonprofit agency in d.c.. the entity or question as i'm -- i sure hope so. it definitely is like because it's facebook and it has links to political campaigns and

political groups that people have intense interest in that they have more legs. given the public pressure they are under, facebook is willing to make some changes. to require some changes in the company. >> i'm director of privacy and data at the center of technology. your framinges in of it being a tipping point. i think that could have this crescendo. when it was tied to a political that exists in the

country, and the fact there is a country that betrays itself -- portrays itself as being friendly and the value proposition they are getting, we want to connect you. all of those things crescendoed into this moment. i'm an optimist. i think facebook will have to face the music and will have to change their practices and at the least will have to become more transparent. >> i was the former director of the bureau of consumer protection of the ftc. it will be a significant moment in a couple of ways.

facebook has a lot to answer to. a lot depends on what hath facebook decides to follow. this is the first major reach --breach. an yes, there was a dustup with google. in my view there are major issues about facebook's willingness to comply with federal orders. i think one of the things to watch closely is what does zuckerberg and facebook say about that? this may be a tipping point because it will force the

drama they have now announced a whole bunch of changes. -- force the agency's hand. >> in terms of facebook's response to have enacted a whole bunch of changes trying to regain user trust. they will be simplifying their privacy settings. there are clarifying the terms of service and privacy explanations. but not yet talking about substantially changing any of those terms. they stopped working with online data brokers which is good. they closed a gaping privacy hole in their people search. just yesterday they announced they will be surveilling what data is available to act directors. it seems like they are doing what they can in the short term. the question, first to harlan, but the rest of the panel, what else should facebook be doing now? if you were in the war room at facebook at this moment what would you be advocating? >> the scandal raised to related issues. obviously we will be talking a lot on this panel about user

privacy, and the scope of sensitive user information facebook makes available through its api to app developers. as facebook starts to raise its walls, how is the public going to then a scrutinize what is happening inside that wall. how is the public going to scrutinize what is happening in particularly how facebook's business model is tonerable and potential those issues. the cambridge analytica story got a lot of attention because

of political campaigns. i think with a story did was intensify interest in the way that facebook data and facebook platforms were potentially being over elections and the political discourse in the country elsewhere. promised some additional transparency. especially after an internal investigation. it wants to establish a new standard for add transparency that would help everyone, especially clinical watchdogs. who they say they are and what they say. i want to spend a few minutes talking about the user privacy center but ad targeting. i'm really talking about any

.essage on facebook they can spend money to boost your message to a certain segment of facebook users. your mind probably gravitates toward consumer products. we are obviously talking about and othercampaigns states that want to spread or to exploit certain divisions, political and social divisions in our society. wayslso talking about advertisers may be using facebook and targeting platforms . these are ads that are trying to find patients for fraudulent opioid rehab centers or

aggressive ads for profit colleges. more ads were at ad campaigns in finance and employment and in housing. these are the kinds among legitimate ad targeting. there are those that are possible in the system. and those for facebook business models, which is finding for finding certain segments. the main question i have is how was it public teacher going to be able to scrutinize this ad targeting behavior? what is facebook going to do to help

facebookhese issues? has made a few small promises so far. there is a lot more that the company can do. first, facebook have slowly started to make advertisements on the platform available to public scrutiny. if you're a user and you go to an advertiser you can actually see the list of running ads that advertisers currently running. in principle all ads are visible. if you are a researcher, it makes it difficult to know. in many occasions advertisers have thousands of ads.

in the same way they have built a robust api user base. robust api with search functionality. the second thing facebook has started to make enhanced transparency promises, especially around election ads. they are looking at federal election ads that specifically mentioned an election and are trying to get people to vote. ignores a broader range of abuses i have described. they should really be turning their attention to the election but also all ads being run. in order to have effective

accountability it's important to know the scope and reach of those ads. here is an ad who the advertisers are trying to target. some advertisers don't use explicit targeting criteria. upload a list of existing voters or consumers and --ebook uses a specials defined facebook users that have the same feature. what facebook needs to also do in addition to making the ads themselves more transparent is to expose targeting criteria and information about the audience a particular ad actually reached. how many people?

what are the demographics of that audience? they are doing their internal enforcement to take down bad ads. they should give the public a detailed accounting of all of the ads they are taking down and for what reason. those are the kinds of steps i think would provide real transparency and real accountability, and these are the kinds of steps that will help raise the public's trust. it is not just facebook telling us they are doing these things to stop nefarious behaviors on the platform, but actually letting the public scrutinize this and verify it is actually happening. and so i will just put a plug on a report that upturned in the next couple of weeks and service republican advocate to add transparency. >> thanks.

it does feel like we are building a manipulation layer into the internet we can't control. well, iinds me as should make sure to disclose --t facebook has provided clearly we disagree on some things we are also aligned on some important issues. in terms of my wish list i would add greater transparency in the system. they've done a lot more press calls on the record. seen more that public engagement is great.

as far as other people's wish lists, any other things? >> let me say what i think they should talk about doing. one of the problems of the how little control facebook was exercising over the third party. facebook has acknowledged they don't have any remedies in case there are deliberate overharvesting. when it comes to how to use all the cambridge analytica problem, part of it is there has to be much greater oversight control and yet this whole

one part ofproven the consent decree requires facebook to ratify privacy. that was an obvious vector for privacy. one would expect there was some control placed on app developers. just going down the list. of contractual lockups that give them power to require audits, oversight, some sort of certification. audits done by facebook or an

outside party to ensure there was compliance. we are weeks and months into this, and facebook cannot assure us that the information is not still floating around. or that the researchers have actually destroyed them. in law school we teach students how to enforce these kinds of promises, and it does not appear that facebook has any remedies at all that are effective to discipline third-party developers that have a very broad access to consumer data. what i would like to hear from facebook is what are we going to do to control this? yogi berra's famous line was this is deja vu all over again. things were designed to avoid

exactly this problem. i would like to see facebook come before the senate, as sucker is going to do next week, with a real list of things to control this part of the problem. i agree with harlan. there are lots of other problems. >> now that you bring it up, what you helped negotiate in 2011, you indicated earlier you believe it has been violated. i would love to hear a little bit more about what that was about and what you expect or want to see from the ftc in regards to that now. >> again, this goes back to third-party access. in 2009 facebook made two changes to its privacy settings

that pushed a lot of private information into the public, it also gave third-party apps access to information they were not supposed to have. one of the things that is ironic about the complaint, part of the deception was allowing third parties to get access without their consent. this is why i think i have seen this movie before. one of the things that fcc did was try to rein in third-party collection. it draws a line between users who actually post things and third parties who harvest information. the goal was to limit third-party access unless there is clear notice and clear consent.

now facebook is going to say that the settings they have allowed sharing. on the other hand, the question the ftc was asking is what our consumers reasonable expectations about what that means? one question to ask mark zuckerberg next week's do you really believe any of the friends thought something like this would happen to them? were your notices back then, whenever this happened, clear about that? i do not think they meet that test at all. that will be part of the ftc's inquiry. so, i think that is part of my concern. the other part is once action is devoted basically to forcing facebook to look at former abilities, where is consumer privacy in jeopardy and plugging those holes.

it is quite clear in the aftermath that facebook paid no attention to that heart of the decree because there are no controls on third-party downloading, there is no remedy for harvesting data that you have no consent for, for sharing that data with third parties.

which is why this is such a scandal. this is two or three years, maybe four years, since facebook has known about this problem. and yet it still has done nothing to fix it. a lot of the things facebook has announced, the new platform policies mark zuckerberg is talking about, we have heard all this stuff before. the question is, is facebook serious about moving forward now? >> at want to jump back into what facebook would argue. i think they would say when we all negotiated the settlement in 2011, they would basically say this is how it worked and these are the disclosures made to the users, these are the settings they had. what changed to make that not ok anymore? their position is our product is working the way it was designed. >> it was to avoid problems with people like that. it forced facebook to give clear and better notices. that was part of the consent decree.

section four was looking at vulnerabilities. that was the key provision. in my mind, facebook did not pay any attention to that. the question for facebook users is, in any time after the consent decree was entered into what friends understand the scope of harvesting of their data? that is the question to the 87 million facebook users who had their data taken. the answer i think is plainly no. i think in terms of ftc enforcement, i do not think it really matters, because i do not think facebook has any argument that this is a violation of section five. section five turns on what consumers reasonably expect.

i think they also do not have a defense to my view, which is they violated the consent decree. there's going to be a very substantial civil penalty. at the time of google, the civil penalty statute provided for $16,000. now, if you multiply $40,000 times 87 million people. >> jumped from $16,000 to $40,000. that has changed? >> that would not be the starting point for the agency.

i think there is likely to be very substantial penalty. >> we're talking about what the f cc might do. there's also the question of what congress might do or should do. to start that conversation i will move over to michelle. >> what should you do? i think yelling at mark zuckerberg is a start. it is not necessarily going to make change, though. at some point i want to go back

to the consent decree. perhaps, congress could make some fixes to make them have more teeth. for example, in the google case, the fine was $24 million. so, to make it really matter and actually have some hat --heft, what congress should do is not remake the gdpr. this is not in line with what advocates are saying. i think the gdpr is fantastic. i do not think that we need to duplicate it. that's not to say that there are not elements that could be great in baseline privacy laws, but i do not think enacting a baseline privacy law is to replicate the failure of consent. i think, instead, what we should be looking at is expectations. i think the way congress should in butte a baseline privacy law is with the idea of what is a person's expectation? what sort of transparency is available and what sort of accountability is attached? the way we interact with these platforms is obscured, and other

words you cannot make consent for the most part. all of this is by design. to push to the forefront the idea that if you're going to imbue expectations into your platform and use these values of accountability, some of those changes have to come from the design side. creating some design standards. it is more about what sort of interactions make clear to a person what the true value proposition is. one person that i know put it very well and set, with companies leverage your data 100 times that is like a price increase you do not know about.

i think that argument is ringing hollow now. there are design principles that allow for more transparency, accountability, not just the gdpr. i think also the idea of accountability is so crucial. the idea of making public disclosures and drawing on some of the other laws that exist. public disclosures on a quarterly basis. force is ceo to have skin in the game. -- it forces the ceo to have skin in the game. i think there are discrete ways that would make a huge difference in privacy protection. i think just that. baseline privacy. >> what you described is not a

modest proposal. >> no, it is not. >> considering there was a much worked on proposal from the obama white house in 2015. i'm not sure if the calculus has changed that much, but it does raise the question. you mentioned a couple of targeted things. impact assessments. what can i write right now? looked impactful on the issue. what can they do that strikes fear into the heart.

quick striking fear in their hearts is not what i'm concerned with. how do we get protections for people. with protection should, accountability. it has strengthened the ftc which everybody knows truly needs more sources to be able to do its job. we are going to be a plug. here are specific recommendations on consent decrees, and hopefully that is something that can get bipartisan support. at the reform playbook and gives a vivid is

more palatable. another area, and david touched on this, is the idea of data access by researchers. it is something that has been sort of avoided, partly because it is a tricky subject. we do not want to shut down innovation or open access. that is what the internet is built onto it but there are ways to create obligations for researchers they do not exist. if you are a federally funded academic researcher, you follow the common rules, which means there are ethical guidelines and you go through an institutional review board. those institutional review boards, there fairly worthless. the people who sit on the mark in good faith, but they do not ask for things like terms of service reviews. not to say that if you review terms of service and it says you should not do this, should not do a lot of what researchers do, but it is appeared of further to be a review of that, some accountability for the researcher.

there should also be certifications for the researcher's so they are held to some obligations, not just for what they intend to do but how they are protecting the privacy and security of the data. facebook's data sharing agreement was very light on details and light on accountability. i am not sure that was not by design. think the idea is to let the day to let the data go and then we do not have liability. we do not want to create lability. the other aspect would be creating a chain of command of lability and the speaker system, which would not be easy. but you start with the platform of the service, so creating the risk of the user, the benefit and the risk. and got on the line and decide and assign the rules and liabilities. those can be chopped up in small ways, and maybe consent decrees are part of that, maybe certifications.

>> i am guessing, david, you are all for strengthening the fcc. >> yes, i am happy to repeat everything she said before. absolutely spot on. there are maybe smaller pieces of the privacy issue with data brokers. this would get at any but not all of the problems. given some of the breaches that we have had and some of the problems with large data brokers, there needs to be something like a fair credit reporting act but much stronger for data brokers. the fact is people are worried about what the nfc knows about them, but they actually know some much more, and so does facebook and other companies, but we do not have her glittery tools. -- we do not have regulatory tools. these are massive data pools. there is real risk there.

>> i am somewhat skeptical of going back to the platforms and away from the brokers. we will see specific use restrictions and law or requirements about consent, but i think the possibility of much stronger transparency requirements is definitely in the answer. i suspect they are talking about it. there is also the question of political viability and timing and what-not. for example, i have a crazy idea, which is there is a single law called the video privacy, protection, and it protects records of what you watch on netflix and the video store. that got past after video records were obtained by journalists, and congress freaked out thinking it might be them.

hence, the strongest privacy live o-- law ever. i do not see why that should not extend to what is online. i shared this with a staffer and there were like, sure, but that is in the criminal code, mending it would go through judiciary, and nothing is going to happen in judiciary and we need something that will go through congress. so what is actually possible right now? they are not going to pass anything this year. they are basically already done because of the election. but where should we plant this? >> what happens in that if all is huge. it will decides of -- decide if democrats will retake congress, and then the possibilities are

much greater for baseline privacy law or any kind of updates to privacy in the general. it is funny, the jurisdictional question, because privacy is notorious for being 100 different committees or people believing it should be in 100 different communities, especially with a high-profile case exists. they are all scrambling to figure at how they can fit it into agriculture. [laughter] great, fine. this is way our democracy bumbles along. but to the extent we can provide staffers with the correct facts about what happened, first of all. i have seen journalists use words like scraping and access interchangeably. those are not the same at all. as advocates, we need to make sure they have that. and offering different committees different solutions, i think that is up to groups like cdt and other groups to

work hard to make the committee -- make sure the committees have information. and we need to bring in republicans who are interested in make this issue. they had not said much for a while, but now they are. that is a really important development, especially in d.c., and i think it is important to engage both sides to explain this is a truly bipartisan issue or should be. >> moving on to caroline and the issue of competition, which is your expertise, what role does the antitrust law play in that addressing a situation like this, if any? >> so i think when of the questions we have heard is, well, wait a minute, maybe if we had more competition, things would be better. we have seen a lot of headlines talking about the power of big tech, the concentration, the consolidation that has occurred. can't the antitrust laws

dissenting about this? -- do something about this? the follow on is, maybe if there was more competition and they were doing their jobs, something -- maybe things would not be so bad. they could play a bigger role in some of the bigger questions, probably not as good at the consumer privacy question. yes if we had multiple social platforms. in an ideal world you would see competition. the trick about social platforms is we really do not want to have to go to six different social platforms and find all of our friends on each one. one of the value is the value in this service, that the more people who are on it, the more valuable it becomes. so competition is not

necessarily something that consumers really would want in the real world. you might want options for competition, and i can talk about some ideas for promoting competition. but there is a limit on antitrust law. it is a law enforcement that can keep them from taking actions that will farm from the competitive process, and it can stop mergers that will lead to lessening of, titian -- of competition. this could have some positive impact on how the platforms compete and the actions they

take. another important tool besides antitrust laws is that ftc's section five authority is believed to, and i believe it and cumbersome thing more than just the antitrust laws, and congress must have meant something. it is not just the antitrust laws. so looking at how the agency can use that authority, it finds actions facebook is taking that violates this principle. they are somewhat limited tools. one of the things, how to promote more competition, how to put competitive treasures on a company like facebook and better data portability. it creates a meaningful way to support your data. a meaningful way through other application or service. this then goes into the questions i'm trying to think about. the importance of data

portability, operability, and they use into this, i have been thinking about promoting competition in the platform. and cambridge analytica happens. is it more responsible use of apis and the digital ecosystem. they have the opposite technology. facebook starts to review its apis and policies.

at the same time let's make sure there isn't an overcorrection in terms of shutting down access to data. data that helps developers comes up with exciting new programs that could ultimately complete test compete with facebook. using its apis -- >> this is something i was thinking about, including the commissioner. you can go look at some tweets about it if you like. there is portability, getting your data out. facebook does have a tool for getting your timeline out. it is not really suitable for

uploading into another service. assume there are services out there. >> they build it. >> but not for you to take it somewhere else. gdpr is going to require some level of portability, including machine readability, so you can move it somewhere else. remains to be seen how people are going to implement that, and that will be really interesting. then there's also the issue of how to come up with an environment or something can actually get big enough that you will actually even want to move your data to it. then you get into interoperability. from where i am sitting, one of the possible versions of a networking big enough at this

point now the facebook really bought the two networks that were getting big enough to compete, instagram and what's app, is to be able to leave facebook while still communicating with people on facebook. it is the people on the platform. if no one feels like they can leave because everyone is there, then a hashtag on facebook nene -- means nothing and there's no pressure to change. how do we do that? what are the tools other than consumer outrage and a bully pulpit? it is probably considering that the most mortal threat, building doors into its wall. >> you would have to find the market power. but doing things that would require that sort of a remedy to make this open. i think one of the solutions is more likely legislative or giving the ftc more authority to do rulemaking. the important thing is it is not just helpful to have my pictures and my posts , the most valuable piece of my friends. we have to also thing about privacy.

my friends are my friends, but if i go over to some other service, are my friends ok getting pinged by the new service to join? there are a lot of questions about what the meaningful data portability to another service actually means, and the devil is really going to be in the details. it would be great to hear from developers and others who are trying to think about the next great social platform to create and what they would need to be able to meaningfully port the data or get the data, capture the data, and then build a service off of that. >> what you are really talking about is forcing facebook to become a common carrier. that is full of subsidiary problems. i just do not know how you force it except through legislation.

>> there is some precedent like when aol bought time warner, there was a condition about aol having to make its messenger interoperable with its biggest creditor -- >> competitor. they would have to see the demand. >> besides amazon and google. >> when will the authorities have that type of hammer? >> maybe it is small parts of facebook, like messenger. maybe that is not that small. but looking at specific communication aspects. like the plug-in or something.

>> there is also a core tension between privacy and into broad -- and interoperability. yesterday, they announced that they were close off more parts of api. privacy advocates will cheer but competition advocates will not. so how to get both at the same time will probably have to do with more people and policy solutions, rather than tweaking of the knob in terms of how much of the user data the api exposes or not. >> and i think this is going to require a lot of study. it will be helpful to have the research and empirical data. we really do need to think, is that what you want to do because you need to keep in mind that we want to ensure the incentives to build the next great whatever platform or facebook is going to be. if you create a policy that says it is going to be big and have lots of people, so we need to open everything up. it is like the chill innovation, and maybe the flipside is that

it will force the services to be the best they can. competition is good. you are going to want them to be excited about the best privacy policy, whatever it is. it is going to be an important consideration of what trade-offs might there be for getting certain policies we think will benefit consumers and what impact it will have on innovation. >> as that occurs, i will admit that my greatest fear right now is that this will not only push the decision-makers at facebook but also the rest of the industry toward, like, it is not worth trying to plane that field. i worry that there is like a rabbit in the prior patch and facebook is like, no, please don't make us locked down our api's even more. >> there were some ideas around data collaboratives that i think

would be interesting for people to look at, the idea that maybe part of the data, part of some of the big platform's data could be put into data cooperatives or interested into intermediary ies. tobe there are ways segmented so it doesn't create the problem in certain segments like research. >> all these apis aren't necessarily relevant. the most lucky piece of data is a phone number and an email address.

filing -- may be violating what we are ready a presented -- already represented. discussion.h not to overpromise, but i believe oti will be doing an event on interoperability and portability within the next few months. knock on wood. meantime, we have a a few more minutes for some questions. and there are hands shooting up. there is a mic going around, so please wait for that for the benefit of folks watching on c-span or online. >> hello, i have from access now. david, you spoke about the dissent -- consent decree, and michelle, you spoke about audits . audits are in this consent decree, and they would have had to have gone through at least one, probably two, between then and now, and he clearly did not do anything to push us forward.

is an audit actually something we should be pushing for? was it effective with the consent decree? if it was not, which is seems not to be, how can you make them better? >> the word audit is a word of many meanings. the consent decree requires biannual filings by a third-party to essentially make sure this was a good year for the commitments it made in the consent decree. so there have been at least two, maybe three, of them. i have not seen one in several years, but that is not really what i am talking about when i talk about audits. i am talking about facebook trying to make sure that third-party apps speak to whatever commitments they have made in terms of what they are going to download and not shared with third parties. one of the real problems with cambridge analytica is facebook

really do not know what cogan was downloading, nor does facebook have any means of making sure that data was not shared with third parties or sold or done -- there was no control and know what it. so what i am talking about is ways of overseeing third parties who have access to data. there needs to be some contractual lockups, and there needs to be some ways of, after the fact, making sure that the third parties behave as they promised. at the moment, facebook is simply depending on wishful thinking that third-party apps are going to do whatever is in the terms of service. but the cambridge analytica debacle has shown there really are no controls. when i use the word audit, that is what i am trying to refer to.

>> from what i understand, these are really assessments, which is different. so you have the private assessor that is sort of cataloging benchmarks. there are ways for companies to game this. they will change their practices right before. for example, to look better, they will often not -- obviously, this is not public -- but they will also not miss material changes, things that would be relevant to a consent decree. the assessor does not have access to it or the company does not tell them about it because of the timing. a formal audit would require it to be public. it would require the company to sign off on material changes of their policy and practices before and after the audit happens. and it would create instance of a gun the a -- create a sense of accountability tied to the consent decree. >> it is not at all clear that facebook reported what happened with kogan -- cogan and cambridge analytica to the ftc, but i think it would have been required in one of the biannual reports.

>> i am the advocacy director of the committee to protect journalists. it is interesting, because in several conversations around and countering violent extremism debates and the fake news debate, one of the big concerns is the lack of access to data by researchers. so it seems like there is this tension between access to personal data, yet facebook and other companies not turning over lists of content that they have removed or censored, etc. so i think that we should be careful about making broad brush strokes about institutional research boards. at least they have to go through something. definitely they need to be more technologically apt. but how can we balance the need for more oversight and auditing potential, both by researchers but also potentially by the judiciary?

and that is with the need to protect private data. >> i can take that. at least in terms of the recommendations i was talking about, it is true, especially when talking about countering violent stream is him a desk violent extremism. balancing that is a problem. the recommendation i was talking about applies to ads. facebook already considers ads to be all public good with the pilot they are trying, any post that money has been spent to boost is already considered public and not private information. at least in terms of -- it will not get it all of the problem, but for large part of the problem, beyond just election, more transparency about ads will probably do a lot of good without really risking individual privacy.

>> i will just add that i think your question is one we all neer question. your question is one we all should be asking. the need forance privacy with all the other things we need? you have the fcc commissioner writing in the new york times --ut how we need more open to do research on how problematic content is spreading. at the same time we have a push to close them down. to be fair to facebook, i would be like what the hell do you want us to do? >> maybe this is where ships make sense. >> fair information practice principles. the data governance framework.

most privacy advocates are well-versed in fips. to govern dataw well. it does not mean restrictions and terms of this is a good project or this is not a good project. it is about privacy and security restrictions. limiting the amounts of data and the scope of the data. the reason you're collecting the data during those requirements do not exist right now. that would be a step forward. >> we have room for two more questions. i'm a researcher that is been looking into this cambridge analytica situation. i am pretty familiar with the internals of it. one of the things that occurred to me that you want -- the you might want to consider as part of your advocacy to mitigate the situation is a technical deprecatewhich is to

all of the user id numbers that have been exposed. clearly one of the problems is there is a horse left the barn in 2015 issue. i think that while deprecating the user id numbers, you cannot target those user id numbers anymore would not solve the problem, but it would mitigate it. something, it occurred to me and was something that facebook would not like for a much so it would have a punitive aspect but it would not crush them and not fundamentally disrupt legitimate ongoing activity from people who are obeying the rules. >> thank your much. >> i would be happy to talk to more about that. >> one more question. consultant here in washington, d.c. i've a simple suggestion. what if as a result of the

investigation, the ftc would require facebook to devasting instagram or some other application and that would competition, solve some of the problems. there could be other requirements but that could be something facebook would see as punitive. that?ld the ftc do >> when i was at the ftc in the dark ages, i do not know whether the commission would have thought of a remedy like that for a deceptive act as opposed -- i suspect the agency would still have problems doing that now. it is an interesting idea. bob always has interesting ideas. it is yet another interesting idea from bob that people should think about. the remedies that the agency has

are basically equitable remedies. todo at times force people do all sorts of things they do not want. this is an intriguing idea. >> there will be plenty of other intriguing developments ongoing, findsing, i hope everyone interesting the testimony next week. thank you, everybody, for coming. thank you to the panelists. [applause] [captions copyright national cable satellite corp. 2018] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org]

>> this week, facebook ceo mark zuckerberg will testify before senate and house committees on facebook's use of user information and data privacy. on c-span3, he will answer questions during a joint senate judiciary and commerce hearing. 10:00 on c-span3, you will appear before the house energy and commerce committee. watch live coverage on c-span3 and online at c-span.org and was online with the free c-span radio app. with a preview of the facebook hearings on capitol hill, stephen janis -- stephen denis joins us. he reports on the centers for bloomberg. withare the main issues mark zuckerberg? zuckerberg isk going to get a grilling on the failure of the company, the