Last weekend, news broke that Facebook had been informally lobbying lawmakers to let them know the company didn’t oppose the Cybersecurity Information Sharing Act (CISA). The Senate passed the controversial bill on Tuesday with somewhat surprising ease given vocal opposition from cybersecurity and privacy experts who argue the bill enables greater government surveillance without doing much of anything to actually increase cybersecurity. On its own, there’s nothing particularly shocking or newsworthy about Facebook’s friendly conversations with senators in DC. CISA provides broad liability protections for companies that share information about breaches with the government, and it should surprise no one that businesses support laws that make it harder to sue them.
But privacy advocates were shocked and dismayed by the revelation of the social media giant’s involvement for one simple reason: Facebook and a couple of dozen other tech companies, through a trade association known as Computer and Communications Industry Association (CCIA), publicly said on October 15 that they were “unable to support CISA as it is currently written.”
As I’ve reflected on this doublespeak over the last week, a couple of things stand out. First is just how good Silicon Valley has become at the DC game in the past few years. Companies, by their nature, act in their self-interest to maximize shareholder value (however you define that term). Even when they’re seemingly acting in the public interest, they’re acting in self-interest. So it makes sense that a trade organization would say one thing publicly, while member companies would — if it seemed like good strategy — advocate for the opposite behind closed doors in Washington.
What strikes me about this incident is just how complicated the strategic calculations can be. As the CCIA said, its members supported the goal of creating a more robust system of information sharing between the government and private sector, but could not support a bill where the system came “at the expense of users’ privacy” or enabled “activities that might actively destabilize the infrastructure the bill aims to protect.” Invoking and protecting consumers’ interests is undoubtedly good for business. But maybe not in quite the same immediate and quantifiable way as broad civil, criminal, and regulatory liability protection for sharing information with the government. Corporate doublespeak can be costly, but it isn’t really surprising.
The second thing that stood out is how this incident is a perfect example of why, as lawyers and advocates, we often make such a big deal about who is in a position to challenge particular types of government action. Admittedly, it often sounds like splitting hairs, but the “who” matters because in the privacy and technology space, consumers often have to rely on tech companies to advocate on their behalf. Companies generally have far superior resources both for lobbying and court battles, and they are often on the receiving end of the government’s requests for information about individuals. They often simply know more than we do about what the government wants, how it’s trying to get it, and why. Secrecy in everything from the Foreign Intelligence Surveillance Court to routine criminal warrants forces consumers to rely on the likes of Yahoo!, unnamed companies, and, yes, Facebook to advocate on our behalf when there are concerns about government action.
But the balance there is precarious. It should go without saying that companies’ interests don’t always align with consumers’, and even when they do, the match isn’t always perfect. Sure, customers need to trust businesses to act for them, but that isn’t always an easy thing to do. In a statement opposing CISA, Apple said, “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.” Opposing a bill to garner the trust of consumers is not quite the same thing as holding yourself out a zealous defender of customers’ interests. The pledge to advocate for privacy ends once trust in Apple as a relatively consumer-protective company is sufficiently secured. Past that point, individuals and privacy groups are on their own. Companies aren’t quite the privacy defenders we’ve been looking for.
Not to mention, it’s often hard to know when an external force (like a court) is going to pry the common interests of businesses and consumers apart, as a five-judge panel in New York did in July when Facebook tried to fight 381 search warrants that had been served on the company. Facebook moved to quash the warrants — which granted the District Attorney full access to the individuals’ accounts, including “archived [and] stored information maintained by Facebook” — on the grounds that the warrants violated the users’ Fourth Amendment rights. The court, however, said that Facebook lacked standing to challenge the warrants, notwithstanding the fact that Facebook was also under court order not to tell the targets (only 62 of whom were eventually charged with a crime). If Facebook is barred from acting on behalf of its customers and those customers never find out that their information is searched, who’s left? There are and will be times where, try as they might, companies are barred from stepping in to protect the rights of their customers. So who can challenge government action like the digital searches that happened in New York?
We shouldn’t be surprised when companies act in their own self-interest. And it’s not always a terrible thing when they do. There are sometimes good reasons that we rely on companies to fight battles for us. And the good news is that companies will continue to do so if for no other reason than it’s often good for business. We just need to be aware that companies aren’t fighting in our best interests, they are fighting to protect theirs. So we should be mindful that the “who” involved in challenges often matters quite a lot. As Facebook has demonstrated, we cannot allow companies to be the only ones standing up for the rights of their users.