A legacy of the 2016 U.S. election is the controversy about the role played by paid, targeted political ads, particularly ads that contain disinformation or misinformation. Political scientists and psychologists disagree about how these ads work, and what effect they have. It's a pressing political question, especially on the eve of another U.S. presidential race, and the urgency only rises abroad, where acts of horrific genocide have been traced to targeted social media disinformation campaigns.
The same factors that make targeted political ads tempting to bad actors and dirty tricksters are behind much of the controversy. Ad-targeting, by its very nature, is opaque. The roadside billboard bearing a politician's controversial slogan can be pointed at and debated by all. Targeted ads can show different messages to different users, making it possible for politicians to "say the quiet part out loud" without their most extreme messaging automatically coming to light. Without being able to see the ads, we can't properly debate their effect.
Enter Ad Observatory, a project of the NYU Online Transparency Project, at the university's engineering school. Ad Observatory recruits Facebook users to shed light on political (and other) advertising by running a browser plugin that "scrapes" (makes a copy of) the ads they see when using Facebook. These ads are collected by the university and analyzed by the project's academic researchers; they also make these ads available for third party scrutiny. The project has been a keystone of many important studies and the work of accountability journalists.
With the election only days away, the work of the Ad Observatory is especially urgent. Facebook publishes its own “Ad Library," but the NYU researchers explain that the company’s data set is “complicated to use, untold numbers of political ads are missing, and a significant element is lacking: how advertisers choose which specific demographics and groups of people should see their ad—and who shouldn't. They have cataloged many instances in which Facebook had failed to live up to its promises to clearly label ads and fight disinformation.
But rather than embrace the Ad Observatory as a partner that rectifies the limitations of its own systems, Facebook has sent a legal threat to the university, demanding that the project shut down and delete the data it has already collected. Facebook’s position is that collecting data using "automated means" (including scraping) is a violation of its Terms of Service, even when the NYU Ad Observatory is acting on behalf of Facebook's own users, and even in furtherance of the urgent mission of fighting political disinformation during an election that U.S. politicians call the most consequential and contested in living memory.
Facebook’s threats are especially chilling because of its history of enforcing its terms of service using the Computer Fraud and Abuse Act (CFAA). The CFAA makes it a federal crime to access a computer connected to the Internet “without authorization," but it fails to define these terms. It was passed with the aim of outlawing computer break-ins, but some jurisdictions have converted it into a tool to enforce private companies’ computer use policies, like terms of service, which are typically wordy, one-sided contracts that virtually no one reads.
In fact, Facebook is largely responsible for creating terrible legal precedent on scraping and the CFAA in a 2016 Ninth Circuit Court of Appeals decision called Facebook v. Power Ventures. The case involved a dispute between Facebook and a social media aggregator, which Facebook users had voluntarily signed up for. Facebook did not want its users engaging with this service, so it sent Power Ventures a cease and desist letter alleging a violation of its terms of service and tried to block Power Ventures’ IP address. Even though the Ninth Circuit had previously decided that a violation of terms of service alone was not a CFAA violation, the court found that Power Ventures did violate the CFAA when it continued to provide its services after receiving the cease and desist letter. So the Power Ventures decision allows platforms to not only police their platforms against any terms of service violations they deem objectionable, but to turn even minor transgressions against a one-sided contract of adhesion into a violation of federal law that carries potentially serious civil and criminal liability.
More recently, the Ninth Circuit limited the scope of Power Ventures somewhat in HiQ v. LinkedIn. The court clarified that scraping public websites cannot be a CFAA violation regardless of personalized cease and desist letters sent to scrapers. However, that still leaves any material you have to log in to see—like most posts on Facebook—off limits to scraping if the platform decides it doesn’t like the scraper.
Decisions like Power Ventures potentially give Facebook a veto over a wide swath of beneficial outside research. That’s such a problem that some lawyers have argued interpreting the CFAA to criminalize terms of service violations would actually be unconstitutional. And at least one court has taken those concerns to heart, ruling in Sandvig v. Barr that the CFAA did not bar researchers who wanted to create multiple Facebook “tester" accounts to research how algorithms unlawfully discriminate based on characteristics like race or gender. The Sandvig decision should be a warning to Facebook that shutting down important civic research like the Ad Observatory is a serious misuse of the CFAA, which might even violate the First Amendment.
Over the weekend, Facebook executive Rob Leathern posted the official rationale for the multinational company's attack on a public university's researchers: he claimed that "Collecting personal data via scraping tools is an industry-wide problem that’s bad for people’s privacy & unsafe regardless of who is doing it. We protect people's privacy by not only prohibiting unauthorized scraping in our terms, we have teams dedicated to finding and preventing it. And under our agreement with the FTC, we report violations like these as privacy incidents...[W]e want to make sure that providing more transparency doesn't come at the cost of privacy."
Leathern is making a critical mistake here: he is conflating secrecy with privacy. Secrecy is when you (and possibly a few others) know something that everyone else does not get to know. Privacy is when you get to decide who knows what about you. As Facebook's excellent white paper on the subject explains: "What you share and who you share it with should be your decision."
Leathern's blanket condemnation of scraping is just as disturbing as his misunderstanding of privacy. Scraping is a critical piece of competitive compatibility, the process whereby new products and services are designed to work with existing ones without cooperation from the companies that made those services. Scraping is a powerful pro-competitive move that allows users and the companies that serve them to overturn the dominance of monopolists (that’s why it was key to forcing U.S. banks to adopt standards that let their customers manage their accounts in their own way). In the end, scraping is just an automated way of copying and pasting: the information that is extracted by the Ad Observer plugins is the same data that Mr Leathern’s users could manually copy and paste into the Ad Observatory databases.
As with so many technological questions, the ethics of scraping depend on much more than what the drafter of any terms of service thinks is in its own best interest.
Facebook is very wrong here.
First, they are wrong on the law. The Computer Fraud and Abuse Act should not not be on their side. Violating the company's terms of service to perform a constitutionally protected watchdog role is lawful.
Second, they are wrong on the ethics. There is no privacy benefit to users in prohibiting them from choosing to share the political ads they are served with researchers and journalists.
Finally, the are wrong on the facts. Mr. Leathern's follow-up tweets claim that the Ad Observatory's plugins collect "data about friends or others who view the ads." That is a statement with no apparent factual basis, as is made abundantly clear from the project's FAQ and privacy policy.
That's a lot of wrong. And worse, it's a lot of wrong on the eve of an historic election, a wrongness that will chill other projects contemplating their own accountability investigations into dominant tech platforms.
Published October 27, 2020 at 05:17PM
Read more on eff.org