Worried about election interference? It's time to take a look at internet and wireless providers

Recent concerns about malicious foreign actors interfering with American elections have become synonymous with Facebook, Google and Twitter. This is an inaccurate and potentially dangerous mistake. The vulnerability revealed by America’s 2016 election experience involves the use of massive amounts of granular data to target specific Americans with highly personalized messaging designed to distort our political dialogue and ultimately influence our elections.

That vulnerability, however, extends beyond just social media and search engine companies. It also encompasses companies that hold even more detailed information about American voters: Internet and wireless providers and, moreover, the mega-corporations that increasingly control both “the pipes” and “the content” that deluge all of us. If bad actors can buy, leverage, or steal the even more granular data those companies possess on American voters, the result would be election interference on a scale that would make 2016 look like child’s play.

Concern about data collection by the private sector is not new, as UC Berkeley professor Chris Jay Hoofnagle highlights in his book "Federal Trade Commission Privacy Law and Policy." Prior to the 1970s, credit card companies kept data files on individuals that were accessible to virtually anyone and contained data from mundane to highly personal. The Fair Credit Reporting Act of 1970 limited some of that flow of data, becoming one of the first consumer information privacy laws.

However, data sets could be, and still are, sold to third parties to create anonymous, aggregated lists. Originally, these lists were used by direct marketers to send you catalogs and other advertising that may — or may not — interest you. As advertisers and marketers became more sophisticated, the data required to power their pitches became more complex. Those possessing such data soon realized that, the more granular the data, the more they can charge those wanting to power their advertising campaigns with it.

Of course, Facebook, Google and Twitter have loads of such data. That’s because, for example, Facebook’s 2.2 billion users have already given it away. In the admiring words of The Atlantic’s Michael Hirschorn, written during Facebook’s early days: “you can play with your privacy settings to prevent this, but as you become acculturated to the site, you realize that you have to give information to get information.”

So it’s not surprising that Facebook has been front and center in the post-2016 election reckoning, given their massive global user base and the apparent violations of Facebook’s standards and practices by companies like Cambridge Analytica. Ultimately, however, if you’ve read and accepted the terms of service that govern access to Facebook, you’ve generally surrendered your rights to that data to Facebook for its use. Almost every free website on the internet works that way, especially those supported by advertising.

Facebook creates profiles when you sign up and then collects even more from you based on your offline data, your interests, and your digital interactions. But all of that still pales in comparison to data sets that others in the digital ecosystem can amass, let alone what malicious actors can do with those data sets if they’re able to buy or steal them.

Today, internet and wireless providers have access to even more data about you — perhaps more than any private entities have had in human history. These companies know not just detailed facets of your identity but also what influences that identity. They know which websites you visit, when you visit them, and how much time you spend on them. They know which apps you have on your phone and where you’ve traveled. They know whom you text and whom you call. And, because your internet and wireless accounts are tied to your home address, they can pull in commercially available household information pegged to your address to fill out their profiles of you.

The notion that these companies might fuse this wide-ranging information isn’t paranoid; it’s already happened. In 2012, Verizon started collecting subscriber information across every interaction on a user’s wireless device, then both used it to sell ads on media properties and shared it with outside advertising partners. Soon the program was extended to include any device, even those without Verizon connections. While an FCC settlement limited selling targeted ads to owned and operated properties, the ongoing consolidation between media companies and telecoms continues to raise concerns about the feasibility of enforcing those limits.

This consolidation of media and telecoms has been happening for almost two decades, highlighted by AOL and Time Warner's merger — one of the largest mergers ever seen. And the possibility of controlling both “the pipes” and “the content” has loomed ever larger, with Verizon acquiring Yahoo!, Comcast purchasing NBC and Google owning YouTube. These mega-corporations are designed to capture as much data about users as possible and have as much reach as possible in order to generate as much revenue as possible.

Given the financial pressure on these companies, concern about what they’ll do with that data and to whom they’ll sell it — plus how carefully they’ll safeguard it — is well grounded. Right now, if you wanted to opt out of this superstructure, theoretically you might still be able to by avoiding certain providers, carriers, apps and websites and overriding the default settings on those apps and websites that you do use.

But, soon, even that theoretical possibility will have disappeared as consolidation continues. And, because most Americans won’t take those time-consuming steps anyway, our collective vulnerability to malicious actors using these data sets to corrupt our democracy or otherwise precisely target certain Americans with disinformation would persist.

There’s some hope that Americans are beginning to think about addressing these concerns. For example, the Honest Ads Act introduced in Congress would require the same level of disclosure for political ads online as is required for television and radio commercials. The bipartisan bill, which both of us have publicly endorsed, would impose ad transparency requirements on internet companies with 50 million unique visitors a month.

But this single piece of legislation, focused on sites like Facebook, must be the start of the process, not the end. Our vulnerabilities to malicious actors keen to interfere with our elections are bigger than just political advertising, and they’re bigger than just Facebook, Google and Twitter. They extend to internet and wireless providers, whose personal data gathering and use have almost entirely escaped public and congressional scrutiny in the post-2016 election review.

This despite the fact that they offer incredible possibilities for foreign actors to buy or steal exactly the sort of granular information on U.S. voters that would enable a far more effective election interference campaign than Moscow’s 2016 effort. And those vulnerabilities grow with every industry consolidation of control.

Rather than just asking how Facebook can prevent the next Cambridge Analytica scandal, we and our legislators should be asking who else knows what else about Americans — and how bad actors might be able to buy, leverage, or steal that information to use it against all of us and the democracy we hold dear.

Joshua A. Geltzer is executive director and visiting professor of law at Georgetown Law’s Institute for Constitutional Advocacy and Protection as well as ASU Future of War Fellow at New America. He served as senior director for counterterrorism and deputy legal adviser at the National Security Council from 2015 through 2017.

Bryan Jones is a technology executive and angel investor, having founded several companies in the mobile, advertising and healthcare sectors. Jones has been issued several patents related to digital advertising. He also serves on the Board of Directors of Stand Up Republic.