

Re: [projectvrm] Facebook and GDPR


  • From: Guy Higgins < >
  • To: Tim Walters < >
  • Cc: Iain Henderson < >, ProjectVRM list < >
  • Subject: Re: [projectvrm] Facebook and GDPR
  • Date: Thu, 19 Apr 2018 14:51:55 -0600

Tom,

Thanks.  Nice and informative comment.  I do agree with you.  Let me try to order some thoughts here:
  1. Innovation in support of success (profitability or growth or longevity or however you want to categorize success for a business entity — something that I think was best captured by William Edwards Deming — “The purpose of a company is to stay in business.”  In order to stay in business, you must 1) make profit, 2) respond to your customers, 3) comply with (or change) the law/regulations and 4) continue to evolve your products to attract and keep customers.)
  2. Incentives (and the role of Boards of Directors)
  3. The role(s) of government
Okay, in that order:
  1. Innovation — I really like a framework that Eric Beinhocker proposed in The Origin of Wealth.  A company can create a competitive advantage by innovating in any of three “dimensions.”
    1. Material Technology — this is developing and implementing new and better ways of turning “stuff” into different “stuff” that people need or want more.  This “stuff” can be product or process (including the hardware and software).  This is the area about which most people think when they think of innovation.
    2. Social Technology — this is conceiving of and implementing new and better ways of working together in order to turn “stuff” into different “stuff.”  This may be represented by Nucor or Whole Foods (prior to its recent purchase) or perhaps even Nordstrom.  This is where leadership comes into play.
    3. Business Model (or perhaps operational model for non-profits — same thing) — this is conceiving of and implementing some new and better way of turning the “stuff” you produced into money or some equivalent thereof.  This is the area in which esoteric things like incentives play.
It is, I think, critically important that companies innovate in all three of these dimensions.  Apple developed some innovative hardware, but they also created an entirely new business model for the music (and now entertainment) market.  Amazon’s business model was innovative, but there’s no indication that they have innovated (as opposed to being a rapid follower) in material or social technology.  FaceBook’s business model was innovative, but it may turn out to have been an evolutionary dead end.  As people understand better what “free” use of the FaceBook ecosystem entails, they may elect to look for something better.  The “Steve Jobs” of social media who creates that “better” is likely to quickly exterminate FB (the way that the iPod and then iPhone exterminated all those yellow MP3 players with their LCD displays and gray buttons).  The connectedness of the world today enables small players to quickly gain critical mass and become a competitor.

To stay in business, à la Deming, companies (actually the leadership of the companies) need to create the environment within the company that empowers employees (or associates or whatever the company wants to call their internal human resources) that enables innovation and tolerates the associated failures (Hallucigenia is an example of the evolutionary tolerance for failures — it’s been extinct for eons).  A highly flexible process and a cavalier attitude toward what worked last time is essential.
  2. Incentives — some of the biggest problems for companies are failures to:
    1. Have an actual strategy.  Most companies have warm fuzzy sound bites rather than actual strategies that recognize barriers to success and that allocate resources to overcome those barriers.
    2. Create effective incentives that actually align with and support the strategy.  Too many times incentives focus on individual accomplishments rather than on implementing the overall organizational strategy.  For example, the VP of marketing may be incentivized to grow sales and market share while the actual company strategy may be focused on phasing out an aging cash cow and replacing it with a revolutionary new product.  Boeing military is a perfect example here — the executives in Military Airplanes have been incentivized to maintain and grow their sales of F-15’s (1975 vintage) and F/A-18’s (1979 vintage).  They have performed heroically, but they are now a full generation behind Lockheed Martin and at serious risk of becoming two generations behind and going out of the tactical airplane business. Nonetheless, the Military Airplane executives have gotten some seriously good annual bonuses.  Perhaps the new CEO of Boeing Defense will change that since she effectively fired one of the biggest “contributors” to a failure to win new business, but that remains to be seen.
    3. Align the size of the incentives with proven effectiveness.  Research by Dan Ariely (Duke University) and others has indicated that incentives of the size of a week’s salary are too small to make any difference and incentives the size of an annual salary and larger tend to create a highly conservative behavior.  The trick is to figure out the size of the incentive that actually incentivizes and then tie it to the overall company strategy.  This is hard (the working title for a book I fantasize about writing).
  3. The role(s) of government — Caveat, I am one of those people who thinks (not believes) that government should be as small as practical (and no smaller) — not because of any ideology but because the data indicates that big governments tend to do things that they are not competent to do and that they make BIG mistakes without accountability.  ‘Nuf said about that.  Given my thoughts on that subject, I think that the role of government is not to regulate market segments or behaviors, but rather to create laws that tend to bias the economic ecosystem in the direction of increased prosperity and better quality of life for the majority of people.  To me, that means, in this case, that 281 pages of regulations in the English pdf of the GDPR is probably way overkill.  It will create all sorts of unintended consequences and niches within which sly and cunning people will abuse the system.  The Ten Commandments are very brief and they don’t allow wiggle room.  Similarly, the Golden Rule is very brief and very much to the point.  Governments should be trying to implement laws and regulations that create biases toward the intended result rather than trying to specify any specific behavior.  I’ll observe here that directive laws (those that mandate a behavior like the US Affordable Care Act or prohibit a behavior) are generally implemented after the circumstances have changed and are therefore less effective than planned.  Law is always “behind the power curve.”  Again, this is hard.  Anybody can use force to compel the behavior of a single person.  Creating an environment in which the population of a nation state behaves in a manner that benefits most people is what political leadership is about.

I’m interested in hearing your thoughts when you get a free moment (or several),

Guy 


I agree, Guy. But I think it's even more fundamental.

Beyond (or in addition to) the pathologies of big companies/monopolies, I think we have with Facebook a fundamental clash of incentives. Their business model depends on targeted advertising, which depends on profiling, which depends on collecting large volumes of personal data. If you believe, as I do, that businesses (as legal persons, not as their publicly identified leadership) are, and should be, driven by their business incentives, then Facebook (and similar) has to resist the GDPR restrictions wherever and whenever possible --- e.g., in the devious consent notices I posted yesterday.  That is, FB has a fiduciary responsibility to the shareholders (a legal responsibility I find despicable) to maximize shareholder value. Thus their incentive is to devise consent notices that maximize the volume of ongoing personal data collection -- balanced against the risk of investigations and fines from the supervisory authorities. This behavior (which I termed being "devious little shits" in a tweet yesterday) will change (or should change, according to the principle of incentives) only when a countervailing incentive quite literally "weighs more."  

For example, when McDonald's abandoned the clam shell styrofoam packaging. They didn't do it out of principle or kindness to the environment. They did it because they calculated that it would be the right thing for the bottom line.

Similarly, Facebook will (I hate to say it, but -- naturally, even "understandably" --) continue to "depylore" -- which is a new word I just made up that combines "deploy" and "ignore" -- the GDPR, until the incentives compel them to do otherwise. The threat of 4% of gross revenue fines may not be sufficient incentive. The loss of 30-40-60% of the data available for targeted advertising could be.

Meaning? We (insofar as we're on Facebook) monitor Facebook's compliance with the GDPR, restrict access to data, exercise data subject rights, complain as appropriate to DPAs -- and thus impress upon FB sooner rather than later the benefits of, as the ICO's Elizabeth Denham has said, handling data "sensitively and ethically."

Cheers,
tw

On Thu, Apr 19, 2018 at 6:11 PM, Guy Higgins < > wrote:
On Tuesday, we had a serious wind storm locally and one of my neighbors had a fir tree blown over in his front yard.  While I was helping him and his wife attempt to save the tree, we fell into a discussion of monopolies and success.  I’ve held for a long time that success is a self-correcting condition.  Successful companies, like FaceBook and Amazon and Google (and US Steel and Standard Oil and AT&T), become successful, then they begin to suffer from the pathologies of large organizations.  These pathologies include, but are certainly not limited to, large, rule-bound bureaucracies, slowing growth, fiscal laxity and hubris (my personal favorite).  These pathologies create risks for the organization — risks that are extremely difficult to effectively address because addressing them would require the leadership to take actions that do not reward said leadership (short-term bloodletting for long term health).  That opens the door for competitors.  Is any of this inevitable — of course not, it’s merely the way the Second Law of Thermodynamics (paraphrased as, “Left to itself, everything goes to s#*&.”) weights the evolving ecosystem.  Look at the Dow Jones Industrial Index.  The average time that a company is on the index has been monotonically declining for a century.

I suspect that the contortions that the illustrious Mr. Zuckerberg is going through will ultimately open the door for competitors — and I think that the most effective thing government could do is to nurture the economy/economies to enable those competitors — and those competitors should include VRM-friendly players.

Guy


And as expected/feared. I suspect this will be worth a court battle. It's not clear to me what it means to "switch the data controller entity." If FB Ireland continues doing all of the processing, I doubt that FB can simply *designate* FB US as the controller.

https://techcrunch.com/2018/04/18/data-experts-on-facebooks-gdpr-changes-expect-lawsuits/




On Thu, Apr 19, 2018 at 9:27 AM, Iain Henderson < > wrote:
Hi Tim, on your first point I’d have thought that just boils down to which Facebook entity is the data controller for which set of users; as you say if ‘served from Ireland’ equals Facebook IE is the data controller then yes all 1.9bn should have those rights.

If true then that won’t have been by design related to GDPR; just historical, and I don’t see how they could move users from one controller to another at this point.

Sounds like facial recognition activity was planned pre Cambridge Analytica blow up as it does not sound like a good thing to be doing in that context.

Cheers

Iain



Two quick news items to promote and solicit viewpoints.

First, I was surprised by this statement a couple of days ago. "The 89 percent of users served from Facebook Ireland—even those who don’t live in EU countries—will already benefit from the GDPR’s legal protection, regardless of public promises, and can seek redress through European regulators and courts."

If it is true that these global users -- all except the US and Canada -- are served from Ireland, then according to Article 3(1), all 1.9 billion of them should be due full GDPR protections and rights as of 25 May. It seems to me that that, combined with the Article 5 requirements for purpose specification and limitation plus the heightened awareness around data abuse, could equal a significant revenue impact for Facebook.

Make sense?

Of course, if the impact is significant enough, it could motivate FB to restrict Ireland to serving EU residents and deal with the rest of the globe from elsewhere.

Second, that highlights the question of how successful FB will be in getting users to consent to purposes that go beyond those necessary to facilitate social exchanges. And this article says that FB has started rolling out the requests. FB provided a sample of a consent request for facial recognition. (I'll try to embed it here, but it didn't work last time.) I can't see how any data protection authority is going to find this acceptable. (But then, the lead DPA for FB will be Ireland's Helen Dixon, who has until now shown no backbone in standing up to FB re Max Schrems's complaints.)

The left screen asks for consent for facial recognition. But instead of the "affirmative action" choices being Accept/Refuse or Allow/Disable, they are "Accept and Continue" or "Manage Data Setting."

Problem #1: The request is not "clear" and "transparent" as required by the GDPR. A request to accept or decline a given type of data collection should offer accept or decline actions. Instead, users can accept, or they can . . . ugg, yuck, "manage my data settings"? Sounds hard. I'll just accept.

If you do select Manage Data Setting -- that is, if you want to say NO -- you're presented (I presume) with the screen on the right. This does nothing but ask AGAIN if Facebook can use facial recognition. Even I (a trained sceptic) initially thought this was a different question. The choices after this question -- allow/don't allow -- are the ones that ought to have been presented on the left screen.

Finally, note that according to one quote in this article, FB itself evidently thinks that GDPR protections apply only in the EU, not for the 1.9 billion served from Ireland. Namely: "The company says that “people in the EU will see specific details relevant only to people who live there, like how to contact our Data Protection Officer under GDPR.”"

Cheers,
tw





