Testimony of Ashkan Soltani1
Independent Privacy Researcher and Consultant
United States Senate Committee on Commerce, Science, and Transportation
Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security
Hearing on:
Cambridge Analytica and Other Facebook Partners: Examining Data Privacy Risks
Tuesday, June 19, 2018
Chairman Moran, Ranking Member Blumenthal, and distinguished members of the
Subcommittee: Thank you for the opportunity to testify about the ongoing risks posed to
consumer digital privacy and how to approach consumer data privacy going forward.
My name is Ashkan Soltani. I’m a technologist specializing in privacy, security, and behavioral
economics with over 25 years of experience. I previously served as one of the first technologists
at the Federal Trade Commission (FTC), and later as Chief Technologist under Chairwoman
Ramirez. I also served a brief stint as a senior advisor to the Chief Technology Officer in the
White House Office of Science and Technology Policy under President Obama.
For over a decade, I have researched and written on digital privacy and consumer expectations
online. My work originated in my graduate research,
​
​Knowprivacy,2 in which my team and I
explained that although companies posted lengthy privacy policies online, consumers often had
little real understanding of what those policies did, and how their data would be used once
collected. More disturbingly, our research concluded that companies, including Facebook rarely
followed their own stated policies.3
I had the honor of addressing this very committee in 2011 to describe “The State of Online
Consumer Privacy.”4 During that hearing, I described the pervasiveness of online tracking, how
“notice and choice” is ineffective, and the need for technical and regulatory interventions. Today,
some seven years later, nearly all of what I said then still applies, if anything with much greater
scale and urgency. While companies have grown in technical capability and ability to influence
consumers’ behaviors, the government has remained static, and has not brought its
considerable resources to bear on this issue.
1

My oral and written testimony today to the Committee represent my own personal views, and do not
reflect the views of any of the organizations I have worked for in the past.
2
​KNOWPRIVACY​, http://knowprivacy.org (last visited June 18, 2018).
3
​ ​KNOWPRIVACY​, ​Site Profiles: Facebook, http://knowprivacy.org/profiles/facebook (last visited June 18,
2018).
4
Testimony of Ashkan Soltani, United States Senate Committee on Commerce, Science, and
Transportation, Hearing on The State of Online Consumer Privacy (Mar. 16, 2011), https://www.commerc
e.senate.gov/public/_cache/files/f4645a61-b16e-4fa7-a18c-f0361268f356/F94C2CFDD06D91AE3A9E04
4F9D888E6E.soltani-testimony.pdf.

1

 Today, online giants collect private information from laptops, tablets, smartphones, televisions,
and whatever other gadgets they happen to devise and connect to the Internet. They measure
not only what we do online, but connect it to what we see and buy in the real world.5 And still,
consumers have little actual understanding of what they provide and how it’s used, nor has any
meaningful regulation been introduce to balance this erosion of personal privacy.
Members of the Subcommittee: I cannot stress enough that Cambridge Analytica’s theft of
person information is not a new problem. It is neither novel nor limited to one bad actor—albeit a
strikingly egregious example. This problem is endemic to the online ecosystem and creates real
harm to every American who uses the Internet, including the honorable members of this
Subcommittee and their colleagues.
Today, I will highlight for the committee three main points regarding digital privacy online
generally and Facebook’s practices specifically.
First,​ ​I will explain that “notice and choice,” the current federal framework for online privacy, is
grossly inadequate to protect consumers. Next, I will provide examples of some of the
particularly harmful practices of Facebook, including their leading role in the behavioral
advertising “race to the bottom;” their policy of “two steps forward, one step backward;”and how
they do, in fact, effectively “sell” user data. Lastly, I will describe how behavioral advertising and
the practices enabling it are at least as intrusive as activities already barred under federal law
and I will suggest some steps for legislating in the federal space.
The Current Notice and Choice Framework Is Inadequate to Protect Consumers
The current privacy framework is one of notice and choice—a company must provide its users
with information on its practices, and a user consents to those practices when using the
company’s site or service. The FTC’s privacy enforcement authority is based entirely on this
framework. However, in practice, this does nothing to protect users: it is well known that users
neither read nor understand most company’s privacy practices. Mr. Zuckerberg himself,
testifying earlier this year in front of the joint Commerce and Judiciary Committees, admitted that
he did not expect users to read lengthy, verbose privacy policies.6 A recent panel of witnesses
recently before the House Energy & Commerce Subcommittee on Digital Commerce and
Consumer Protection also unanimously agreed that consumers do not have a “clear

Maureen
​
Morrison, ​Facebook Links Actual Store Visits to Marketers’ Ads and Sales, ​ADAGE​ (June 14,
2016), http://adage.com/article/digital/facebook-adds-store-visits-measurement-tools/304493.
6
Kaleigh Rogers, ​Zuckerberg Says People Don't Understand How Facebook Uses Their Data Because
Privacy Policies Are Hard, ​VICE ​(Apr. 10, 2018), https://motherboard.vice.com/en_us/article/mbx5py/zucke
rberg-says-privacy-policies-too-long.
5

2

 understanding” of the contents of privacy policies.7 Compounding the harm, the FTC has made
clear that under this framework, a practice is generally permissible so long as it is disclosed.
Even if users did actually read the privacy notices, they have no way—short of boycotting a
service—to object to privacy practices they find overly intrusive. For the vast majority of services
and devices, the user “choice” is whether to accept the practices and use the service or to
object and not use it at all. While some claim that users additionally have the choice to use
competing services, in reality there is not meaningful opportunity to do so. In the same
testimony where he acknowledged that users do not read privacy policies, Zuckerberg was also
unable to name a direct competitor to Facebook that provided the same suite of services.8
Indeed, in addition to being a social networking destination, Facebook is now the de facto
method by which users log in to third-party applications, such as other social applications,
dating applications, and social lending sites. Many applications and online features require or
strongly suggest verification with a Facebook profile, significantly limiting the availability of web
services for anyone who chooses to not have a Facebook page.
Facebook Leads A Race to the Bottom for Online Privacy
No other single company has done more to erode consumer privacy than Facebook. This is not
simply a function of Facebook’s cavalier treatment of the data of its own users, although those
practices remain disturbing. Rather, Facebook’s business practices have driven the entire online
advertising industry to adopt increasingly invasive tracking practices in what amounts to a race
to the bottom for privacy. To be sure, Facebook is responsible for moving the advertising
goalposts from tracking based on pseudonyms and anonymous markers to tracking based on
an individual’s real names, age, and location.
This is not simply conjecture. It is widely acknowledged in the industry that the primary reason
that then-Google CEO Larry Page tied all employee bonuses to “the success of Google’s social
strategy” and so hastily implemented their social network (Buzz) was to compete with the rapid
growth of Facebook.9 Buzz’s implementation and data use subsequently landed Google under
an FTC consent decree, wherein Google promised to maintain its privacy promises to
consumers. However, even under FTC decree, Google has continued its behavioral tracking
​ENERGY & COMMERCE COMM.​, ​Press Release: #SubDCCP Holds Hearing on Digital Advertising
Ecosystem (June 14, 2018), https://energycommerce.house.gov/news/press-release/subdccp-holds-heari
ng-on-digital-advertising-ecosystem (“Vice Chairman Adam Kinzinger (R-IL) ​posed​ an important question
to our expert panel, ‘Do any of you believe consumers have a clear understanding of what’s contained in
a privacy policy?’ To which all four witnesses answered with a unanimous no.”).
8
Sarah Jeong, ​Zuckerberg Struggles to Name a Single Facebook Competitor, ​VERGE​ (Apr. 10, 2018),
https://www.theverge.com/2018/4/10/17220934/facebook-monopoly-competitor-mark-zuckerberg-senatehearing-lindsey-graham.
9
​See Nicholas Carlson, ​Larry Page Just Tied All Employees' Bonuses to the Success of Google's
Social Strategy, ​BUS. INSIDER​ (Apr. 7, 2011), http://www.businessinsider.com/larry-page-just-tied-employee
-bonuses-to-the-success-of-the-googles-social-strategy-2011-4.
7

3

 with users’ real identities to further erode the ability of users to engage online privately.10 These
industry-wide practices, led by Facebook, continue to substantially intrude into users’ private
lives and expose them to risk of exploitation and manipulation by corporate and government
actions.
Facebook Employs a Privacy Policy of “Two Steps Forward, One Step Back”
To reiterate, nothing we have seen this year is new behavior from Facebook. As the principal
technologist at the FTC responsible for investigating Facebook's practices, I saw that time and
again, Facebook was engaged in unfair and deceptive practices. Specifically, in 2011,
Facebook agreed to settle charges that it deceived consumers by, among other things:
1) narrowing its definition of privacy without notifying consumers, allowing previously
private consumer information to be accessible to anyone on the web;
2) allowing apps to have sweeping access to user data after telling users that they could
keep their information private from those apps;
3) telling users they could restrict sharing of data to limited audiences—for example with
"Friends Only"—but in fact allowing sharing with third-party applications used by their
friends;
4) claiming to verify the security of apps when it did not do so; and
5) retaining user information even after users deleted their accounts.11
These alleged practices, along with numerous other privacy infringements throughout the
company’s history, have led to few or no meaningful repercussions to Facebook’s success.12
For example, as an independent researcher, I demonstrated that Facebook was intercepting the
contents of user conversations in order to detect references to other brands or websites.13 It
would then share information about those conversations with the operators of those pages or
websites by reporting a “Like” from the user on the Facebook page—providing those third
parties an open window into users’ private conversations.14 The latest Cambridge Analytica
missteps by Facebook are only the latest in a series of bad actions taken by the company.

Julia Angwin, ​Google Has Quietly Dropped Ban on Personally Identifiable Web Tracking, ​PROPUBLICA
(Oct. 21, 2016), https://www.propublica.org/article/google-has-quietly-dropped-ban-on-personally-identifia
ble-web-tracking.
11
​FED. TRADE COMM’N​, ​Facebook Settles FTC Charges that It Deceived Consumers by Failing to Keep
Privacy Promises (Nov. 29, 2011), https://www.ftc.gov/news-events/press-releases/2011/11/facebook-sett
les-ftc-charges-it-deceived-consumers-failing-keep.
12
Alyssa Newcomb, ​A Timeline of Facebook's Privacy Issues—And Its Responses, NBC (Mar. 24, 2018),
https://www.nbcnews.com/tech/social-media/timeline-facebook-s-privacy-issues-its-responses-n859651.
13
Kashmir Hill, ​Facebook Scans Private Messages to Hand Out Public 'Likes', ​FORBES​ (Oct. 4, 2012),
https://www.forbes.com/sites/kashmirhill/2012/10/04/facebook-scans-private-messages-to-hand-out-publi
c-likes/#735fb4fd2738.
14
Wendy Davis, ​Facebook Agrees to Settle Class-Action Over Message Scans, ​MEDIAPOST​ (Dec. 23,
2016), https://www.mediapost.com/publications/article/291771/facebook-agrees-to-settle-class-action-ove
r-messag.html.
10

4

 Facebook Leverages Its Control of Consumer Information for Growth in Market Share
Facebook is the custodian of user information, and it allows its commercial partners access to
that data in exchange for growth and expansion opportunities. Recent reporting by the ​New
York Times detailed Facebook’s practice of giving certain device maker partners privileged
access to the platform and allowing those partners to override users’ privacy controls without
notifying affected users.15 I was provided one of these “privileged access tokens” by the
reporters investigating the story and personally tested this functionality. With it, I was able to
view vast amounts of information about a user’s friends by simply emulating the access given to
the privileged partner—access which allowed me to override the user’s chosen platform privacy
settings that would normally block these types of third parties from accessing their information.16
Follow-up reporting by the ​Wall Street Journal confirmed that in addition to hardware makers,
certain Facebook “platform partners” (i.e. website and app developers) were also provided
privileged access to users’ private information.17 There is quite a bit of confusion about the exact
details reported,18 but my understanding is that while in April 2014, Facebook announced that it
would not allow app developers to access certain information (such as information about a
user’s friends), it did not enforce this policy until one year after the announcement—in May
2015. When that time came around, however, Facebook selectively granted extensions to
certain of its more prominent advertisers, included a major automotive company and a large
Canadian bank.
These types of “privacy for sale” walkbacks are par for the course. For example, in response to
the current Cambridge Analytica scandal, Facebook initially sought to banish all data brokers
from the platform. However, Facebook “quickly softened its stance after big marketers
threatened to pull their ad dollars” from the platform.19
While Facebook claims it does not sell user data to advertisers,20 it commodifies this data and
brokers access to consumer information to achieve unparalleled growth and dominance online.
Gabriel J.X. Dance, et al., ​Facebook Gave Device Makers Deep Access to Data on Users and Friends,
N. Y. TIMES ​(June 3, 2018), https://www.nytimes.com/interactive/2018/06/03/technology/facebook-device-p
artners-users-friends-data.html.
16
For example, the access token that was granted to me by the ​Times allowed me to access information
on the reporter's friends—overriding the friend’s privacy settings. ​See @ashk4n, ​TWITTER ​(June 4, 2018,
8:19 AM), https://twitter.com/ashk4n/status/1003657433770811393.
17
Deepa Seetharaman & Kirsten Grind, ​Facebook Gave Some Companies Special Access to Additional
Data About Users’ Friends, ​WALL ST. J.​ (June 8, 2018), https://www.wsj.com/articles/facebook-gave-some
-companies-access-to-additional-data-about-users-friends-1528490406.
18
@facebook, ​TWITTER ​(June 8, 2018, 4:34 PM),
https://twitter.com/facebook/status/1005231609619021827?s=21.
19
Joel Schectman, ​Facebook Releases New Privacy Safeguards After Ceding to Pressure from
Advertisers, ​REUTERS (J​une ​13, 2018), ​https://www.reuters.com/article/us-facebook-privacy-broker/faceboo
k-releases-new-privacy-safeguards-after-ceding-to-pressure-from-advertisers-idUSKBN1J924P.
20
Jordan Crook, ​Mark Zuckerberg: “We Do Not Sell Data to Advertisers”, ​TECHCRUNCH
(Apr. 10, 2018), https://techcrunch.com/2018/04/10/mark-zuckerberg-we-do-not-sell-data-to-advertisers.
15

5

 While many view Facebook as a two-sided marketplace—connecting consumers and
advertisers—in fact, it also services a crucial third market. In order to thrive, Facebook must
attract developers, who create new apps and features for Facebook akin to a traditional
“Channel Partner” in sales.21 Rather than directly paying in currency, Facebook reimburses
them “in kind” with access to consumer information—often much more than necessary to create
a functional service on the website and often for great benefit to the developers.
So, rather than selling data outright, the company instead rewards developers with broad
access to consumer’s information via its Application Programming Interface (APIs) and other
integration tools. Those developers then create third-party applications or plug-ins that allow
Facebook to thrive and spread across the web. This model allows Facebook to dominate, as
users quickly realize that to use other basic web services they must use Facebook as a way to
log-in.22 Facebook treats these developers as major stakeholders in the business, and provided
them with incredible access with little or no oversight. As Facebook employee 51, Katherine
Losse explains, Facebook treated developers as trusted insiders, courting them with parties and
“look[ing] away from the fact that almost all of Facebook users’ data was available to them
through the platform. Technically, [the developers] were supposed to scrub their servers of the
data every twenty-four hours but, if they didn’t, we had no way of knowing. Mark [Zuckerberg]
implicitly trusted developers.”23
The business model of rewarding developers with private user data and refusing to take even
basic steps to protect that information from abuse is exactly what has put users directly in the
line of fire in this latest Facebook privacy lapse. The larger harmful effects of this model should
not be overlooked. “Growth at any cost” is the new “unsafe at any speed,” and must be treated
as such.
Behavioral Profiling Can Be as Invasive as Wiretapping
Perhaps the clearest comparison that can be drawn about the invasiveness of Facebook’s
insights is one to the physical world. One need not look further than the rash of stories
surrounding Facebook’s purported access of smartphone microphones and cameras. Time and
again,24 individuals make allegations that Facebook surreptitiously monitored them through a
smartphone’s microphone or camera in order to eavesdrop on conversations and target them
21

A channel partner typically partners with a company to co-brand or co-develop technologies or new
products.
22
Amanda Schupak, ​What Are You Sharing When You Sign In with Facebook or Google?, CBS (Nov. 3,
2015), https://www.cbsnews.com/news/what-are-you-sharing-when-you-sign-in-with-facebook-or-google.
23
​KATHERINE LOSSE, ​THE BOY KINGS: A JOURNEY INTO THE HEART OF THE SOCIAL NETWORK​ (Free Press 2012).
24
​See Joanna Stern, ​Why It Feels Like Facebook Is Listening Through Your Mic,
WALL ST. J. (​Mar.​ 7, 2018), ​https://www.wsj.com/video/series/joanna-stern-personal-technology/why-it-feel
s-like-facebook-is-listening-through-your-mic/AAB3CF21-F765-4C6A-920A-FB2DA950288E;
Is Your Phone Listening In? Your Stories, B
​ BC NEWS (​Oct. 30, 2017)​, ​https://www.bbc.com/news/technolo
gy-41802282.

6

 with advertisements based on those discussions. These users believe this because the
inferences made by Facebook and advertisers are so deeply intimate that the individuals
conclude that those inferences could only be made by monitoring the private conversations of
those individuals. To be clear, I and other researchers have found little evidence to support
claims of Facebook surreptitiously accessing users’ microphones. Despite this, the claims
themselves shed a light into how invasive behavioral inferences can be, and the visceral
response users have to the monitoring they are subjected to by Facebook and its partners.
Congress and the legal system are no strangers to protecting private information when it is
monitored by phone or camera. Our society has long recognized that an individual has a right to
private communication and a right to be left alone. We have taken great strides to advance
those rights and protect them when new technology threatens to infringe. Now is such a time,
and federal action is required. Protecting privacy is now more critical than ever.
Federal Regulation is Necessary to Prevent Future Harms
So what can be done to protect digital privacy online? “Privacy” as a concept can no longer be
considered simply as the individual right to prevent the publication of private information or to
keep prying eyes out of one’s home. We now live in a world where our most private
details—conversations with friends, romantic preferences, and financial information—reside by
necessity with online companies. Those companies then use that data to market to and sell the
ability to target citizens based on those traits. The same tools can also be used to influence our
perception of the world around us and influence our decisions therein, such as when Russia
took active steps to sow propaganda in America to create discord in our recent political cycle.
We’ve seen the harmful effects of the erosion of user privacy, and can no longer simply content
ourselves with imagining this debate as a squabble between privacy advocates and online data
companies. The rules on what private information can be collected, how it can be used, and by
whom it can be used have enormous impacts on the wellbeing of large swaths of society, and
indeed, on the legitimacy of our democracy writ large.
The government must take meaningful action to prevent Facebook and other Internet giants
from causing lasting harm to American discourse and democracy. The FTC has called
repeatedly for an omnibus privacy regulation that would give it meaningful authority to set
appropriate rules of the road for consumers online. That authority would provide a real step
forward in providing flexible, fair rules that respect both business needs and consumer
vulnerability.
Any federal legislation should aim to address many of the key problems facing consumers
online: lack of meaningful consent, inadequate data security practices, and a lack of any real
transparency from large online companies. These issues arise time and again, and have

7

 spurred action at the state level, such as with the California Consumer Privacy Act,25 a ballot
initiative I helped to write. That initiative, and others like it,26 might well provide the state-level
experimentation necessary to create meaningful federal policy in Washington.
I thank you for your time, and look forward to answering any questions you might have.

​CA. CONSUMER PRIVACY ACT, ​https://www.caprivacy.org (last visited June 18, 2018).
​NAT’L CONF. STATE LEGS., ​Privacy Legislation Related to Internet Service Providers—2018,
http://www.ncsl.org/research/telecommunications-and-information-technology/privacy-legislation-related-t
o-internet-service-providers-2018.aspx (last visited June 18, 2018).
25
26

8