{
  "id": "IN10879",
  "type": "CRS Insight",
  "typeId": "INSIGHTS",
  "number": "IN10879",
  "active": false,
  "source": "EveryCRSReport.com",
  "versions": [
    {
      "source": "EveryCRSReport.com",
      "id": 579999,
      "date": "2018-04-04",
      "retrieved": "2019-05-03T16:09:39.606300",
      "title": "Data, Social Media, and Users: Can We All Get Along?",
      "summary": "Introduction\nIn March 2018, media reported that voter-profiling company Cambridge Analytica had exceeded Facebook\u2019s data use policies by collecting data on millions of Facebook users. Cambridge Analytica did this by working with a researcher to gain access to the data, so the company itself was not the entity seeking access to the information. This allowed Cambridge Analytica to \u201cscrape\u201d or download data from users who had granted access to their profiles, as well as those users\u2019 Facebook friends (whose profiles the first user had access to, but for which the friends did not authorize access). \nAt this time, it is publicly unknown what data were accessed. Facebook hired a digital forensics firm to audit the event. Based on media reporting and old Facebook applications, user profile data such as interests, relationships, photos, \u201clikes,\u201d and political affiliation may have been accessible, but not all data held by Facebook appear to have been accessed by an outside party. Additionally, as initial access to a user\u2019s profile was granted via an app, other information about the user, such as other apps installed on the device and Internet Protocol addresses, may have been accessed. With this information, Cambridge Analytica built profiles of potential voters to test messaging and target advertisements. In addition to ads on Facebook, search engine optimization may have been used to drive users toward ads and other web content (i.e., blogs) outside Facebook. \nThis event could be characterized as a data breach despite Facebook systems not being breached (i.e., hacked) because a third party was able to access data that neither users nor Facebook intended to share. Rather than compromise a vulnerability in Facebook\u2019s information technology (IT), Cambridge Analytica compromised weak security controls and violated Facebook\u2019s data policies. This breach is akin to an insider exceeding authorized access to retrieve information, or an outsider using information they were authorized to access for purposes prohibited by contractual agreement.\nIn response to this incident, some Members of Congress have questioned Facebook and have invited Facebook CEO Mark Zuckerburg to testify before House and Senate committees. This Insight examines policy issues surrounding this incident and provides options for Congress to consider. While this event has started discussions on election security and social media company requirements to report advertising, this Insight addresses data security concerns without discussing the impacts or consequences of data use. \nIssues\nThis is not Facebook\u2019s first major privacy and data security incident. In 2011, the Federal Trade Commission (FTC) entered into a consent order with Facebook following an investigation into the company\u2019s privacy practices at the time. The FTC went further and released guidance so other companies could avoid enforcement actions. In an unusual step, the FTC has publicly confirmed opening an investigation on Facebook\u2019s data security and privacy practices in light of the media reports about Cambridge Analytica. \nWhile Facebook\u2019s, the FTC\u2019s, Congress\u2019s, and other investigations continue, the public will learn more about this event and its implications. However, initially, this event has ignited a public debate on data ownership, usage, security, and privacy.\nData Ownership, Rights, and Usage\nConsumers\u2019 expectations and reality on who owns data and how data may be used are commonly misaligned. In Europe and Canada, data about individuals are generally considered to always remain their data; they have a right to the data, a right to expect the data be secured, a right to know exactly how those data are used, and a right to remove those data from the service hosting it. However, in the United States, general data regulation does not exist. Individual regulations exist, but those are targeted at specific types of entities (e.g., the Safeguard Rule for financial firms and HIPAA health information standards for payers and providers of healthcare). Once data are submitted to another entity, they are generally considered to be under that entity\u2019s ownership, and any data that entity generates from submitted data belongs to that entity\u2014barring a separate agreement between the parties dictating data ownership and usage. \nData Security and Privacy\nData security is not generally prescribed by law for the information technology sector. Instead, companies make IT security investments as part of managing corporate risk. Mitigating this risk may be material to their investors or beneficial to their users. In the U.S. system, privacy rules are in place to ensure privacy of an individual from the government. However, privacy of individuals from other entities (e.g., other individuals or corporations) is a matter of state law and private agreements (e.g., contracts). This places a higher burden on individuals to understand the risk of generating and sharing data, as well as reviewing and understanding individual agreements with different services with which they engage. \nOptions for Congress\nOversight\nCongress has provided oversight of data security practices at private companies in the past. Following the Equifax data breach last year, Congress held hearings on the incident and encouraged the industry to adopt stronger security postures and provide consumers relief. Hearings can inform legislation, advance debate, and drive private action in hopes of avoiding governmental action. \nLegislation\nOptions for Congress to legislate in response to the Facebook incident include (but are not limited to) defining national expectations for data ownership and privacy; establishing expectations for liability when unauthorized parties access data; and creating data breach notification rules. Examples of such rules are the European Union\u2019s General Data Protection Regulation (GDPR) and Canada\u2019s Personal Information Protection and Electronic Documents Act (PIPEDA).\nThese options would alter companies\u2019 relationship with data. Currently, data are cheaply collected, analyzed, and used for profit, enabling free access to large portions of the Internet and other IT services. Placing restrictions on data would alter the business models of these Internet-enabled companies and services. The question then becomes one of tradeoffs\u2014does the free use of data create a national harm or is it a necessity for America remaining a leader in innovation, and what are the consequences of each?\nIn considering legislative options, Congress could also consider granting regulatory authority to a federal agency or agencies, or it could create a new federal entity to regulate companies. It appears that agencies do not currently have authority to regulate the data security at social media companies. Instead, data security may be enforced at a company pursuant to a consent order with the FTC after an unfair or deceptive practice investigation. \nRegulation\nThe IT sector (including social media companies) currently faces little federal regulation. This stems from a desire to promote innovation. However, absent from that argument is the enormous social and economic impact of some IT companies. For instance, the reported number of Facebook users affected by this event is greater than the estimated populations of New York and Texas combined, and Facebook has a larger market capitalization (over $400 billion) than JP Morgan Chase (over $300 billion). \nCongress could consider several models for regulation, including \nGovernment Regulation\u2014a government agency directly regulates an industry through an exercise of statutory authority with accountability to the President and Congress (e.g., the Nuclear Regulatory Commission\u2019s relationship with nuclear facilities). \nQuasi-Governmental Regulation\u2014an organization with public and private sector characteristics, like a government corporation, regulates under a statutory authority and has accountability to the President and Congress (e.g., the Federal Deposit Insurance Corporation). \nRegulation by Nongovernmental Elements\u2014a nongovernmental entity exercises regulatory authority in cooperation with, or under the oversight of, a governmental agency (e.g., the North American Electric Reliability Corporation writes standards which are accepted and enforced by the Federal Energy Regulatory Commission).\nSelf-Regulatory Organizations (SROs)\u2014organizations that act under a federal statute or authority, which can be overseen by a government agency (e.g., the Financial Industry Regulatory Authority) and federally chartered organizations that have exclusive jurisdiction over a specific subject (e.g., the U.S. Olympic Committee governing U.S. participation in the Olympic games). \nIf Congress were to grant regulatory authority to a federal agency or agencies, agency action would probably fit into a three-step framework. First, an authorized entity creates the regulation which industry must follow. This is also called rulemaking. Next, an agency could examine or supervise for compliance with the regulation. If a company is found to be not in compliance with the regulation, the agency could enforce the regulation (e.g., suing the company or issuing a fine). Congress may grant authority to different agencies for each step in this framework.\nShould Congress legislate and/or grant regulatory authority to a new or existing entity, Congress may likely have an interest in conducting oversight of how that authority is executed.\nAnother option, which does not require congressional action, is for industry-based SROs to prescribe standards (e.g., the Payment Card Industry Data Security Standards). In such instances, the government does not compel participation in the scheme, though industry-specific factors might make nonparticipation difficult.",
      "type": "CRS Insight",
      "typeId": "INSIGHTS",
      "active": false,
      "formats": [
        {
          "format": "HTML",
          "encoding": "utf-8",
          "url": "https://www.crs.gov/Reports/IN10879",
          "sha1": "1e9f30a9c11d79552d245ae9ebdf884a796df1d2",
          "filename": "files/20180404_IN10879_1e9f30a9c11d79552d245ae9ebdf884a796df1d2.html",
          "images": {}
        },
        {
          "format": "PDF",
          "encoding": null,
          "url": "https://www.crs.gov/Reports/pdf/IN10879",
          "sha1": "0d76c96bfd5880612726c68af69c2724e6b14d68",
          "filename": "files/20180404_IN10879_0d76c96bfd5880612726c68af69c2724e6b14d68.pdf",
          "images": {}
        }
      ],
      "topics": []
    }
  ],
  "topics": [
    "CRS Insights"
  ]
}