As 2018 winds down, we are exhausted by the moral and political chaos represented by the current administration. Yes, more people voted than ever before in the mid-term elections, but we also witnessed blatant examples of voter suppression. Yes, the president faces opposition, course correction and perhaps even impeachment proceedings from the House of Representatives, but the Senate leader has blocked a bipartisan bill on criminal reform from coming to the floor. Meanwhile Senator Lindsey Graham’s bill, the Special Counsel Independence Protection Act, co-sponsored by other members of the Senate Judiciary Committee, and mirrored as an identical act on the House side, is also sidelined. We wait for further actions by the Special Counsel and additional indictments at this time.
Congress’ split attention span has mean that, other than hearings from time to time, our problematic large technology companies continue to do business without much interruption or correction. The European Union’s implementation of the Global Data Protection Regulation (GDPR) last May has meant that corporate entities who do business in Europe must have adapted their practices of data mining to GDPR, which interprets privacy as a fundamental right of the citizen/user/consumer. The first outcome in this country of the new rule is the estimated $1.6 billion fine likely to levied on Facebook for a data breach that hit 50 million users, only 10% of whom reside in the European Union. You could say that the European Union is doing more to regulate large American technology companies than our own regulators.
There is no doubt that the executive suite at Facebook is gearing up for even more Congressional hearings, and for recommendations that the company be more firmly regulated. Right now, Facebook files its 10K reports with the Securities & Exchange Commission (SEC); and is regulated by the Federal Trade Commission, which needs to be modernized, but which is nonetheless about to find the company in violation of the 2011 privacy consent order, which carried no fines at the time. At the same time, the company’s two most prominent faces – CEO Mark Zuckerberg and COO Sheryl Sandberg – turn out to have been engaging in their own versions of opposition research and character smearing of public figures like Tim Cook and George Soros.
Rather than spend more time on this issue here, I’d like to turn to the larger question of how Facebook, Amazon and Google are each driving aspects of their business in new directions that raise questions about their rationale for doing so, as well as questions about whether or not such new directions are appropriate, given their lack of robust regulation.
Let’s take Facebook: About a year ago, Facebook rolled out an artificial intelligence (AI) tool they described as “software to save lives.” Since then, Facebook has been scanning all posts for “patterns of suicidal thoughts, and when necessary send mental health resources to the user at risk or their friends, or contact local first responders. (https://techcrunch.com, 11/27/2017). AI sends such posts to “human moderators,” who then can act. Constine points out in his article that there is no way to opt out of such a service. He also indicates that there really is nothing to stop Facebook from using AI for other purposes, including censorship or law enforcement. Thus the question: “Just because we can, does that mean we should?”
Or let’s take Amazon: Earlier this month, it announced Amazon Comprehend Medical, a “natural language processing service that uses machine learning to extract relevant medical records of patients from unstructured text” to build applications for clinical decision support and clinical trial management. Is Amazon Comprehend Medical HIPAA-compliant? No, it is “HIPAA eligible.” What does that mean? Will it always meet the requirements for de-indentification of protected information under HIPAA? It identifies protected health information while “keeping up to the standards for General Data Protection Regulation (GDPR).” (All quotations from “Amazon confirms plan to sell a HIPAA-eligible software,” https://hub.packtpub.com, 12/9/2018.) Evidently, Amazon has been trialing the service with patient records from Fred Hutchinson Cancer Research Center. Since this is an institution that drives many research trials, one would guess that patients have signed away their rights to their own data some time ago. Given other buys that Amazon has made, like PillPack earlier this year, one senses a whole new market opening up for Amazon, leading again to the question: “Just because we can, does that mean we should?”
Finally, Google: Its Dragonfly project has drawn attention primarily in the high tech press, though the employee objections were captured by major media. Since early in 2017, Google (formerly known by its mantra of “Do No Evil”) has been working secretly on a new search engine for China that would use a Chinese partner data center to house the servers and related infrastructure. The project is led by the head of Google’s China team, who has ignored concerns related to security and privacy. Is this a platform that would deploy with permission from the Chinese government to catch and punish its citizens? Once the project was exposed and written about, 14 leading human rights groups have condemned Google for building what is essentially a censored search engine which could result in Google “directly contributing to, or [becoming] complicit in, human rights violations.” Again the question: “Just because we can, does that mean that we should?”
Each of these three cases is different, but all stem from a company’s desire to drive new markets and extract large profits in doing so. That is, after all, what Wall Street asks of them. In the case of Facebook and Amazon, we are asked to believe that the company is doing good while it makes money. The case of Google is less clear, but here we compare the new secret project to Google’s principled withdrawal from China in 2010 after being hacked by the Chinese government to target human rights activists. What has changed for Google – or for Facebook or for Amazon – that reputation is now irrelevant when they have such powerful tools to unleash, largely without any form of regulation?
“Reprinted with permission from ASA News & Notes, December 10, 2018 issue.”
Annie Searle
Searle is an Associate Teaching Professor Emeritus at the University of Washington. She is founder and principal of ASA Risk Consultants, a Seattle-based advisory firm. She spent 10 years at Washington Mutual Bank, most of them as a senior executive. Annie is a member of the CISA 10 Regional Infrastructure Security Group. She was an inaugural inductee in 2011 into the Hall of Fame for the International Network of Women in Homeland Security and Emergency Management. She writes a column monthly for ASA News & Notes and is the author of several books or book chapters. She is also a member of the emeritus board of directors for the Seattle Public Library Foundation.