
On Facebook, Open APIs and User Consent


In the recent congressional hearing into how Facebook data has been misappropriated for political and probably nefarious purposes, Mark Zuckerberg usefully confirmed that Facebook’s users own their own data:

 “Actually, the first line of our terms of service say that you control the information & content that you put on Facebook”

Of course there is a very similar example of customer-controlled data, currently stuck in a corporate silo, which is being opened up – the European Union’s PSD2 regulation, which forces banks to implement APIs to allow access to their customer data. Actual third-party access to this data is controlled through consumer consent implemented via two-factor authentication. In essence, banks are regarded as the custodians of the consumer’s financial transactional data, but not the owners.

Oddly, although Mr Zuckerberg’s statement appears to put Facebook in exactly the same position as the European legislators have put European banks, it’s not at all clear that the same rules apply. As it stands at the moment Facebook – not to mention Amazon, Google, Apple, etc – can, with the appropriate consent, access bank customers’ data but the banks can’t access Facebook’s data, not without Facebook permitting this. This asymmetry of information access is likely to lead to even greater asymmetry of market power than already exists.

This asymmetry isn’t even theoretical. Last year the UK insurer Admiral created an interesting scheme to allow people with limited credit histories access to insurance products using social media data. A social media profile is quite hard to fake if you know what you’re looking for – the strength of links to other real profiles and the depth of data mean that properly faking a profile is very hard to do.

Admiral’s idea was that if people were willing to grant them access to this data they could perform a form of social identification and verification with an element of personality checking to identify people with traits conducive to good driving. You might think this invasive but if you’re a careful 18 year old then getting your insurance bill reduced by thousands of pounds might be worth giving up access for, at least temporarily.

To cut a very long story short, the trial ended when Facebook blocked Admiral from getting access to the data: https://www.theguardian.com/money/2016/nov/02/facebook-admiral-car-insurance-privacy-data

“In an embarrassing U-turn, the insurance firm pulled the product less than two hours before it was due to officially launch on Wednesday. The product, called firstcarquote, was launched later with “reduced functionality”: users can log in to the product with Facebook but it will no longer analyse their data”.

And:

“Facebook said protecting the privacy of its users was of the “utmost importance” and that it had clear guidelines about how information obtained from the site should be used.”

Listing the problems that this potentially raises would take a much longer article, but let me raise just a few. Firstly, in what way is the Internet Giants’ control of personal, social data different from the banks’ control of personal, financial data? And if the banks are being regulated to allow third parties access to their monopoly of financial data, then why shouldn’t the likes of Facebook and Google be regulated to allow third parties access to their monopoly of social data? Why can Facebook choose what third parties do with this data while banks can’t? After all, as Mark Zuckerberg stated, it’s their users’ data, not Facebook’s.

Secondly, if PSD2 ensures that the users have control of the information and content held in banks via mandated APIs using two-factor authentication to manage user consent, why shouldn’t exactly the same rules apply to social media data? Finally, the asymmetry of data access that PSD2 imposes will place more power in the hands of social networks at exactly the same time as the ability of these companies to handle that power is being questioned: is that what we want?

Regulation is not, and never can be, a panacea for all of the world’s ills. However, in PSD2 we have a template for ensuring that consumers can control and manage access to their data. It’s hard to see why what is mandated for banks shouldn’t be mandated for other organisations that have equivalent power. We predict that if Facebook and its cohorts don’t take responsibility for providing equal, fair and properly consented access to the data they hold then they will be forced to do so. We already have a template; it’s just a question of how long it takes regulators to realise this.
