In recent weeks, Facebook confronted yet another privacy scandal, in light of leaked court documents suggesting that its staff discussed the idea of selling user data as long ago as 2012. Facebook's director of developer platforms and programs, Konstantinos Papamiltiadis, responded, “To be clear, Facebook has never sold anyone’s data.” It was the same denial that Mark Zuckerberg issued before the Senate in April 2018: “We do not sell data to advertisers. We don’t sell data to anyone.”
As a data scientist, I am shocked that anyone continues to believe this claim. Each time you click on a Facebook ad, Facebook sells data on you to that advertiser. This is such a basic property of online targeted advertising that it would be impossible to avoid, even if Facebook somehow wanted to.
Or even better, let Mr. Zuckerberg explain, as he did to the Senate in April: “What we allow is for advertisers to tell us who they want to reach, and then we do the placement. So, if an advertiser comes to us and says, ‘All right, I am a ski shop and I want to sell skis to women’ … we can show the ads to the right people without that data ever changing hands and going to the advertiser.”
Let’s take a closer look at Mr. Zuckerberg’s ski shop example. The ski shop pays Facebook to show a targeted ad to women; anyone who clicks on the ad is sent to the ski shop’s website. Mr. Zuckerberg describes this process as showing “the ads to the right people without that data ever changing hands and going to the advertiser.” But this isn’t true: If a ski shop pays Facebook to show an ad only to women, then Facebook automatically reveals to the ski shop that everyone who clicked on the link must be a woman.
And in practice, the advertisers make requests that are much more nuanced. They may ask Facebook to show their ad to “liberal Latina women without college education who live in San Antonio and recently got married.” And then they might place a separate ad that is shown only to “conservative African-American women with college educations who live in Austin and are single.” When you click on an ad and are sent to an advertiser’s website, the advertiser knows which ad you saw and thus which bucket you fall in.
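To see how little effort this inference takes, here is a minimal sketch of what an advertiser could do. The campaign IDs, trait names and URL parameter are all invented for illustration; the point is simply that the advertiser already knows the targeting criteria it chose for each ad, so a click reveals those traits without any data file ever changing hands.

```python
# Hypothetical sketch: the advertiser records the targeting criteria
# it chose for each ad campaign. All IDs and traits are invented.
CAMPAIGN_TRAITS = {
    "camp_001": {"gender": "female", "politics": "liberal",
                 "city": "San Antonio", "marital_status": "recently married"},
    "camp_002": {"gender": "female", "politics": "conservative",
                 "city": "Austin", "marital_status": "single"},
}

def traits_from_click(campaign_id):
    """A visitor arriving via a campaign link (e.g. a tracking
    parameter in the URL) reveals every trait that campaign
    targeted. Unknown campaigns reveal nothing."""
    return CAMPAIGN_TRAITS.get(campaign_id, {})

# A visitor lands on the site with a link tagged "camp_002":
visitor_profile = traits_from_click("camp_002")
```

A lookup table is all that is required: Facebook never hands over a spreadsheet, but the click itself carries the same information.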
Facebook has a lot of data on its users and is eager to monetize it. Advertisers are encouraged to selectively target people according to a mind-boggling range of personal characteristics. Some, such as age, gender or location, are not overly intimate. Others, such as your political views, family size, education, occupation, marital status or interest in a gay dating app, are highly personal.
Facebook would even let advertisers target you based on facts that you may not be aware of, such as that you are a close friend of a soccer fan or of someone who recently got engaged. In a recent study we published, my colleagues and I discovered that advertisers can target users based on their intimate psychological traits, such as personality. If you can think of an important personal characteristic, there’s a good chance it’s targetable on Facebook. Through this ad-targeting system, Facebook discloses facts about you to advertisers, in exchange for money, every time you click on an ad. I’d call that “selling data,” and I bet that you would, too.
But Facebook is extremely clever at dodging this issue. When the company argues that it is not selling data, but rather selling targeted advertising, it’s luring you into a semantic trap, encouraging you to imagine that the only way of selling data is to send advertisers a file filled with user information. Congress may have fallen for this trap set up by Mr. Zuckerberg, but that doesn’t mean you have to. The fact that your data is not disclosed in an Excel spreadsheet but through a click on a targeted ad is irrelevant. Data still changes hands and goes to the advertiser.
Facebook’s claim that it is not selling user data is like a bar giving away a free martini with every $12 bag of peanuts and then insisting that it’s not selling drinks. Rich user data is Facebook’s most prized possession, and the company sure isn’t throwing it in for free.
Importantly, this problem is not limited to Facebook. Other Big Tech companies, including Google and Amazon, have similar ad platforms. If a platform can be used to target specific users, then it reveals those users’ data. The advertiser could easily create its own data file based on this information, or merge the information with any other data it has on a customer.
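Creating such a file or merging it with existing records is trivial. The sketch below is hypothetical (the customer database and field names are invented), but it shows how a handful of lines could fold traits inferred from an ad click into whatever record the advertiser already keeps on a customer.

```python
# Hypothetical sketch: fold traits inferred from an ad click into an
# advertiser's own customer database. All names are invented.

def merge_into_crm(crm, email, inferred_traits):
    """Attach inferred traits to an existing customer record,
    creating the record if the customer is new."""
    record = crm.setdefault(email, {})
    record.update(inferred_traits)
    return record

# The advertiser already knows this customer made three purchases;
# a click on a targeted ad now adds demographic traits to the file.
crm = {"ana@example.com": {"purchases": 3}}
merge_into_crm(crm, "ana@example.com",
               {"gender": "female", "city": "Austin"})
```

Once merged, the data behaves exactly like data bought in bulk, even though no spreadsheet ever crossed the wire.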
The potential for abuse is obvious. As we suspected in 2016, plenty of groups buy Facebook ads to cause trouble or sow discord, rather than “merely” to sell you things. If advertisers can effectively buy data about Facebook users in the manner I’ve described, they can discriminate or target propaganda ever more effectively — both inside and outside the Facebook advertising ecosystem. They could even take the information they’ve gleaned from Facebook, combine it with advanced machine-learning algorithms and build predictive models for other sensitive traits, like religious and political views, personality, intelligence, sexual orientation, happiness, use of drugs or parental separation.
To address this problem, we need to offer users both transparency and control. Before being directed to an advertiser’s site, users should be told which of their traits were used in targeting them. They should also be warned that, if they continue, these traits will be revealed to the advertiser.
Facebook cannot be trusted to fix this problem itself. Would you trust Big Tobacco’s claims about lung cancer? What about Big Sugar’s claims about obesity? Then why would you believe what Big Tech has to say about data privacy? Markets, including the market for consumer data, do not work efficiently when a company like Facebook is allowed to abuse its market position to ignore its users’ rights, needs and wishes. Policymakers have no choice but to step in, restore the balance of power and protect citizens’ privacy.
Michal Kosinski is an assistant professor at Stanford University’s Graduate School of Business. He has a doctorate in psychology from the University of Cambridge and has previously held positions at the University of Cambridge Psychometrics Center, Microsoft Research and Stanford's Computer Science Department.