© Yoan Valat/Pool via REUTERS

On May 10, 2019, Facebook founder and CEO Mark Zuckerberg arrived at the Élysée Palace in Paris for a meeting with French President Emmanuel Macron. The images that were released to the press uncannily resembled those from a traditional head-of-state working visit: two men square off across a table in a gilded room, leading their respective teams into negotiation, notepads at the ready, steely and determined looks on their faces.

Today’s tech firms are some of the most valuable corporate entities in history, with revenues higher than many countries’ GDP and user bases larger than the populations of many more. Many of their policy decisions—for example, on the bounds of acceptable public speech online—certainly have significant global ramifications, and squarely lie in the realm of essential human rights, making them significant political actors.

Denmark, having recognized the political influence and impact of the tech sector, appointed a “tech ambassador” to Silicon Valley in August 2017. “Companies such as Google, IBM, Apple and Microsoft are now so large that their economic strength and impact on our everyday lives exceeds that of many of the countries where we have more traditional embassies,” the then Danish foreign minister, Anders Samuelsen, said when announcing the position.

It has become almost a cliché to point out how powerful and “state-like” major technology companies like Facebook, Google, Amazon, Apple, and Microsoft have become. For some, the Macron-Zuckerberg meeting provides the latest case-in-point: government and firm appearing seemingly as equals, on a level playing field.

But do these companies indeed have “foreign policies” of their own, and if so, what are they trying to achieve? How have tech giants navigated the world’s diplomatic halls? More critically, how might firms like Facebook and Microsoft benefit from being portrayed—and portraying themselves—as diplomatic actors?

Facebook’s Rocky International Record

Mark Zuckerberg has a mixed relationship with European politicians, evading some and embracing others.

For example, a British parliamentary committee investigating “Disinformation and Fake News” tried every trick in the book to get the Facebook CEO to testify in late 2018, including issuing a host of formal summons letters, physically seizing confidential documents from the founder of an American company engaged in a lawsuit against Facebook, and repeatedly highlighting Zuckerberg’s refusal to fill the empty chair via all available channels. In a begrudging hearing in Brussels earlier that year, Zuckerberg managed to set the terms for a remarkably lopsided debate format, fielding questions for 45 minutes and collectively responding for 25—dodging pointed questions, and not providing an opportunity for MEPs to follow up.

Zuckerberg’s April 2019 visit to Berlin included meetings with the Justice and Consumer Protection Minister at the time, Katharina Barley, a member of the center-left Social Democrats, and the co-leader of the Greens, Robert Habeck, who had come out in favour of breaking up Facebook a year earlier. These were markedly less formal than the Macron meet-up. Barley in particular dismissed Zuckerberg’s call for stronger state engagement in a broad range of internet affairs. “Regardless of state regulation, Facebook today already has every possibility to guarantee its users the highest standards of data protection,” she said. Unlike in France, Zuckerberg’s reception in Germany was subdued and not particularly reminiscent of the world of international diplomacy in substance, tone, or optics.

Public-private negotiations clearly lack the protocol and formality of state negotiations. Rather, they depend on the goals the tech firms and states are pursuing, and the images they are trying to project.

Style Not Substance

Among nation states, the principle of sovereign equality applies. When it comes to negotiating with tech firms, however, states ultimately still have the upper hand—whether the setting is formal or informal.

Much of this is due to the tenuous legal standing of digital platforms for user-generated content. Internet companies have long faced a conundrum, summarized by digital media scholar Tarleton Gillespie in his recent book Custodians of the Internet: to avoid offending users and advertisers, firms have needed to develop systems for policing and removing objectionable or illegal material. But by doing so, they appear to take on responsibilities for that content as its publishers. This leaves them exposed to lawsuits and legal sanctions that can threaten their commercial viability.

The answer, enshrined in early internet law in the United States and the European Union, was a principle called “intermediary liability,” intended to grant some protection to companies that made those kinds of “moderation” decisions. Without this limited immunity of sorts, platforms could be found legally responsible for every copyright infringing video they hosted, every piece of libel or defamation that was published on someone’s profile page, and every instance of illegal content accessible in a country (such as Nazi material in Germany).

Lobbyists With Deep Pockets

The majority of international “foreign policy” activities by the advertising-dependent platforms are about avoiding the costly repudiation of these legal frameworks. They have been savvy in terms of their use of political voice, engaging in massive international lobbying efforts, shaping legislation, and crucially, rallying support amongst civil society and advocacy groups to prevent major legislative changes.

According to the Corporate Europe Observatory’s LobbyFacts project, Google spends more on EU lobbying than any other individual company (over €6 million in 2017 alone) and even many industry associations. Microsoft is not far behind, having spent around €4.5 million a year on Brussels lobbying in the past decade, topping firms such as Shell, ExxonMobil, and Bayer. And while it remains a controversial subject, growing attention is now being paid to the way that large amounts of funding from platform companies may affect the willingness of civil society groups (especially American ones with ties to Silicon Valley) to advocate for or against certain forms of regulation.

One might look at the Global Internet Forum to Counter Terrorism (GIFCT)—a coalition of firms that have committed to combating the spread of terrorist material—where tech executives, academics, and the Western national security establishment rub shoulders. They give the impression of attending a high-flying forum for international diplomacy. But GIFCT was created at the behest of the European Commission, which coerced the firms into a set of commitments through its Code of Conduct on Countering Illegal Hate Speech Online. Despite its trappings as an international organization, it is effectively about pacifying regulators.

Microsoft: An Image of Neutrality

The biggest American tech firms are not merely reactive; they also attempt to proactively set the agenda themselves.

In early November 2018, for example, Microsoft President Brad Smith swept into the main chamber of the International Court of Justice (ICJ) at The Hague’s iconic Peace Palace to deliver an address on contemporary peace and conflict. He presented a video—“Cybersecurity and the World: A Time to Reflect, a Time to Act”—which featured himself and Microsoft’s communications director, Carol Ann Browne, walking the battlefields of Verdun and discussing the perils of war and arms races with the head of the French war graves authority. The message eventually pivoted to the May 2017 WannaCry ransomware attack that hit the British National Health Service and other businesses around the world, apparently in order to demonstrate the impending threat of World War I-like catastrophic digital conflict.

Microsoft has been uniquely proactive in pitching itself as a particularly security-aware and responsible international technology company. As a creator of consumer software and hardware as well as a provider of enterprise IT services, Microsoft is less worried about intermediary liability regulation. Instead, it has sought to increase its international profile and legitimacy within contemporary cybersecurity policy debates.

In a related 2017 speech, Smith called for a “Digital Geneva Convention” to limit the use of offensive cyber operations by states, and has since spearheaded a complex lobbying effort focused at various private and public stakeholders in the internet and cybersecurity governance ecosystem. These varied efforts have been unified by their use of loaded internationalist imagery and concepts—such as the ICJ’s halls, the Geneva Conventions, the Red Cross, and the battlefields of Verdun—to grab hold of the lineage of international peacebuilding efforts and emphasize Microsoft’s role as a legitimate, savvy, and important player and measured mediator in international politics.

Cybersecurity Statesman

Smith frequently appears at international events with foreign ministers and other high-ranking officials, which in effect grants him authority as a cybersecurity statesman of sorts. He has been an effective operator thus far, playing a leading role in crafting the declaratory “Paris Call for Trust and Security in Cyberspace,” announced at the 2018 Internet Governance Forum alongside the World War I Armistice commemoration. The call brings together a large group of states, civil society organizations, and firms in a commitment to increase digital security: “States must work together, but also collaborate with private-sector partners,” the agreement reads.

Alongside this effective instance of agenda-setting, it is worth pointing out that Microsoft’s own recent past of public-private interaction includes being the NSA’s very first partner in the infamous PRISM surveillance program disclosed by Edward Snowden. In recent months, the company has faced criticism and internal controversy due to new contracts with US Immigration and Customs Enforcement and the Department of Defense. Smith’s presentations also conveniently avoid any specific responsibility Microsoft may have had in the incidents he discusses, including WannaCry (which involved a vulnerability in Windows systems).

A charitable interpretation might suggest that the imagery of international diplomacy is both substantively appropriate considering the gravity of the issues at stake, as well as stylistically helpful in describing the situation at hand. A more critical perspective, however, might suggest that Microsoft and its shareholders clearly benefit from the association, and the company is itself actively pushing this framing.

Partners in Governance?

While Amazon and Twitter have kept a low profile, Facebook, Google, and Microsoft appear to increasingly be seeking a greater public role in governance. They are attempting to move away from the coercive, hierarchical relationship that was evident in processes like the EU Internet Forum and resulted in the hate speech code of conduct.

Macron drew Zuckerberg to Paris by threatening new legislation, but also dangled a carrot to match his stick. He proposed a “co-regulation” approach to content governance that offered Facebook a seat at the negotiating table, providing the company with a potential opportunity to shape policy outcomes to better suit their own preferences.

This initiative and Microsoft’s role in the Paris Call demonstrate how Big Tech has been exploring ways through which it can de-politicize the policymaking process, making it less confrontational and more akin to equals or colleagues steering outcomes towards a set of common goals—be it “protecting the accessibility and integrity of the Internet” (in the case of the Paris Call) or “combating the dissemination of content that incites hatred” (in the French example).

While other governments seem to be less enthusiastic than France about granting tech firms co-equal partnership, momentum appears to be building across Europe. A recent Council of Europe initiative announced with Apple, Facebook, and Google intends to “strengthen its cooperation with the private sector in order to promote an open and safe internet,” creating a framework through which companies can “sit side-by-side with governments when shaping internet policy.”

Even though such initiatives may be non-binding, they carry weight by ceding some responsibility from elected officials to company representatives. Both politicians and the public should be mindful of portraying tech firms and states as equal partners, and transferring diplomatic metaphors to the public-private realm. This imagery may be more helpful to Big Tech’s public relations efforts than to crafting sound public policy.

The post Big Tech Hits the Diplomatic Circuit appeared first on Berlin Policy Journal - Blog.

© REUTERS/Yves Herman

Ever since Facebook CEO Mark Zuckerberg testified before the US Congress in early April, European Union politicians have been demanding he face questions in Brussels as well. After all, not only does Facebook have more users in the EU than in the US, it also represents the website’s main privacy regulator.

Facebook stalled on the invitation for weeks. Zuckerberg also declined a request to appear before the British Parliament to answer questions about the Cambridge Analytica scandal, in which a British company gained access to millions of American users’ data and used them for targeted advertising benefiting the Trump campaign.

But last week Facebook had a sudden change of heart. European Parliament President Antonio Tajani announced on Twitter that the Facebook CEO had relented to the mighty European Parliament and agreed to testify before it.

However, just hours after the announcement, it emerged that Zuckerberg had in fact only agreed to meet privately with the Parliament’s “Conference of Presidents’”—the leaders of its eight political groups. The meeting would be held behind closed doors.

Members of the parliament and the public were infuriated by the bait-and-switch. After relentless public pressure over the weekend, Tajani announced that Facebook had agreed to let the hearing be web-streamed. It wasn’t ideal for many privacy advocates, who said the better venue would be the Parliament’s civil liberties committee—MEPs who know the details of the relevant legislation. Having Zuckerberg be interrogated by group presidents who don’t know the details of the relevant legislation would be pointless, they said.

But it quickly got worse. Tajani then took the decision to give the meeting a bizarre format. Zuckerberg would give opening remarks, eleven MEPs would ask questions, and then Zuckerberg would give one response collectively for all questions. There would be no opportunity for follow-up.

The result on Tuesday night was predictable. Zuckerberg’s opening statement was largely a repeat of what he told the US Congress. The MEPs asked their questions, but Zuckerberg largely chose to ignore them. He seemed to many to be trying to run out the clock, and he did.

When he finished, and Tajani said “that’s a wrap,” the MEPs howled in protest. Several shouted out objections that he hadn’t answered their questions, including one on “shadow profiles” that Facebook compiles about non-users and one on whether the company is linking data from Facebook and the chat service Whatsapp in order to develop big data to sell to advertisers. The MEPs began bickering, there in the live feed for all the world to see, before Tajani abruptly brought things to a close.

It remains unclear whose idea the format was. Did Facebook request the private session and format without follow-ups? Or was it offered to them by Tajani as an enticement for Zuckerberg to come to Brussels and be treated with kid gloves? Neither side will say.

Farage Enters

To reestablish trust with European lawmakers, Zuckerberg had to assure them of three things: that Facebook is tackling fake news and election interference, that Facebook is going to be fully compliant with the EU’s new data privacy rules (GDPR) that take effect on May 25, and that Facebook is not a monopoly that needs to be broken up.

But his assertions were full of the same platitudes he had given the US Congress. “Facebook plays a positive role in elections around the world, by helping leaders like you directly connect with voters,” he told the MEPs.

At least members of the US Congress were able to follow-up when they felt their questions weren’t being answered

Claude Moraes, the chairman of the parliament’s civil liberties committee who was invited to attend the hearing, emerged saying the whole thing had been a farce, though he acknowledged that perhaps it was better than nothing. Guy Verhofstadt, the leader of the liberal ALDE party caucus, said he will be demanding written answers from the company for the questions that were not addressed by Zuckerberg.

Not every MEP left the room furious with Zuckerberg, though. Nigel Farage, the Brexit champion who leads the Euroskeptic parliament group Europe of Freedom and Democracy, told Zuckerberg during the hearing: “I’m probably your best friend in this room”.

Facebook shouldn’t be making any changes, Farage said. It should remain a neutral platform that isn’t in the business of deciding what is or isn’t “fake news.” He then accused the service of starting to show a bias against the right-wing following the Cambridge Analytica scandal.

“My Facebook clicks and views have fallen by 25 percent since the start of the year,” he complained.

The whole episode was less than reassuring for Facebook users watching at home who are concerned about their privacy. And it likely didn’t fill them with confidence about the European Parliament either.

And, as if to symbolize the embarrassing affair, during the hearing a portion of the ceiling collapsed in the press room where Tajani was due to give his press conference afterwards—alone, of course, without Zuckerberg. The journalists in the room couldn’t decide what they found funnier: the shambles unfolding on the viewing screen, or the pieces of plaster covering the floor.

The post Zuckerberg’s Easy Ride appeared first on Berlin Policy Journal - Blog.

© REUTERS/Stephen Lam

Expectations were low when Germany’s new federal justice minister hauled in Facebook executives to explain their latest data scandal. But even by those standards, it was clear the social media giant had under-delivered when Katarina Barley went before the press after the March 26 meeting in Berlin.

“Facebook admitted abuses and excesses in the past, and gave assurances that measures taken since will prevent them from happening again,” she said. “But promises aren’t enough. In the future we will have to regulate companies like Facebook much more strictly.”

But Facebook isn’t the only one making empty promises. Politicians across Europe have been astir with indignation, muttering empty threats since Cambridge Analytica admitted that information it bought on Facebook users was used to influence the 2016 US presidential election. The company bought the data—illegally—from the developers of a personality app that quizzed users to determine their personalities, political leanings, and more. Until 2014, Facebook’s default settings allowed any app installed by one Facebook user to scrape data off all of a user’s friends, too—without informing them or asking for explicit permission.

Cambridge Analytica has been bragging about its coup since Donald Trump was elected, but it took a company whistleblower to make clear the extent of the manipulation. Now that the consequences of the data-trading have become clear, Facebook claims to be shocked—shocked!—by what happened.

Caught

In reality, Facebook is shocked because it was caught. It walked into this with its eyes open, allowing problematic data-collection via third-party apps. And it earned money in the process from data-collecting app developers it knew it couldn’t control.

They got away with it because, well, they can.

Under current EU law, Germany’s federal justice minister can investigate consumer law breaches involving Facebook. But it has no ability to police Facebook data breaches—even if they happen in Germany or, as Barley said after their meeting, affect 130,000 European Facebook users.

Because Facebook and other tech giants have their international headquarters in Ireland, front-line responsibility for policing them falls to the Irish data protection regulator (DPC). And for years, the DPC has faced accusations from German and other authorities of sitting on its hands.

It is a heated, polarized argument that has much to do with interpretation of laws dating back to before Facebook was even invented. But just as crucial are cultural norms—and misunderstandings.

Germany’s robust data protection rules and privacy culture are a product of bitter experience of surveillance, under first the Gestapo and then the Stasi. Ireland has a much looser attitude to privacy and data protection, more similar to British and US perspectives, and the Irish DPC is a reflection of this. But the status quo of EU data regulation means the Irish philosophy has prevailed.

Since 2011 Ireland’s regulator has been investigating Facebook’s operations in Europe following a complaint filed by Austrian privacy campaigner Max Schrems that the company was operating outside EU law. He took his case to the European Court of Justice in Luxembourg and won, forcing the EU to close down problematic transatlantic data transfer channels.

But in his 2011 complaint to the Irish DPC, Schrems also flagged as illegal Facebook apps’ practice of pulling in the data of both users and their Facebook friends. While Facebook maintains contracts with developers forbidding the onward sale or disclosure of data to third parties without user consent, he dismissed these as worthless.

“No one knew for sure who was behind these apps and no one knew what happened to the data collected,” said Schrems. “It could disappear into another country or end up being used—as Cambridge Analytica shows—in an election campaign.”

Asking Questions

Asked about Schrems’s concerns, Facebook claimed back in 2011 that its users had agreed to share their data with apps in friends’ profiles through the concept of “third party consent.” The Irish regulator flagged this as problematic, and ordered changes back in 2011 and 2012; but we still don’t know if the DPC viewed the practice as illegal. Indeed, it was a whole three years after the first complaint that Facebook restricted its “third party consent” sharing of data, and then only because the social network updated its platform.

Ask the Irish DPC what took so long and you hear a lot about consensual audits and how effective data protection regulation requires an “iterative approach.” This is the kind of talk that drives German data regulators to distraction—they prefer to stop problematic practices first and ask questions later.

Years of pan-EU frustrations could come to an end in May, when new EU data protection rules come into force. The Irish regulator will remain the frontline regulator for Facebook, Twitter, and Google, all based in Dublin. But the new rule book, known as the General Data Protection Regulation (GDPR), foresees greater leeway to act—and huge fines for regulation breaches.

German Green MEP Jan Philipp Albrecht, who pushed GDPR through the European Parliament, says the new rules will increase pressure on the Irish DPC to explain to partner agencies in other EU member states how it is regulating—or not regulating—big tech companies in its territory. Should it fail to make a convincing case, Albrecht says, “it will lead quickly to outside control of the Irish regulator.”

For Albrecht, a data protection veteran, the EU regime will do more to rein in Facebook data breaches than any national politician or regulatory body. Albrecht added: “I for one am happy that the Irish regulator will, through GDPR, be expected to apply common rules more quickly and consequentially.”

The post Unlike appeared first on Berlin Policy Journal - Blog.