In the wake of the recent privacy controversy over Facebook and Cambridge Analytica, internet users and policymakers have had a lot of questions on the topic of “data portability”: Is my social network data really mine? Can I take it with me to another platform if I’m unhappy with Facebook? What does the new European privacy law, the General Data Protection Regulation (GDPR), demand in terms of my being able to export my data? What even counts as my data that I should be able to download or share, and as my friends’ data that I shouldn’t?
There’s a growing consensus that being able to easily move your data between social platforms, and perhaps even being able to communicate between different platforms, is necessary to promote competition online and enable new services to emerge. But that raises some difficult technical and policy questions about how to balance such portability and interoperability with your and your friends’ privacy interests—and how to guarantee that new privacy efforts don’t have the unintended consequence of locking in current platforms’ dominance by locking down their control over your data.
To investigate a potential path forward, New America’s Open Technology Institute partnered with Mozilla to host an event earlier this month, “A Deep Dive Into Data Portability: How Can We Enable Platform Competition and Protect Privacy at the Same Time.” It included a tutorial from OTI’s senior policy technologist Ross Schulman on the basic terminology and technologies at issue—for instance, distinguishing between “data portability” and “interoperability,” and explaining what the heck an “Application Programming Interface,” or “API,” is.
The event opened with a forceful keynote from David Cicilline, who’s a congressman for Rhode Island and the top Democrat on the House Judiciary Committee’s Antitrust Subcommittee. “We need pro-competitive policies that give power back to Americans in the form of more rights and greater control over their data,” Cicilline argued. “This starts by taking on walled gardens that block startups and other competitors from entering the market through high switching costs.”
Echoing a Wired op-ed he had previously co-authored, Cicilline highlighted how “[p]eople who may want to leave Facebook are less likely to do so if they aren’t able to seamlessly rebuild their network of contacts, photos, and other social graph data on a competing service or communicate across services.” Just as Congress gave cellphone users the right to “number portability”—lessening the switching cost of changing your cell carrier by giving you the ability to take your phone number with you—Cicilline argued that social network users should have the right to portability of their social media data. Unless we “free the social graph,” as one commentator put it, we may find ourselves locked into the current platform ecosystem with no chance of meaningful competitors emerging.
Importantly, Facebook has offered a feature called “Download Your Information” (DYI) since 2010. This lets users download all of the content they’ve ever posted on Facebook as a browsable HTML archive. (As described in our tech tutorial, other providers like Twitter and Google offer similar options.) However, Facebook’s download feature was originally designed as a personal archiving tool, rather than for easy porting of your data to another service. Indeed, when it was launched, Facebook clearly stated that "[t]his file and the information contained within it, is designed for an individual's use and not for developers or other services." That said, over the past couple of months, in response to both the Cambridge Analytica scandal and its data portability obligations under the GDPR, Facebook has revamped the DYI tool to be more portability-friendly. Most notably, Facebook now allows users to download their data in the structured JSON data format (see the tutorial for what that is!) instead of in unstructured HTML, making it much easier to move the data between different services.
But here comes the irony: The one thing you can’t download from Facebook is the one thing you’d most need if you wanted to move to a competing social network—your friends’ contact information, or any other unique information that would help you reconnect with them on another service. Instead, all you get is a list of their names, which isn’t very helpful for re-identifying specific individuals, considering how common many names are. Indeed, as was highlighted during the event, Facebook has long treated its possession of your friends’ contact information as a key competitive advantage, making it difficult for users to collect or export it.
For example, when users were first able to share an email address with friends on their profile page, it was displayed as a graphic rather than as text so that it couldn’t be cut and pasted. Some users may also recall when Facebook, in 2012, temporarily replaced users’ non-Facebook addresses with new “@facebook.com” addresses by default, making it harder to obtain off-Facebook contact information about your friends. And although there’s a hard-to-find setting where Facebook users can allow their friends to download their contact information, it is by default set not to allow such downloading—one of the rare Facebook settings that defaults away from, rather than toward, more sharing with friends.
Facebook has consistently justified its attempts to restrict sharing contact info as a privacy and security measure, but the alignment with its own business goals was always more than a little convenient. In addition, it’s also rather ironic, considering that a huge part of Facebook’s meteoric growth was driven by importing contact information from other services, especially Gmail (which led to a dispute between Google and Facebook back in 2010, when Google briefly cut off Facebook’s ability to access Google contacts over its API because Facebook wasn’t reciprocally allowing other services to access contact information on Facebook). Convenient and ironic or not, Facebook’s reticence to share contact information has only been bolstered by recent events: It was, of course, users’ ability to export data about their friends to outside apps that was at the root of the Cambridge Analytica scandal that has put Facebook in the privacy hot-seat. Meanwhile, thanks to GDPR’s privacy requirements, Facebook would now probably need to get affirmative consent from your friends before letting you export their email addresses, even if they arguably didn’t have to before.
There were no easy answers to this privacy-versus-portability conundrum coming out of our panel discussion. However, there were a few critical takeaways in terms of things that Facebook can and should do now to promote portability—and which are in its own interest to do, as it may face unwanted regulatory action if it doesn’t.
Help Set Clear Technical Standards. Easy portability of data between services will require open standards that everyone can use. Facebook’s offering downloadable data in the JSON file format is a good start, but it and other social networks should consider using the Activity Streams 2.0 open standard, a particular JSON-based format for exporting social media items. Facebook helped develop the standard at the World Wide Web Consortium, but right now only decentralized social network tools like Mastodon use it. On top of that, Facebook and all the other major cloud and social platforms should contribute to the open source Data Transfer Project, which aims to establish a common framework for easily moving data directly between services with just a few clicks and without having to download the data yourself. Google and Microsoft are already participating; others should, too.
Solve the Graph Portability Problem. Social platforms should allow you to export your friends’ contact information—or, if they can’t due to privacy restrictions, otherwise provide unique identifiers or other information sufficient to easily re-identify your friends on another platform. Your social graph is yours, and we need a standardized way to move that graph around. Some ideas that came out of the panel: Facebook could ask all users to give consent for their friends to export their contact information as part of Download Your Information—or at least give friends the power to ask each other for that permission. Or, Facebook could allow users to download some other unique piece of a friend’s data, like the URL of their profile or their unique Facebook user ID number. If that raises security concerns, the data could perhaps be “hashed” to obscure it while maintaining its usefulness as a unique identifier, as Josh Constine at TechCrunch has suggested. Facebook and others could maybe even petition the European Data Protection Board for an interpretation of the GDPR that would clearly allow such sharing for competition purposes. There are a range of possible solutions; the only certainty is that Facebook needs to start identifying and testing approaches now.
Allow Competitive Apps to Use the Facebook Platform. Data portability—letting someone download their data and transfer it elsewhere—isn’t the only way that people can leverage their Facebook data on another service. There’s also interoperability—the ability to use the Facebook Platform API to run an app that can make use of your Facebook data on an ongoing basis. The problem is that Facebook’s policy for app developers has long required that in order to make full use of the API, apps “must not replicate core Facebook features or functionality, and must not promote [their] other apps that do so.” For example, “your app is not eligible… if it contains its own in-app chat functionality or its own user generated feed” akin to Facebook’s messaging product or Facebook’s newsfeed. If Facebook doesn’t want to continue to be viewed by the public and by regulators as a platform monopolist, it needs to remove this anti-competitive provision and allow users to easily make use of their Facebook data on interoperable competing services.
Some of these steps would be easy for Facebook to take. Others would be more challenging. But all are worthwhile, and ultimately necessary, for ensuring an internet ecosystem that continues to be open, innovative, and competitive.
Reposted from New America's Weekly Newsletter.