> The bill would require communications platforms with more than 100 million monthly active members - Facebook has more than two billion - to allow its users to easily move, or port, their data to another network, Warner’s office said in a statement.
Facebook already has a data export feature. You have to manually navigate to that page and download a giant zip file. Cool.
The much more important concept being proposed here is delegation:
> Under the bill the companies would be required to maintain an interface to facilitate interoperability. Or users would be allowed to choose another company to manage a user’s account settings, content, and online interactions, the statement said.
Very few people are going to manually export their data from Facebook. But they might go to a new network that supports cross-posting to Facebook, or an automatic import that doesn't require them to navigate Facebook's menus.
Delegation is a severely underappreciated digital right. Beyond advocating for data-exports, we should advocate that users have the right to delegate data-access through APIs to third-parties. If I can manually update/download my Facebook status, I should also be allowed to programmatically update it. And I should be able to authorize another person to update/download it on my behalf.
> we should advocate that users have the right to delegate data-access through APIs to third-parties
From my PoV, for my purposes, as a technically minded user I might agree.
But thinking about the numpty-on-the-street, this could be a privacy nightmare with people being easily conned into allowing a random application full unrestricted access to slurp their data. This can happen already, of course, but the provider could detect a remote API scraper and try to block it, and a user-local malware scanner can be trained spot a rogue browser extension that scrapes the UI, but if API access like that is mandated they'll have to provide the access and won't be able to tell the difference between that which the user requested and that which the user was conned into requesting.
The solution I think that the PDS2 "open" banking system has come up with is that all the API integrators are also subject to regulatory approval. So you can't just spin up a shadowy data-slurping shell and connect it to people's bank accounts.
Then we'd have to apply for website licenses at the California Department of Cyber Vehicles. I hope my website is up to the Cyber Building Code. Yikes.
User must rotate their password every 7 days or be locked out pending in-person approval. The software must enforce this restriction while allowing a two-hour grace period on days when daylight savings changes.
The building codes I am familiar with (fire alarm systems) are completely sane "best practice" guides.
I recently renovated a 1950s building, among other things I designed and wired a fire alarm system from scratch, and passed inspection on first attempt. The building code gave very valuable pointers: what kind of cables should I use, how zones should be wired, how many sensors I should have, how they should be placed, how long backup batteries should last, etc.
You say you are familiar with building codes. But have you ever tried to build or renovate a building?
Some areas are okay. Others are not. The issue is not so much building codes, although there are definitely codes that e.g. push specific products from specific vendors and other shenanigans, but the approval process that gives the local authority unlimited time to mess with you for any reason.
There is, I think, a single US state that puts reasonable limits on project authorization, but I can't remember which it is.
All in all, doing anything with real property opens you up to just having your money taken by the government and lawyers while accomplishing nothing.
Can’t you already post through the Facebook API, just in a non-standardized format? I know you can’t anymore for Instagram, but I thought that third parties could post to your feed with your authorization.
Again though, all that needs to be done is to make sure that the liability for leaked data falls on the user. That's the other part of it right? You delegated access to your account, so InstaFaceTwitter is no longer responsible for what happens to the data on that account. They are only responsible for making sure they give anyone presenting the keys you authorized access to edit and read data on your account.
I mean, there are obviously responsibilities that naturally come with having delegated that access. And word will get around. The first GDPR violations because some user delegated access to their account and the entity that was authorized slurped up all of that user's contacts' personally identifiable data without the contacts being notified, will undoubtedly set the tone. That's still likely a GDPR violation. This doesn't change any of that. The only thing that changes is that the consequences for the GDPR violations now fall on the entity that was authorized, or maybe on the user who authorized the entity? (Not sure which?) But it obviously would not fall on Twitter since it is only complying with the law.
It's important that legal and criminal liability is matched to authorization or delegation. In practice, it will be the threat of legal liability that ensures data security and data privacy, so that needs to follow delegation to ensure incentives are always aligned properly.
> all that needs to be done is to make sure that the liability for leaked data falls on the user
I don’t think that was the point of what the parent commenter was saying.
As I read it, they were talking not about liability but the likely negative side effect of having more people be conned out of their private data that will then be abused.
Who is liable is a secondary concern. The main problem is the fact that people’s private data end up in the wrong hands.
With such a shallow view of freedom, physical property ownership is a very anti-freedom concept as well, is it not? Ownership of a house is an infringement on the freedoms of other poeple who want to live there?
Intellectual property is no different than any other sort of property. The right to own property is invaluable, and serves the purpose of maximizing freedoms in the long run.
Someone will write an app that uses a delegation API to destroy your data. Possibly including better or more nuanced ways than simply deleting your account, like removing all pictures of yourself smoking or wearing a beret.
Don’t we have this right for a large portion of the population? GDPR and CCPA both include “the right to be forgotten.”
Many companies will honor GDPR delete requests for non-eu users. CCPA includes a programmatic delete option and I’m sure the most common decision will be to allow it for all users not just California users.
> should advocate that users have the right to delegate data-access through APIs to third-parties
Not just third parties, but themselves (aka, write/use your own client for messenger/discord/...). This is the only way to get rid of having to use dozens of clients for various networks (apart from total standardization and federation which isn't happening anytime soon)
Yeah, EU made the same mistake with banking APIs. Banks now have to have API access, but not for end users, just for registered intermediaries. It just pushes the data into hands of more corporations, instead of giving users easy access to their bank.
This is the last thing these companies will allow because it would destroy their business model. This would allow federation of different competing sites and users could pick the company/interface they like most and still have access to all their friends/pages/connections on FaceTweet.
>> Under the bill the companies would be required to maintain an interface to facilitate interoperability.
This would be easily achieved with ActivityPub [0].
>> The bill would require communications platforms with more than 100 million monthly active members [...] to allow its users to easily move, or port, their data to another network...
That's the idea behind Berners-Lee's Solid [1].
I wish legislators were more in touch with open-source technology innovators. I feel the FOSS movement's philosophy and the idea of having collective technologies promoted and funded by the government go hand in hand.
Solid is not the first effort in this area, but the timing w.r.t. consumer sentiment and legislation, combined with the clout of TimBL, does make it feel like it has a serious shot at success.
(Disclosure: I work at inrupt, the main commercial player supporting Solid, founded by TimBL.)
Twitter's API is notoriously bad for 3rd party apps.[0] In order to use the standard API, you need to register for a developer account, which requires manual approval and which Twitter can deny for any reason.[1]
Facebook has a history of outright suing 3rd party apps.[2]
If I can log into Twitter, I should also be able to update my account with an HTTP request. That's it. I shouldn't need to sign an agreement, or tell them why I'm programmatically accessing my account, or dig into a settings page. I should be able to grant an OAUTH permission to anyone that gives them access to that API, and Facebook shouldn't be able to sue that person just because they got around an IP block. That should just be part of my account.
I don't know if this legislation guarantees that (the article doesn't link to the text of the bill). Most tech legislation is bad, so there's a good chance it doesn't. But the principle remains.
wanting to own all ads placed against user content
wanting to lock users in and make it harder to leave for another service and still maintain a presence (which is also a constant ad for that other service) by cross-posting
wanting to make it harder to see the stuff you're following people for without ads inserted every few posts
It s still possible to leave but nobody leaves. Surely they benefit from some extra safeguards, but i don't think either are worried that users will take their data elsewhere. Usually when a new platform emerges, it 's a new format (e.g. tiktok).
I 'm pretty sure their response was in order to avoid bad PR during the Analytica scandal period.
As I understand it for Twitter in particular, third-party apps were limiting the reach of their business-related tactics that users hated. Namely, none of those apps implemented any kind of invasive advertising, tracking, and recommendations – which made those apps much better from the UX standpoint than the official ones.
Yeah they severely limit bots and ask for phone numbers and then they 'll ban your number if you use it twice. Who's responsible for that other then the media FUD about russian bots? I really can't blame twitter (and FB) for limiting their platforms here.
Does it outline in this legislation who is responsible if twitter throws open their api's and the company that a user delegated steals the user's data by acting, essentially, as a proxy api for other companies? I would think it's obvious that from the moment you delegate access to your data, Twitter would no longer be responsible. Basically, they should only be responsible for making sure that data is given only to whoever authenticates with the appropriate keys that the user in question authorized. What happens from there should be no longer Twitter's legal problem.
That seems obvious to me, but it's definitely something you would have to check.
Well, we're not trying to "solve" the problem. We're just trying to clarify that Twitter has no legal liability for the problem. If you delegate access to your account and someone proxies it; or there are all of a sudden all these GDPR violations flooding in because you gave away access to your contacts' private information when you delegated access to your account; etc etc; that liability should fall on either the user, or the entity to which the user delegated access. It shouldn't really fall on Twitter.
That's all we're talking about here, just making sure that legal and criminal liability is matched with delegated authorization. Because the legal ramifications are what tend to ensure security and privacy.
First, I doubt many people knowingly allowed Cambridge Analytica access to their data.
Second, slandering is not the same as legal liability. If people are slandering you, sue them. But people can't sue you and say FB gave some company access to my data unless FB actually does that without the user's knowledge.
Lastly, under this new system, no one would be saying that FB is legally liable for a user explicitly granting access to a third party. Vast majority of people would lay the blame for that at the foot of the idiot user. Again, we're just trying to verify that the legislation reflects that very common sense view.
and that s why they are "monopolies" - they each dominate a format. It's like saying IRC is a monopoly - which it is, just not owned by a central entity. It's not really going to work with people having 2 facebook-like accounts - they 'll eventually gravitate to one. What will work, is if there are viable , better open source and decentralized alternatives.
No it doesn't. It doesn't have the phone numbers or email addresses for the vast majority of people, even the ones who have their email address and phone number in their profile.
Facebook's argument that this data actually belongs to the friends and not the profile that's being exported, while convenient for Facebook, has to be acknowledged as a reasonable point of view on this matter.
Their argument doesn't hold up under the slightest amount of scrutiny. You can go to your friends' pages and manually extract their email or other contact information. If it's visible to you, its because your friend made a decision to make that information visible. They designed the data export tool that way knowing that the main thing someone trying to leave Facebook wants is contact information for their friends that they may only know how to reach on Facebook.
If I put my number or email on my page, and I adjust the privacy settings to "only friends", I understand I am making that information available to my friends. They are free to copy that information by hand, or by copy-pasting, into their own address book. I have explicitly made it available to them. Facebook includes information about your friends, such as their birthdays, in your data export. Their decision to not include off-Facebook contact information is a business decision designed to make leaving Facebook harder. It has nothing to do with privacy.
Facebook lets you export "your data" which they define as data that you input into Facebook. They don't define it as data that you can see. Likewise companies usually don't let you export what their machine learning AIs have inferred about you. So they're using loopholes to make data portability less useful.
No it's not. If someone gives you their physical business card, would you expect to lose access to it if you move houses? Once they give you their contact info, you should have a copy of it forever. Otherwise it's completely useless.
No. Because that's the same argument FB could make.
No. Your data remains your data, even if you allow someone else to look at it. You should be able to allow others to look at it, or even delete it after having allowed others to look at it. Now in practice, you can't. I get that. But that doesn't mean that it's not your data.
Certainly your contact info is your data. I shouldn't be able to give a girl's contact info to some other guy without her consent. One, that's douchey. Two, it's not my data, so doing so violates her privacy.
> Your data remains your data, even if you allow someone else to look at it. You should be able to allow others to look at it, or even delete it after having allowed others to look at it.
So you would argue that it's fine that Apple was deleting people's email the other day, because it's not really their data?
But for an answer's sake, no, Apple should not be able to delete an email I wrote. But that's the entire point of what I just said. I should be the final arbiter of my data. Me putting my data on an Apple Mac does not make the data Apple's. It's still my data. I should be able to show it to other people, or delete it whenever I like.
Apple should not be able to show it to other people.
Apple should not be able to delete it whenever they like.
But again, that's what I said in the first place.
>Your data remains your data, even if you allow someone else to look at it. You should be able to allow others to look at it, or even delete it after having allowed others to look at it.
You have to somewhat assume a hostile actor here. Have you worked with fb's API before? They _technically_ have one, but frequently make breaking changes. They could easily justify this for such a legally-demanded API, as they do the same thing internally and already have that practice . What would prevent them from making it very difficult to maintain such a service?
Getting the language correct and the implementation will be extraordinarily difficult. For instance:
Let's say you are on twitter. Does twitter have to build an email interface so I can DM my friends who are on gmail?
Or maybe I'm on Facebook - do they have to let me allow people on Myspace to "friend" me?
Maybe I see an article on ZDnet, and I'm tired of using multiple accounts, so instead, I'd like to move away from Discus to Matrix for posting. Who is responsible here - ZDnet, Discus, Matrix?
Will MSFT be forced to allow me to port my entire Skype history and number to Verizon? Or to WeChat?
Will AT&T and instagram be forced to allow me to post on instagram using my AT&T account?
Interoperability of protocols is important (e.g. one email provider not blocking another). But the law of unintended consequences here is going to be huge. Security alone is going to be a nightmare.
I agree this goal is laudable, but the government never made Fords have to use GM parts (only that they use standardized gasoline). I think the idea that they have to expose an interface makes sense, and is much less problematic than full portability and interoperability.
Words are important here, and the actual word choices in the legislation are going to radically affect our future.
Read that last sentence again - this is a huge problem with any major legislation, and legislation with technology in particular.
One thing I forgot to add - how would this interoperate with the GDPR laws?
For instance, if I move my data from FB to something else, what happens to the email addresses and phone number of all the people I'm connected with? Assume this gets even worse when you have social platforms based in different countries (e.g. EU, US, Russia, China for instance).
Section 6(c) "Technical Standards" looks intriguing. Basically tasking NIST with publishing technical standards for online messaging, multimedia sharing, and social networking.
Definitely some good parts here, but I'm still worried about the laws of unintended consequences. Nobody thought that allowing software patents would be bad, but clearly that's been way more costly than anyone imagined. I worry the same is true here.
This paragraph on its own is great. Would love to see a step-by-step approach rather than doing everything at once. Less change for screwing up, and you can adjust new legislation as needed.
Being able to take your data with you is good but most of the value in social media is due to the network effect. If you can't seamlessly being your connections with you, the incumbents will continue to have a huge advantage over newcomers to the market. In the context of social media, how could someone bring their connections with them to a new platform without compromising the rights of those connected to?
interoperability and distributed federation would be much more powerful than export. Maybe they dont know facebook already has an export button? And if that export is in a non-standard-structured format, its not even useful to import into another network.
Interoperability just gives more people potential access to your data. What most activists are trying to do is move towards fewer people having access to your data, as well as you having full and legal custody of your data.
Interoperability is better for companies, particularly small ones. But the idea here is to help people prevent companies from accessing their data willy nilly. I'd think the goal would be to decrease the number of access points and to require that strict, explicit, legally binding, criminally enforceable, consent be given for every access to a user's data.
If you want to help smaller companies compete, that's a different discussion that can be had. But securing the data of users and providing a great deal more privacy than user's have right now really is a completely reasonable effort in its own right. In fact, I would think for the vast majority of users, the effort to ensure security and privacy should probably take precedence over providing more companies potential access to their data.
I mean, as I said, "encouraging competition in the marketplace" is a separate discussion. If we start allowing marketplace needs to determine or even influence who gets to access a user's data, we're already moving away from the goal of the user being the final arbiter of who gets to access his data.
Not to put too fine a point on it, but letting marketplace needs influence who gets access to a user's data is how we got to this point in the first place. It's a separate discussion, and it needs to be kept separate. Besides, whatever people come up with in that regard, the commercial entities that want access to users' data can really have no reasonable objection to obtaining strict, explicit consent to access that data. With the concomitant legally binding and criminally enforceable rules attached.
Competition in the marketplace is good, but people are a society's priority. We can't lower the barriers to access on a user's private data in the name of, "this is good for business."
> Competition in the marketplace is good, but people are a society's priority. We can't lower the barriers to access on a user's private data in the name of, "this is good for business."
That's a reasonable position to take in the two joint discussions, but that's not "keeping the discussions separate", that's defining your priority and optimizing for it at the expense of other concerns. Dismissing those concerns because they are not important enough is fine, dismissing them as if they didn't belong to the discussion is dishonest.
I contest that the discussions are separable at all. The same regulation can be very good disregarding its effect as a barrier to entry, and very bad not disregarding it.
Whether or not any particular regulation is good on net depends on pros and cons analysis that actually takes all relevant cons into account.
What that could lead to is a build-up of social network information brokering services, like how PCI compliance forced people to stop storing CC numbers on their own.
I'm okay with that. I worked on so many small e-commerce sites early in my career that just had a "CC" column in their user database, and it was all so sloppy and horrible. None of these would have been a big enough target for serious hacking, but also the security was never so good that an amateur couldn't walk off with 1,000 cards.
Now, payments are all handled by people who treat that data much more seriously. I certainly trust Stripe or Shopify over random web dev X.
If personal data starts being treated with that kind of care -- and the interoperability and exporting is also important -- I think that's only a good thing, even if it means that Google and facebook get a head start on that.
> What most activists are trying to do is move towards fewer people having access to your data
It seems to me like there are two important issues currently. There's access to data, but there's also how influence works and who controls that. Right now, social media companies decide what rises to the top of your feed.
The current situation is that if you want to be part of the Facebook community (for lack of a better word), you need to let Facebook decide how you see that data. I could see an argument that some kind of federated system might allow different lenses where you could still communicate in a social media way but different things could rise to the top.
Anyway, the point is these two concerns seem to be at odds with each other. If you don't want one party to have the power they get from being the only party in charge of processing the data, then you need multiple parties to have access to the data.
The main concern though is keeping the user as the final arbiter of his own data. He wants to delete it? Bam! It should be gone. She wants to allow someone else to see it, that other entity should be allowed to see it. But that other entity should not be allowed to delete her data. Nor should it be allowed to let anyone else see that data.
The user being in control of access to his/her own data is not a concept that should frighten any legitimate business people. But businesses being in charge of access to a user's data is absolutely a concept that should frighten users. The power of determining access has to be shifted back to the user where it belongs. If some businesses that specialize in "data brokering" are harmed because users are suddenly able to choose to disallow them access, so be it.
Again, allowing businesses to influence and determine who gets to access a user's data is literally the reason we're in this predicament in the first place. Solve that stuff separately if you want, but under no circumstances can end runs around the user's ownership of their data be allowed.
> interoperability and distributed federation would be much more powerful than export
It'd be great. But at the same time, interoperability brought us Cambridge Analytica scandal. I don't know who social networks could be interoperable without data leaks.
What created CA was 2 fold. 1) people exposed their personal data to their friends, and gave their friends access to read their data 2) friends got a prompt that said "share data available to you" with CA and people pressed that button.
The actual coherent arguments are a) people didnt know what information they were sharing b) didnt understand how that data could be aggregated c) what the share data with a vendor button did d) should be trusted to wield this kind of power e) that entities should have been able to aggregate data like that without arousing suspicion. f) who is even responsible for this error in judgement (data sharers or friends, or facebook or ca)
The data leak here was people pressing "give away my friends data." Facebook designed the system that allowed it, hosted the data collector, incentivizing the bad actors to build their collection quizs and was responsible for communication of how the permissions system worked, but the data leaking itself was the sum of millions of people being careless with what their friends data. Facebook itself didnt directly leak the data. This was an aggregate human misbehavior.
My thoughts exactly. If this becomes reality as described in the article, the only change we'll see is countless new social networks popping up, creating shadow profiles based off of the exported data, and spamming phones and/or emails with "Someone you know joined our network and imported your post 'XYZ'! Click here to join them and see their comments on your post".
I don't have the technical specifics in working memory, but would the privacy-preserving Apple geolocation system work here?
E.g. You could export edges of the graph as well, but in encrypted form. Only when the owner joins and supplies the decryption key do they become usable and valid
> most of the value in social media is due to the network effect
Global network effects require consolidation. But there are many local network effects that add value with less scale.
In the real world, these local networks emerge as friend circles, interest groups, block associations, companies and industry networks. These local networks are either subsets of or correlated with the global network. But they produce value relatively independently of it.
Starting such a social media company today is hard because surviving amidst Facebook is hard. (See Snapchat, which could be considered, at its start, a local network of a certain age group.) Portability lowers this barrier for new entrants.
Yes, but the question is how to achieve portability without infringing on others' privacy rights.
If I'm on facebook and want to export all my comments, that would require exporting all the status updates of the people who's posts I've commented on, which then also includes those contacts, too.
There's no such thing as exporting a single node in a network, you need the entire network.
> If I'm on facebook and want to export all my comments, that would require exporting all the status updates of the people who's posts I've commented on
The bill [1] is ambiguous on the definition of user data (§ 2(9)). There is latitude with this definition, from rich portability (as you describe) to bare-bones portability (simply metadata, e.g. X commented on Y's post on such and such data).
> There's no such thing as exporting a single node in a network, you need the entire network
Graphs are divisible. My export need not contain every user in Kazakhstan's data.
> A bill written by a bunch of clueless lawmakers to legislate technology
This has been Silicon Valley's party line for why we can't be regulated by governments, and should instead be left to self regulate. While I agree with that for start-ups, it's patently failed with Big Tech.
No one is saying we should bar all regulation. But we do need to be careful, and _very_ knowledgeable and intentful, when we pass legislation in this field.
You certainly can export a single node - just depends on your expectations. For example, the Indieweb has already done this in a way that I find acceptable. My blog (kickscondor.com) syndicates all the comments to every post (including deeply nested ones.) And it also captures a copy of all posts that I respond to (all the way up the chain going backwards.) This is sufficient for me. No need to export anything - it's already there in my own storage. You could also say that you'd need a snapshot of the entire Internet to provide context - but that's Just unreasonable.
I think the a Web itself already has had a 'network effect' larger than that of Facebook or any individual subnetwork.
When someone wants to comment, they post - not on my blog - but on their blog. If their blog supports Webmentions, my blog will get notified and I will 'syndicate' their comment - a copy will get placed on my blog. This way everyone in the conversation had copies of the entire conversation in case one blog goes down. (Does that clear it up at all?)
It does, and that is _one_ way in which to export a single node--assuming we're all using this Indieweb blog software. But I have heavy doubts that such software will become the norm, or that it will be the expectation of whatever data schema this bill ends up supporting.
I appreciate the theory of your approach and how it can be used, and while it does directly respond to the immediate statement I made, I don't think it realistically captures how my statement applies to the broader context, when and if this law becomes implemented.
If I want to migrate my "list" to another network, wouldn't I need to take some form of PII (and therefore consent) from each person on the list to make it valuable on the new network?
It is indeed arguable that the data item relating two people is owned by both and necessitates consent for republishing. Export though ... it's still 'mine' even if shared ... I don't know, this bit is a little sticky.
And it's worse than that - if it's a photo of both you and them, there's an immediate impasse. Does their right to take their data trump your right to keep a hold of it? Does it depend on who took the picture, or who uploaded it, or when it was taken or how embarrassing it is?
I'm not saying these aren't answerable questions, but I'm very skeptical that the answer is so obvious and non-controversial that we should legally enforce it against all social media platforms.
Here's where law gets complex. Who took the photo? They hold the copyright. Who's in the photo? They have some [limited?] publicity rights. Perhaps those in the photo would need to consent to have the photo republished, which is not, IMO, technically enforceable, but only legally enforceable when someone hires a lawyer/files suit.
My question is limited to "the list." I.e. this is the list of people to whom I connected on this network and, perhaps, the connection type (e.g. followed them, allowed to follow you, both tagged in some post, etc.)
But to add my thoughts to your question: I have a photo, I uploaded it to my account, it's my 'data' and I've simply shared it with you (or made it public) such that it is displayed to you. That doesn't make it your data, meaning you don't get it in an export dump. Perhaps you have a client that makes copies of published posts from your network, but exporting those things you consumed (which are not yours, to which you do not have a 'license') should not be the intent of this export functionality.
It's easier to bootstrap a new network if you can take your data with you. This is how Facebook/LinkedIn got much of their early viral growth. They would scrape your email (at that time the biggest network) for contacts and invite people you knew.
Just a nitpick, but FB did that without any real user consent. This would require that companies not do it at all. Rather that the user himself would have to take his data to the new company and explicitly give the new company consent to host the data. That's the way it should work. The user should always be in charge of her data.
Yes, it's not clear what bringing your data out of social media even really means. Saving your posts/photos is one thing. But it's not clear that exporting your social graph and all their posts/photos/comments/etc. is even a good thing--yet that's what exporting their social media would mean to a lot of people.
Who asked for this, exactly? I know plenty of users who would like to delete their data--I can't think of too many that want to port it over somewhere else.
Is the idea that this would fuel competition by allowing people to migrate their history over to decentralized/federated alternatives?
I have to be on mainstream social networks to interact with people I know who are. That's the fundamental problem with these networks.
"Under the bill the companies would be required to maintain an interface to facilitate interoperability. Or users would be allowed to choose another company to manage a user’s account settings, content, and online interactions, the statement said."
Think of this requirement less like a "Facebook export" and more like what AOL Instant Messenger was once forced to do: They were legally required to allow other messengers to communicate with AIM users.
Imagine me being able to be on Mastodon, but follow my Facebook friends and tag them and be tagged by them.
I understand the possible use-case. My skepticism (or cynicism, maybe) comes from the fact that the CBP under this same government has taken to forcing people to provide their social media history when entering the country. So there might be a less than altruistic reason that the government would like to ensure people's social media history lingers forever, rather than being deleted when the user tires of Facebook.
Yeah, I feel this pain. This is kinda where we are on a lot of these issues, right?
Like Net Neutrality? Ok, just make a law that all bits must be treated the same by pipe providers. Boom, you're done. But no, instead what's suggested is that the FTC start managing this stuff under Title 2. Right after that, you can bet we'll start hearing calls for a return of the Fairness Doctrine.
Want users to own their data? Great. Write a law that says that users have total control over their data, where it lives and where it goes. Furthermore they can delete or access it at any time. Also boom. It's a simple concept. But no, we're going to split the baby yet again and talk about exporting data. Next up an argument on CBP.
We seem incapable of actually fixing tech matters, instead trying to chop off some small part where we can do stuff that sounds good but has possibly severe unanticipated side-effects down the road. I don't know why that is, but I know that it makes trying to figure out which laws or policies to support quite difficult. Maybe that was the intention all along?
Note: all laws have side effects, but optimally you should set things up that the side effects are shouldered by the people involved in the activity, not the voters. You're not fixing a problem if all you're doing is setting up the next argument we're going to have. That sounds more like a recipe for endless conflict.
I understand that and it's a fair point. But the law should be on the principle of the matter, I own my data, with the compromise buried in the details. (Perhaps I own the data in the same way an artist owns a copy of their music). Instead, the principles are compromised, and in a way that's not visible to the public, with the only thing left being a bunch of policy details.
That might be a great way to get a law passed, but it doesn't do much in the long run towards fixing the underlying problem.
Yeah I would like to have a tool to purge a lot of messages from history. I don't want people in the future to sift thru my messages and wonder why I and my friends were so weird in Facebook chats.
Which is arguably, at least in part, actually in opposition to this. To the degree that data can be better exported and spread around, it's more likely to be persisted than if it's locked up in a single company's system.
> Which is arguably, at least in part, actually in opposition to this
Disagree. Today, questions about persistence and portability are made by companies. Users have virtually no say.
Giving users say in the matter may mean some make bad portability decisions. But there is nothing fundamental to user-initiated portability that interferes with user-initiated deletion. Today, I can do neither with Facebook.
Well, that's true. Because once content by or about you is out there, neither you nor anyone else really has the power to force anyone to delete it. That's not so much a company making a decision but a collective decision that you don't generally have a "right to be forgotten."
But that's not so much individual companies making an affirmative decision to always preserve data as no one providing individuals any real rights to erase what they've made public.
> once content by or about you is out there, neither you nor anyone else really has the power to force anyone to delete it
If you port your data to every social network on the planet, an act tantamount to publishing, yes, your data will be public. That isn't an argument against granting users this right.
Social media companies distributed users' data when it was in said companies' interests. Letting users make that decision themselves may mean bad decisions will be made. But that's better than companies making users' decisions for them, with zero regard for what the users themselves want.
> a collective decision that you don't generally have a "right to be forgotten"
There is no right to be forgotten in America. (There can't be without gutting the First Amendment.)
Honest question (I'm not making the connection on my own, so please help me out): how does giving me the ability to instruct a social network to delete my information (and a law to enforce that instruction) infringe on the network's first amendment rights?
> how does giving me the ability to instruct a social network to delete my information (and a law to enforce that instruction) infringe on the network's first amendment rights?
There is a difference between the right to deletion and the right to be forgotten. Right to deletion is "I gave you these data, these data are mine, please delete them." Right to be forgotten means "you have these data, they concern me, please delete them".
Say you tweet something. That tweet, under current law, is Twitter's. Let's say a right to deletion is enacted. Now, you can require Twitter to delete the tweet from its records. This is great!
Now say that while the tweet was up, a newspaper quoted it. Now, when someone searches your name, that article comes up. A right to be forgotten means you can require search engines de-list that article from your search results.
Rights to deletion don't necessarily interfere with the First Amendment because they concern your first-party data. Rights to be forgotten, by dealing with third-party data, often public, published data, are more problematic.
Apologies for the conflation of 'deletion instruction' and 'right to be forgotten' - thanks for pointing that out.
I'm under the impression, in the USA, that I wrote the tweet, therefore I'm the copyright holder, and I've only licensed it to Twitter. Further, I'm under the impression that the smart publisher is going to reach out to me to republish my tweet (under license.) If I'm mistaken, please correct me.
Given that I created the content and I hold the copyright, I can revoke the license I gave to Twitter. However, Twitter's TOS probably requires a 'non-revocable license' and a law requiring services to offer deletion would presumably remove the ability of these companies to insist on a non-revocable license.
Personally, I'd be on the side of 'allow deletion' rather than 'right to be forgotten' but I also feel like cementing the concepts of content ownership ("no, $service, you don't own user-generated content") and licensing ("no $service, you cannot insist on a non-revocable license") would go a long want to enabling either deletion, or rights to be forgotten.
> The first amendment does not talk about copyright or distinguish first with third-party data
The Constitution talks about copyright and a series of court cases have circumscribed commercial speech within the First Amendment's projections, e.g. you can't commit fraud and call it free speech.
I don't think so - I can export my data, then delete it from your network. Now I'm in control of its spread. Subsequently, I can import that data $elsewhere, add to it, export again, and delete it from $elsewhere.
But that kind of makes no sense. It'll be completely out of context and it's not going to provide much value. Wet can't you just link to your Twitter on mastodon?
Somebody might decide that his Twitter account offends somebody important and make it disappear. Or his Twitter might get compromised. Or Twitter might go out of business. Or maybe no reason at all.
I’d like having an archive of my tweets that I control. I know they have a tool, but as far as I know, there’s no way to upload that to Mastodon. I could be wrong about that.
A couple cases I can see - photos and email. Export my email from gmail, import it to protonmail, delete gmail account. OK. How about incoming email though? That's not content I created or own the copyright to. What about emails I sent to people that are copy pastes of news article material or attached photos determined to be copyrighted by someone else. Perhaps these should be filtered out so it's only the user's personally created content that is downloaded. Now photos from one service to another have that same check that should be done. But the matter of comments on the photo. Some comments are responses from the photo owner. Others are comments by random people. Those comments should not be exported since they don't have the rights to transfer them. So I upload this to some other photo site and have a bunch of one sided conversations. Fair enough though I can see how that works.
Then I want to export all my conversations from Hacker News and import them to Reddit. Hacker News will give me a zipped set of xml files or perhaps a SQLite database. Then I create some custom subreddit and upload these comments there. But they'll all be one-sided conversations of course since the people I'm replying to or who reply to me can't be part of the data dump. So I've done this, but why is it necessary this be supported at all? How about reverse? I tell Hacker News, hey the law says you have to let me import my comments from reddit here. So I do that. And what is that supposed to accomplish. Not sure. Maybe people will then say hey I want to upload my photos from Instagram to the Steam Store's comments section. Or upload all my email there.
Also of interest is that every site will have to support every conceivable possible export format generated by every other site. Complex job for those of us who have struggled with similar data migration problems with a finite set of formats and possible errors in the data. And what about the data that has errors? Will the exporting company by liable for costs by the importing company due to errors in the exporting company's export job?
Also the article suggests the bill is a bit more extreme than this. The user will not actually download the data and reupload it somewhere, instead they will go to Facebook and pick "Hacker News" from a drop down menu and then Facebook will be required to send all the user's data to Hacker News automatically and Hacker News will be required to accept it and do something with it, presumably provide similar functionality that the user is accustomed to. Perhaps Hacker News will then be legally required to implement a clone of Facebook, gmail, Instagram, and every other social media site simply to be able to handle these import requests. And every other site likewise will be required to do the same.
What about illegal content and content that violates the importing services TOS? Will they be forced to accept the data and yet responsible still for hosting it even if they don't want it? Someone wants to export their homemade videos from their YouPorn account to YouTube or maybe to the comment section of the New York Times which should now support and host video. Can they refuse to interoperate under this bill mandating interoperating?
Everything should be interoperable and all formats exportable from every site and importable to every other site, automatically. Is this a sensible goal.
I have a suspicion that the senators supporting this bill really just want to be able to export their email from gmail and yahoo for free and import it to some other email service so they want to pass a law. And then they were brainstorming and someone said hey let's make this law apply to all forms of data, not just email. And they all thought that a great idea. Then the masses hear about this and think "Wow this is great, I'd love to get all my data from every site and upload it to every other site." without actually realizing that a law mandating companies support that is probably not a good idea.
> The bill would require communications platforms with more than 100 million monthly active members - Facebook has more than two billion - to allow its users to easily move, or port, their data to another network, Warner’s office said in a statement.
I assume that this proposal is based on good intentions. But how they want to overcome the technical hurdles is a mystery to me.
Who decides, how facebook should structure their exported data? Will there be a standard? Social media platforms like facebook, twitter, reddit or youtube are so fundamentally different that I doubt it is possible to create a common standard.
And who decides which services need to have a compatible data format?
The idea of downloading my twitter feed and post it on mastodon and vice versa is, I guess, a pipe dream. Or will I be able to download my Imgur posts and import them in Reddit? Can I export all my Youtube videos and import them on Vimeo? Yeah, go figure...
I think a better alternative would be a requirement for such companies to open up their API. I want full access to my twitter feed for free. This would allow third parties to create a single interface to many different networks, like twitter and mastodon.
> Who decides, how facebook should structure their exported data?
You might find clarity in the bill [1].
It avoids, as good laws do, defining how companies must comply, instead setting principles for clarification by the FTC and courts. ("A structured, commonly used, and machine-readable format" is the bill's language (§ 3(a)).)
> who decides which services need to have a compatible data format
Congress. "A product or service provided by a communications provider that...generates income, directly or indirectly, from the collection, processing, sale, or sharing of user data; and...has more than 100,000,000 monthly active users in the United States" is the bill's threshold (§ 2(7)).
One of the reasons that open banking works well is that every bank has essentially the same offerings and therefore the same type of data. It's perhaps possible that social networks may be marginally less uniform.
> Who decides, how facebook should structure their exported data?
Facebook. As long as it's well documented the format isn't that important. The requirement should just be that if you take the exported data and reimport it, you get back to the original state (or at least reasonably close).
Exporting data is alot simpler than importing data. I therefore doubt that all platform providers will sit together and debate, how to structure your content. In some way this could even be impossible. Let's say platform A uses id's for references, platform B uses hashes. platform C uses GUIDs. This doesn't stop here. Think about image codecs or internal links. This makes writing importers a huge pain.
Only large companies will be able to maintain different kinds of data, which will push new user to them, because they provide most integrations.
Yet, there is a lot of incentives to allow importing into your social net.
Right now, if only facebook was authorizing scrapping instead of actively fighting it, even in the absence of a clear documented API, people would be writing bridges to import your contacts just by making http requests.
The law will probably use words like "reasonable" and "common". While legal language is supposed to be as precise as possible, it is fine to be as vague as necessary, too.
In practice, I'd expect exporters to export in a format that doesn't cause them huge contortions, and importers to write the converters. Any lawsuits about unreasonably obfuscated formats would be quite messy, but maybe it's time for the legal system to handle questions of software adequately anyway.
And it should be no less vague than necessary. A decade or so ago, XML was all the rage, can you imagine if a bunch of laws had been stamped in stone mandating XML everywhere? Yuck!
G Suite, or what was originally "Google Apps for Your Domain" is a white-labeled Gmail.
Commercial social media companies can theoretically make some serious money by whitelabeling their services and selling those to whoever has an audience. Stop thinking about things in terms of followers - it's the publishers that need to be captured for revenue.
What I'd really like to see from U.S. Senators is legislation to require all *.GOV agencies spin up their own ActivityPub-compliant implementations and publish through that means, rather than via accounts on commercial social media services.
Eventually, media and other institutions will follow.
if anyone is interested in learning more, just look up Mastodon Project, the Fediverse, and ActivityPub in Wikipedia.
edit: By "whitelabeling" I mean "Twitter/Facebook/Instagram/Youtube for Your Domain", federated and ActivityPub-compliant. Enterprises will eat this shit up.
I've thought of this very same thought myself ever since I've had a presence on the fediverse (waaaaay back in the gnu social, statusnet, etc. days). Even if brands only gain the benefit of better control of their brand presence (on platforms that they control) instead of being beholden to the likes of Facebook, etc....I do agree that there's a business to be had for offering commercial social media hosting.
+1 for solid. Solid has these concerns baked into the design. It's the best solution I've seen for user-owned data and interoperability, not to mention the wealth of possibilities enabled by linked data. To try to legislate those concerns into the current centralized web is going to cause a lot of grief.
At this point, if Facebook wasn’t public and I was Zuckerberg, I’d wind down the company and update the home page to simply read, “I’m leaving it as I found it. Take over. It’s yours.”
I always used the analogy of a message board that I put in my yard. If people start dictating that I need to display the nazi graffiti someone spray painted on it, I'm just going to remove the damn board.
Please note that this article makes a crucial omission: this bill only applies to communication platforms
With more than 100M users in the United States.
To my knowledge, only Facebook and Facebook messenger meet that threshold (please list others for which there is data supporting that they'd also be affected). So as it is, this bill would make Facebook offer APIs to it's services, but other services with less users in the United States won't have to.
Here's the relevant section of the bill:
(7) LARGE COMMUNICATIONS PLATFORM.—The term ‘‘large communications platform’’ means a product or service provided by a communications provider that —
(A) generates income, directly or indirectly, from the collection, processing, sale, or sharing of user data; and
(B) has more than 100,000,000 monthly active users in the United States.
I absolutely like the idea but hope that they push true interoperability more than just the "bundle all your data into a single big zip file" feature.
The problem with the latter is it doesn't really do a lot for the vast majority of users wishing to use a competitor. Sure, they can take their data there but who is going to be able to see it easily?
I wish it all worked like email. I can use any email provider I want, and people can send me mail, regardless of which provider they use. It isn't perfect (for instance gmail does some stuff with images and links to youtube videos and links to maps and so on that others don't, so I find myself using the product a bit differently if I know the recipient is using gmail), but still it is better than facebook etc where if you share via a product, the people seeing what you share have to use that product too. So basically what that means is competing (or complementary) products should be able to post your stuff to facebook as if you had posted it yourself.
Or something. I don't know the exact solution, but I certainly support legislation forcing such companies to open up their platforms. Network monopolies are not good for consumers and not good for innovative competitors.
Hmm.. so I agree that it would be awesome to easily port my data from company A to company B. I mean, that would be really great! But I kind of don't think that's an appropriate role for the government. Feel free to disagree, I'm all ears on other opinions, I just don't feel the government should have that type of authority to regulate a company like that.... but maybe that's just me.
Something like this would be the right way to do social media and networks, and it would never be allowed to work.
Ideally, I would own my data and I could just bid the social media providers I want to host my data. I could pick one, or several, and I could pick free providers with ads or pay for a premium provider with no ads and other benefits. I could also host the data myself, and messages, posts, friend requests, and updates would travel from service to service via standard protocols. Each user would have a cryptographical identity that would be unalterable across different services; of course you could create many of them, such as one for your work-self, one for your personal self, and one for your hobby/forum discussion/spare time self.
This would reduce social media companies into mere infrastructure carriers. Even telcos talked themselves out of it, I can't imagine social media companies to want anything except own us.
Facebook is getting pulled in two directions. First, for competitive reasons people want a Facebook platform that can actually do useful things like export data.
The problem is that the other direction is for Facebook to keep your data private. The Cambridge Analytica scandal was basically blaming Facebook for giving users the ability to export their data to applications that subsequently sold it to Cambridge Analytica.
Senators are not writing code, so they are not required to be logically consistent. I predict a future in which Facebook gets fined no matter what they do.
I'm 100% for this idea but is a government law really the best way to go about this? There are already social media alternatives that are decentralized and give users control and nobody uses it.
There's an increasing amount of bureaucracy in the tech space that it is going to make it very hard to innovate. Laws typically deeper entrench bigger companies because they have the resources to have full legal teams and departments dedicated to compliance. Startups do not.
This law is for companies with more than 100 millions users. This bureaucracy will not be a problem for innovators and startups because it takes a lot of time to reach this threshold, they are not concerned by this while at the startup stage.
It hijacks input/comment areas & saves your tweet/post to your own personal local archive in the browser, and then encrypts the message so Facebook/Google can't spy on it.
How would/should permissions work in this if my friend moves to a new service? Do I also have to accept a TOS in order for them to continue to see my stuff?
The email analogy fails for me because it is clear that once I send an email, that data now belongs to everyone I sent my email to. Is the same true for a tweet or photo I post?
Better Idea: Create a fund for startups that are building new social media platforms specifically to compete against Fb/Twitter/Reddit/Etc. Create pathways for them to compete and enter the public domain. Give them free national advertising slots. Only companies with less than 100M users can apply.
Maybe they can handle this like the phone number portability rules. All internet users will be charged a $5 or so monthly "social media portability tax" which will then be distributed to these 100 million+ user companies to help pay for the cost of maintaining the portability systems.
What's missing here is the ability to ERASE all of your data from any service at your desired level of granularity.
In other words, I ought to be able to tell Facebook to only keep a one month history on me and truly delete everything else, including from backups. If
I want a 100% erase of everything, I should be able to get that too. It should be a simple single button operation with suitable confirmation.
Perhaps I want all my pictures erased. It should be easy.
How about all of my facial recognition data for myself and my children? That too.
In other words, these services should not be allowed to store data on you that you don't want them to have. We should not toss out privacy just to protect someone's business model.
I had an interesting experience with Turo.com. It's a P2P car rental service. I decided I wanted to try it. To sign-up I had to give up what I would call deep personal info: Name, address, date of birth, credit card, driver's license and maybe a few more things (don't remember). I ended-up not using it even once. It just didn't fit my needs.
I contacted the company with a request to cancel my account and delete all of my personal information from their database. They refused. Well, they wanted to have the account go dormant at first. I pressed and they agreed to cancel the account. No data deletion though. I said: What possibly justification do you have to keep such sensitive information in your database and backups when I am not a customer and don't want to use your service? Well, long story short, they agreed to delete the data. My guess is they lied to me. Without a court order I have no way to verify that my data isn't sitting in multiple backups ready to be hacked or used by another company if they sell the company or go bankrupt and the database is sold as an asset.
The consequences of having your data stored in databases forever could come years, decades later, when an event lands your data in the hands of someone with nefarious intent or someone who might accidentally and without intention cause you and others harm.
This is just one example.
We really need a law that says our data is ours and we get to decide who can keep it, what they can keep, for how long and under what conditions. This isn't hard and it is common sense. Put a different way: Just because a 15 year old in a garage decides to launch an internet business it doesn't mean that 15 year old is entitled to own our data and do with it as he or she pleases.
After watching Mark Zuckerberg testifying on Capitol hill I think it's obvious Facebook and Alphabet are leading the show... A very interesting case is Alexander Nix speech against UK comittee, recommend.
Haha, remember more than a decade ago when we all thought that interoperability was more profitable, and that everything would just naturally tend toward open standards? Wow. We were all just stupid?
won't big players like FB benefit from this? It seems more likely that people would port data from smaller networks to bigger ones than the other way around.
You do own it. You can copy paste your posts around as much as you want. Does Twitter have to put in work to make it easier for you for no benefit of their own though?
For God's sake can the US government stop meddling in this kind of garbage. The republic is collapsing around us and we're supposed to be conserned about being able to port our facebook posts over to twitter. WHO CARES
I understand where you are coming from but because one part of the government is failing doesnt mean the rest of it should shut down and focus solely on it. How would any long term change be enacted if every elect shifted focus every time something new and seemingly more important came up?
I believe we are helping to build part of that future in my current startup. People should own their own data and have a right to use it for their own benefit.
The issue for me and many other folks is not taking the data - but its the ability to remove specific users data COMPLETELY and FOREVER from all of the companies servers!
So far this capability and access are reserved to special branches within the government (3/4 letter agencies etc).
Every human should be able to wipe off their own digital footprint forever!
Facebook already has a data export feature. You have to manually navigate to that page and download a giant zip file. Cool.
The much more important concept being proposed here is delegation:
> Under the bill the companies would be required to maintain an interface to facilitate interoperability. Or users would be allowed to choose another company to manage a user’s account settings, content, and online interactions, the statement said.
Very few people are going to manually export their data from Facebook. But they might go to a new network that supports cross-posting to Facebook, or an automatic import that doesn't require them to navigate Facebook's menus.
Delegation is a severely underappreciated digital right. Beyond advocating for data-exports, we should advocate that users have the right to delegate data-access through APIs to third-parties. If I can manually update/download my Facebook status, I should also be allowed to programmatically update it. And I should be able to authorize another person to update/download it on my behalf.