Facebook’s Oversight Board is sparking discussion about global governance institutions for online content. Privacy, competition policy and cybersecurity are all implicated in the battle over enclosing platforms’ data. And an insurance company is demonstrating how cybersecurity information sharing really happens.

Facebook Oversight Board sparks governance debate

The Oversight Board, set up as a private, independent appeals body for reviewing Facebook content moderation determinations, issued its first decisions. The Board’s decisions, which covered some of the most common and contentious issues Facebook encounters like hate speech, adult nudity, dangerous organisations and health related misinformation, overturned the company’s decision to remove posts in five out of the first six cases it considered. Across all its decisions the Board has consistently highlighted the lack of clarity around the scope and criteria of Facebook’s internal policies and demanded greater transparency around their enforcement.

Far more interesting than the details of the individual cases was the debate over the FBOB itself. Here is more private sector based governance – we’re getting Johnson’s and Post’s “emergent law” again. Like ICANN, the FBOB responds to a need for governance of a transnational interaction space through private ordering, because nation-states simply cannot do the job. Nation-states regulate content by enforcing laws, and that process does not scale, both in rapidity and volume, to the demands of content moderation on global platforms. Governance solutions, whether the FBOB or the Christchurch Call and GIFCT, inevitably rely heavily on platform self-governance with some weakly institutionalized interfaces with civil society and governmental advisory committees.

If FBOB is an institutional innovation, it is far less impressive than ICANN was. Zuckerberg has spun out a rather independent oversight function but its members were selected by the Corporation and have no connections or any legitimacy with the world’s users. There was a hard and sometimes brutal pushback against Kate Klonick’s New Yorker article, which called the FBOB a “Supreme Court.” The Supreme Court metaphor raises hackles by vastly elevating the significance of the event. The FBOB (if only we could call it FOBO) is not grounded in public law, is not all that binding, and only governs the decisions of a single business. See David Morar’s post about this from a year and a half ago.

But we also learned that some FBOB members do have grander ambitions for it. In a conversation with the Carnegie Endowment, the co-chair of the Board, Helle Thorning-Schmidt, has said that if the project proves to be a success, “other platforms and other tech companies are more than welcome to join and be part of the oversight that we will be able to provide.” They want to be the world’s content mod appeals court. Law scholar Annemarie Bridy replied, “one ring to rule them all? No thanks.” Coming to the defense of a modified, limited One Ring, UCI Professor David Kaye tweeted that our goal should be “cross-industry, globally accessible, multi-stakeholder oversight of content moderation, carried out beyond the dictates of government but supported by regulatory requirements of company transparency & disclosure.” Try turning those requirements into a workable institutional design; that will keep the community busy for a few decades! A long tweet thread from our editor explored the ICANN comparison further.

Data enclosure and the battle of the platforms

A trend with important implications for privacy, data security and platform competition has been taking shape in the last two months. Google is pushing forward with its plan to remove a widely used tracking technology from its Chrome web browser, which has a 60% share of browser users. Simultaneously, Apple, whose iPhones account for 45% of the market in the US and 20% worldwide, is going to require apps to get opt-in permission from users to collect a widely used advertising identifier.

Both moves are seen as advancing privacy and data security, but advertisers and some app developers are claiming that these moves are anticompetitive because they would deprive them of access to data they think they need to survive. Indeed, the Wall Street Journal and other observers of this phenomenon have claimed that it shows that “protecting user privacy and promoting online competition can sometimes be at odds…”

Among the complainers about competition, ironically, is Facebook, one of the largest and most dominant platforms which thrives on user data and advertising. In late December, Facebook launched a PR assault against Apple, proclaiming that the upcoming changes to the iOS mobile operating system will hurt FB’s and small businesses’ ability to target advertising, which in turn will threaten free content. FB is arguing that “Apple is trying to shift the internet’s business model from being ad-supported to paid for.”

In our view, what’s happening is more like the beginning of competition over data than the suppression of it. Previously, cookie and adtech technology, and many legacy internet protocols such as DNS, created a data commons which gave anyone and everyone access to the data generated by user actions on the internet. What’s happening now is the enclosure of that data, based on the realization of how valuable it is as well as how insecure and invasive uncontrolled access to that data can be. Platforms such as Google and Apple are simultaneously making privacy and data protection a competitive differentiator while excluding their competitors from their own customers’ data. In a paper to be delivered at this year’s TPRC conference, Brenden Kuerbis analyzes how DNS over HTTPS is one part of this growing data enclosure movement. DoH is seen as an example of platforms protecting and excluding others from their users’ data.

Cyber-insurance and information sharing

In previous posts we’ve suggested that attempts to use the SolarWinds hack to justify mandatory threat information sharing between the private sector and government are misguided. Fortunately, real-world responses to SolarWinds appear to be following a more productive path. Private sector investigations into the incident have highlighted the use of adversarial techniques not previously seen in the wild. Security researchers have been identifying these techniques and categorizing them in familiar incident frameworks. This process largely relies on publicly available reporting, usually from Western-allied threat intelligence organizations. But this time there appears to be a new actor participating.

Zurich Insurance Group, one of many players in the burgeoning cyber insurance market, appears to be contributing data to researchers cataloging the techniques used. Zurich’s participation makes sense. Cybersecurity information sharing depends on getting incentives right. Information will be shared when it mutually benefits the parties and withheld when sharing exacerbates risks. Victims of SolarWinds may or may not be inclined to share data about an attack on their network, because it could just make them more vulnerable. For example, technologies used in Microsoft’s cloud-based services seem to be a vector in some of the subsequent network compromises. Microsoft has been transparent, publishing numerous reports to inform customers. But hundreds, if not thousands, of other victim organizations have understandably not shared anything publicly. Zurich, in contrast, has significant insight into victims’ networks if they are customers. It has strong incentives to pool unreported or underreported adversarial behavior data from its customers’ networks which were victimized, as well as a strong incentive not to increase their risk. The data can be mapped to techniques and used to focus efforts on developing mitigations that can protect its customers and help lower the probability of future claims. This can be done while keeping the victims’ identity and other operational details confidential. Cybersecurity should benefit from this kind of information sharing. A mandatory requirement, on the other hand, is only likely to follow a prescribed checklist and offer little insight.
