When Facebook said Tuesday that it was suspending the accounts of a team of NYU researchers, it made it seem like the company’s hands were tied. The team had been crowdsourcing data on political ad targeting via a browser extension, something Facebook had repeatedly warned them was not allowed.
“For months, we’ve attempted to work with New York University to provide three of their researchers the precise access they’ve asked for in a privacy-protected way,” wrote Mike Clark, Facebook’s product management director, in a blog post. “We took these actions to stop unauthorized scraping and protect people’s privacy in line with our privacy program under the FTC Order.”
Clark was referring to the consent decree imposed by the Federal Trade Commission in 2019, along with a $5 billion fine for privacy violations. You can understand the company’s predicament. If researchers want one thing, but a powerful federal regulator requires something else, the regulator is going to win.
Except Facebook wasn’t in that predicament, because the consent decree doesn’t prohibit what the researchers have been doing. Perhaps the company acted not to stay in the government’s good graces but because it doesn’t want the public to learn one of its most closely guarded secrets: who gets shown which ads, and why.
The FTC’s punishment grew out of the Cambridge Analytica scandal. In that case, nominally academic researchers got access to Facebook user data, and data about their friends, directly from Facebook. That data infamously ended up in the hands of Cambridge Analytica, which used it to microtarget on behalf of Donald Trump’s 2016 campaign.
The NYU project, the Ad Observer, works very differently. Facebook doesn’t give it access to data. Rather, it’s a browser extension. When a user downloads the extension, they agree to send the ads they see, including the information in the “Why am I seeing this ad?” widget, to the researchers. The researchers then infer which political ads are being targeted at which groups of users—data that Facebook doesn’t publicize.
Does that arrangement violate the consent decree? Two sections of the order could conceivably apply. Section 2 requires Facebook to get a user’s consent before sharing their data with someone else. Since the Ad Observer relies on users agreeing to share data, not Facebook itself, that isn’t relevant.
When Facebook shares data with outsiders, it “has certain obligations to police that data-sharing relationship,” says Jonathan Mayer, a professor of computer science and public affairs at Princeton. “But there’s nothing in the order about if a user wants to go off and tell a third party what they saw on Facebook.”
Joe Osborne, a Facebook spokesperson, acknowledges that the consent decree didn’t force Facebook to suspend the researchers’ accounts. Rather, he says, Section 7 of the decree requires Facebook to implement a “comprehensive privacy program” that “protects the privacy, confidentiality, and integrity” of user data. It’s Facebook’s privacy program, not the consent decree itself, that prohibits what the Ad Observer team has been doing. Specifically, Osborne says, the researchers repeatedly violated a section of Facebook’s terms of service that provides, “You may not access or collect data from our Products using automated means (without our prior permission).” The blog post announcing the account bans mentions scraping 10 times.
Laura Edelson, a PhD candidate at NYU and cocreator of the Ad Observer, rejects the suggestion that the tool is an automated scraper at all.
“Scraping is when I write a program to automatically scroll through a website and have the computer drive how the browser works and what’s downloaded,” she says. “That’s just not how our extension works. Our extension rides along with the user, and we only collect data for ads that are shown to the user.”
Bennett Cyphers, a technologist at the Electronic Frontier Foundation, agrees. “There’s not really a good, consistent definition of scraping,” he says, but the term is an odd fit when users are choosing to document and share their personal experiences on a platform “That just seems like it’s not something that Facebook is able to control. Unless they’re saying it’s against the terms of service for the user to be taking notes on their interactions with Facebook in any way.”
Ultimately, whether the extension is really “automated” is sort of beside the point, because Facebook could always change its own policy—or, under the existing policy, could simply give the researchers permission. So the more important question is whether the Ad Observer in fact violates anyone’s privacy. Osborne, the Facebook spokesperson, says that when the extension passes along an ad, it could be exposing information about other users who didn’t consent to sharing their data. If I have the extension installed, for instance, it could be sharing the identity of my friends who liked or commented on an ad.