Failed by Facebook, We’ll Return to the Scene of the Crime. We Always Do

As Mark Zuckerberg, Facebook’s co-founder, begins two days of testimony on Capitol Hill, where he will undoubtedly face withering criticism over his site’s handling of user data, millions of people will spend the day the way they always do: scrolling through their News Feeds, sending each other messages and “liking” posts, oblivious to any privacy concerns.

The reality is that when it comes to privacy, the trade-off has already been made: We decided long ago to give away our personal information in exchange for free content and the ability to interact seamlessly with others.

With the latest disclosure about Facebook’s data missteps — that the personal information of some 87 million users had been improperly harvested and shared with a British analytics firm — politicians can scream from the rooftops about privacy, and they should. But the public has proved over and over again that it doesn’t care.

The evidence is all too clear: After just about every big privacy hack over the past decade, people quickly returned to scene of the crime, using the same store or online site that had been compromised. Remember the massive breaches at Home Depot, Target and Yahoo? The number of consumers who never went back is minuscule.

Perhaps Facebook’s latest privacy scandal — combined with its role in the spread of false news and in foreign interference in United States elections — will be a turning point in consumer behavior. But if history is any guide, we won’t do anything differently, unless regulators take steps to save us from ourselves.

For all the head-scratching and criticism over Facebook’s slow response to various breaches and privacy fiascos, it wasn’t completely irrational. The incentive for companies to go to great lengths to protect our data — with the exception of banks and financial firms — just isn’t there.

Benjamin Dean, the president of Iconoclast Tech, a technology consulting firm, and a former fellow in cybersecurity and internet governance at the Columbia School of International and Public Affairs, has studied some of the biggest data hacks, pouring over companies’ financial records before and after a breach. The financial pain they experienced was small, he found.

“The actual expenses from the recent and high-profile breaches at Sony, Target and Home Depot amount to less than 1 percent of each company’s annual revenues,’’ he wrote in a 2015 article titled “Why Companies Have Little Incentive to Invest in Cybersecurity.’’ “After reimbursement from insurance and minus tax deductions, the losses are even less.”

When Google first introduced Gmail in 2004, this newspaper raised questions about the prospect of users objecting to a service that displayed advertising to them based on the content of their email: “For many, the bottom line appears to be that sifting through personal email with an eye toward making a sale is beyond the pale.”

Well, now more than 1.2 billion people have active accounts with Gmail, a service whose entire business model rests on Google being able to sift through your private messages. Apparently, it wasn’t beyond the pale.

For consumers, the transaction has always been pretty clear: The convenience of free service in exchange for information that allowed advertisers to specifically target us. The distinction in that equation was motivation; we figured our data was being used by benign companies seeking to sell us that pair of sneakers we wanted, not by bad actors trying to influence our political votes — or incite violence in places like in Myanmar.

None of this is to suggest that Facebook handled these situations properly; it clearly did not. And over the past week, Mr. Zuckerberg has repeatedly said as much to just about anyone who would listen.

The problem is that Mr. Zuckerberg has been apologizing for years for all sorts of breaches of trust with his “community.” And guess what? After each mea culpa, the Facebook community has grown.

Notwithstanding the #DeleteFacebook campaign, the only way companies are going to change the way they protect our data is if users abandon them — or if regulators step in.

Perhaps the biggest obstacle to behavioral change — besides our insatiable desire for all things “free” — is that it is unusual for most consumers to truly feel the effects of a massive data breach. For most people, it’s a theoretical problem — the way some people view climate change or the growing national debt.

The people who are most directly affected by privacy breaches are those who have had money stolen or whose email was exposed. But in huge data breaches, those people are a statistical anomaly.

Amy Pascal, the former of top film executive at Sony Pictures, has an authentic claim to being a victim of a data breach; she suffered national embarrassment when her emails were revealed, and she later lost her job. John D. Podesta, Hillary Clinton’s campaign chairman in 2016, also had his email compromised, to deleterious effect.

But most people don’t feel it.

Over the weekend, I asked users on Twitter whether they had deleted their Facebook accounts or reduced their activity on it. Nearly 700 users replied. For every one saying they were spurning Facebook, there were more saying they were continuing to use it.

“Understand nothing in social media is truly private and recognize that in most areas of life someone is trying to sell you something or affect your behavior,” one user wrote. Another wrote: “People love the service they get from Facebook but forget nothing is free. We pay for using it by providing our demographic and personal information so that they can sell ads to businesses to better understand and target us. We benefit by getting more relevant ads sent to us.”

And while a number of people said they were distancing themselves from Facebook, they cited not only privacy concerns but said the service had become less relevant to them.

In 2010, Mr. Zuckerberg was asked about privacy during an interview. His answer reflected where we are right now.

“People have really gotten comfortable not only sharing more information — and different kinds — but more openly with more people,’’ he said. “And that social norm is just something that’s evolved over time. And we view it as our role in the system to constantly be innovating and updating what our system is, to reflect what the current social norms are.”

Unless our social norms change, Facebook and other sites probably won’t, either.

Content originally published on https://www.nytimes.com/2018/04/09/business/dealbook/facebook-data.html by Andrew Ross Sorkin