Yes, the image that tries to illustrate this post is really crude and concocted; it’s not meant to be a meme, and it wasn’t even made using proper imaging software. Perhaps someone with the time and skills may take it upon his/herself to improve on it. However it might help get a point across.

Since Monday last week media outlets, ranging from Forbes, the Times and the WSJ to CNN EXPANSIÓN, have reported on a so-called «study» conducted by Facebook’s data scientists on hundreds of thousands of «randomly selected users», by manipulating the amount of positively or negatively charged posts made visible to them in their timelines, with which they were allegedly looking to establish how emotions spread on social media.

Although this remark’s probably been flogged to death already, I’m certain that social science and literature majors across the world are (again) going: «If he were alive, George Orwell would say «I hate to say I told, BUT I TOLD YOU!»». The machinery of the «Minitrue» in his novel «1984» would pale in comparison to the Web 2.0, and even more so the «Internet of Things».Episodes such as the panic raised by Orson Welles’s broadcast of «War of the Worlds» or the viral hoaxes of the late 90s and early XXth Century seem like child’s play now, compared to the episodes of panic and the threats to privacy posed by social media.

Facebook’s lawyers ought to be smelling a(nother) class action brewing miles away…Oh, no, wait! The Electronic Privacy Information Center has already filed a complaint with the Federal Trade Commission on account of this episode,claiming that «At the time of the experiment, Facebook did not stat in the Data Use Policy that user data would be used for research purposes. Facebook also failed to inform users that their personal information would be shared with researchers». So where exactly does that fin in the «How We Use Information we Receive» section of their Data Use Policy?

• as part of our efforts to keep Facebook products, services and integrations safe and secure;
• to protect Facebook’s or others’ rights or property;
• to provide you with location features and services, like telling you and your friends when something is going on nearby;
• to measure or understand the effectiveness of ads you and others see, including to deliver relevant ads to you;
• to make suggestions to you and other users on Facebook, such as: suggesting that your friend use our contact importer because you found friends using it, suggesting that another user add you as a friend because the user imported the same email address as you did, or suggesting that your friend tag you in a picture they have uploaded with you in it; and
• for internal operations, including troubleshooting, data analysis, testing, research and service improvement.»

This episode just adds to the social network’s poor privacy track record, tracing back to the «Beacon» shortly after its inception, which has now again put it in hot water, as it did in the episode that ended with the 2012 consent decree entered into with said FTC, and adds to privacy and ethics concerns raised by other technology companies and seemingly rouge scientists in their employment, such as the one about Google Street View picking up information from unencripted WiFi networks, which got it fined by Germany, and Orbitz’s profiling of PC and Mac users, pointing to how easily (and perhaps even dangerously) online media could manipulate us users on a global scale.

While it seems likely for Facebook to hold that the study was fair game under the blanket consent that must be granted to sign up for and continue to use the service (when its Terms of Use and/or Privacy Policy are modified or updated), privacy activists and common sense are likely to contend that notion. This instance will undoubtedly be hotly debated in court in more than one jurisdiction; that raises (again) a question of Internet law that has been debated since its early days: whether or not Internet-based businesses are under obligation to abide on a global scale by the laws of each and every jurisdiction their operations might extend to, which is a daunting thought for undertakings that can reach any corner of the world with Web access. That point of law has been taken a stab at by courts since the Tribunal de la Grand Instance ruled against Yahoo! in the 2000 case of la Ligue contre le Racisme et l’Antisemitisme c. Yahoo! Inc, to the more recent one where the Supreme Court of British Columbia enjoined Google from displaying links to search results for the sale of infringing software.

However the issues at the core of those cases are more complex than Facebook’s instance. I see no difficulty in Facebook sorting out where the users singled out for its trials reside in order to secure their consent prior to their engagement in them. And that’s the question at the core here: whether or not Facebook erred by not having done so. General consensus, whether stemming from public opinion, ethical guidelines or the law is it did. While product testing is an every-day need and reality in business, when a product or service has the ability to mess with people’s minds there ought to be a heightened duty of care, and of accountability, on the part of the product or service provider, given the harm it may inflict upon the subjects involved, the people near them and even their communities.

The atrocities of World War II yielded the Nuremberg Code, which lays down the principles of ethics to be met in all human experimentation that are (to be) followed in such undertakings and extend to everyday medical practice, and which cornerstone is voluntary and duly informed consent of the subject(s), which appears to have been largely absent here. Granted, whereas psychiatry is medical practice, psychology is not. However Standards 3.10 and 8.02 of the Ethics Code of the American Psychological Association prescribe as follows:

3.10 informed consent

(a) When psychologists conduct research or provide assessment, therapy, counseling, or consulting services in person or via electronic transmission or other forms of communication, they obtain the informed consent of the individual or individuals using language that is reasonably understandable to that person or persons except when conducting such activities without consent is mandated by law or governmental regulation or as otherwise provided in this Ethics Code.

8.02 informed consent to research

(a) When obtaining informed consent as required in Standard 3.10, Informed Consent, psychologists inform participants about (1) the purpose of the research, expected duration, and procedures; (2) their right to decline to participate and to withdraw from the research once participation has begun; (3) the foreseeable consequences of declining or withdrawing; (4) reasonably foreseeable factors that may be expected to influence their willingness to participate such as potential risks, discomfort, or adverse effects; (5) any prospective research benefits; (6) limits of confidentiality; (7) incentives for participation; and (8) whom to contact for questions about the research and research participants’ rights. They provide opportunity for the prospective participants to ask questions and receive answers.

An important conclusion stems from the above: informed consent in the practice of psychology is not the same as a privacy notice under US laws, regulations and/or ethical standards. The same is true under the Code of Ethics of the Mexican Psychology Society, which article 118 states that informed consent must be obtained whether for therapy, research or other procedures. It is also not the same as a «consent notice» or «aviso de privacidad» as provided for in the Mexican privacy law. This refers back to the question a few paragraphs above: was Facebook under obligation to abide by the laws and regulations of the domicile of each and every single one of its almost 700,000 users targeted in its «study»? That will be the subject matter of another entry herein; at this point the last idea I want to convey as far as Mexican privacy law and practice go is the following:

Although the requirements of voluntary informed consent in the practice of medicine and psychology may overlap, as the investigation and MXN$485,700.00 fine assessed by IFAI, the Mexican data protection authority, fined WTC Sports Clinic, a physical therapy and outpatient surgery clinic, show, the means to secure such consent as per each of the laws and regulations governing each area of practice do not suffice to meet with the requirements of the others, so that practitioners in the aforesaid fields need proper legal advice in order to avoid failing to comply with the novel legal framework for privacy, which provides for a consent notice as additional to that mandated by the Regulations (Normas Oficiales Mexicanas) which require that letters of written informed consent be included in each patient’s file and that such consent be included in human research protocols as a requisite for their authorization by the Mexican health authority, which is also a mandate of the Regulations to the General Health Law in Health Research (article 14, Roman numeral V).