If there's one person outside of government who has stood against Facebook's crashing wave, it's Ashkan Soltani.

Late last year, the independent privacy researcher was suddenly called to speak before the UK Parliament about Facebook's privacy practices, simply because he happened to be in London and, in his own words, "was just a dick on Twitter."

Soltani wasn't just some random Internet troll: he understood the company's technical practices in a way that few did, and, better yet, he could explain them in a way that most civilians would understand.

Ars Technica Live The rise of tech-worker activism

Why Silicon Valley’s “growth at any cost” is the new “unsafe at any speed”

Oakland official: “We want to get Americans out of their cars and solve racism”

How to make elections secure in the age of digital operatives

How Oakland sets the new standard for meaningful police tech oversight View more stories Months earlier, Soltani had given similar testimony before a US Senate subcommittee, where he unequivocally said: "No other single company has done more to erode consumer privacy than Facebook."

Earlier in 2018, Soltani also helped author the new California Consumer Privacy Act, which was signed into law last June, just a few years after being named as the chief technologist at the Federal Trade Commission.

Years ago, the Californian began his career researching undeletable browser cookies. Over time, he's come to a stark realization.

"We have very little privacy protection in the US," he explained at our most recent gathering of Ars Technica Live, our monthly event (second Wednesday of the month) at a local bar in Oakland, Eli's Mile High Club.

"We have very few privacy laws," Soltani said. "What we have is FTC, Section 5, which governs unfair and deceptive trade practices."

In short, one of the FTC's primary jobs is to simply enforce whether companies are abiding by the lengthy, verbose, and legalistic terms that customers agree to.

On January 18, The Washington Post reported that the FTC is homing in on imposing potential fines to Facebook over the recent Cambridge Analytica debacle that erupted in March 2018. That now-defunct British data-analytics company was revealed to have retained data on 50 million Facebook users despite claiming to have deleted it. That's on top of myriad other breaches, bug disclosures, and more.

"When the incentive is to grow at any cost, these violations don't seem like violations—they almost seem intentional," Soltani said.

Or, as he told the Senate committee: "'Growth at any cost' is the new 'unsafe at any speed' and must be treated as such."

A losing battle

Soltani quickly zeroed in on two primary reasons why it has been difficult for American regulators to wrap their arms around companies like Facebook. First, the California tech giant does provide a useful service: politicians want to reach voters and want to communicate with family members, too.

But the second issue is tougher, Soltani explained.

"Historically, if you wanted to govern airbags, there was a model year, you would recall a certain version, and you would hold a company liable," he said. "Software, particularly Web apps and cloud-based software, is constantly changing. It's not the same for you or [me]. You might be in a test group that I'm not in. To know this version versus that version and [how] the law should affect it this way is incredibly difficult."

It's impossible, he explained, for most people to keep track of the ins and outs of APIs and other data-sharing practices.

As an example, Soltani pointed to his June 2018 testing—at the request of The New York Times—which revealed how much a Facebook app on a BlackBerry phone could access. Facebook has maintained "data-sharing partnerships" with numerous device makers, which allows access to friends' data even after saying that it would no longer do so.

"When you're talking about these kinds of violations and these kinds of lies that the companies are telling, it feels like, as a consumer, it's hard for us to make good decisions," he said, pointing out how, when we buy food at the grocery store, all the choices must abide by labeling requirements.

"None of [the foods in the grocery store] can include arsenic, [but] we're not required to test our products," he added. "That's kind of the online regime that we have for digital safety and digital security."

The researcher has repeatedly called on federal regulation to help turn the tide.

Interested in coming to our next Ars Live event? It will be held at 7pm on Wednesday, February 13, 2019, at Eli's Mile High Club, at 3629 Martin Luther King Jr. Way in Oakland.

Listing image by Ashkan Soltani