Troubles continued this week for social media giant Facebook with confirmation that the Federal Trade Commission is investigating whether the exposure of personal data belonging to an estimated 50 million users is a violation of a 2011 consent decree with the company over privacy failings. The announcement has sent the company’s stock price tumbling and dragged down numerous other tech stocks amid fears that more regulation is the end game of legislators and state officials.
In a worst-case scenario, a $40,000 fine for each violation of Facebook’s consent decree could, theoretically, amount to a company-ruining $2 trillion fine, if a violation is assessed for each affected user.
The international political consultant Cambridge Analytica appears to have improperly used the personal data of 50 million Facebook users, without their consent. The company used psychological profiling, made possible by the data, in its well-compensated quest to sway election results around the globe.
Tom Pahl, acting director of the FTC’s Bureau of Consumer Protection, issued the following statement regarding reported concerns about Facebook’s privacy practices:
“The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers. Foremost among these tools is enforcement action against companies that fail to honor their privacy promises, including to comply with Privacy Shield, or that engage in unfair acts that cause substantial injury to consumers in violation of the FTC Act.”
“Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements,” he added. “Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. The FTC is confirming that it has an open non-public investigation into these practices.”
After remaining low key and hard-to-find as news broke of the scandal, Mark Zuckerberg, founder and CEO of Facebook, emerged from hiding to offer apologies and explain his company’s view of the controversy.
“We have a responsibility to protect your data, and if we can't then we don't deserve to serve you,” Zuckerberg wrote on Facebook’s corporate blog. “I've been working to understand exactly what happened and how to make sure this doesn't happen again. The good news is that the most important actions to prevent this from happening again today we have already taken years ago. But we also made mistakes, there's more to do, and we need to step up and do it.”
The fix, according to Zuckerberg, includes several initiatives.
“First, we will investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity,” he wrote. “We will ban any developer from our platform that does not agree to a thorough audit. And if we find developers that misused personally identifiable information, we will ban them and tell everyone affected by those apps.”
Facebook will also further restrict developers' data access to prevent other kinds of abuse. “For example, we will remove developers' access to your data if you haven't used their app in three months,” Zuckerberg said. “We will reduce the data you give an app when you sign in, to only your name, profile photo, and e-mail address. We'll require developers to not only get approval but also sign a contract to ask anyone for access to their posts or other private data.”
The company also plans to simplify new and existing privacy tools while introducing more granular controls for people to decide what information to share with apps.
Facebook also plans to expand its bug bounty program and reward those who uncover flaws, vulnerabilities, and misuses of data by app developers.
On the Congressional front, Zuckerberg is expected to testify before legislative committees. An April 10 appearance before the Senate Judiciary Committee has been tentatively scheduled. Also invited to appear at the hearing are Google CEO Sundar Pichai and Twitter CEO Jack Dorsey.
Adding to the scrum is a bipartisan coalition of 37 state Attorneys General. On March 26, they demanded answers about the company’s business practices and privacy protections in a letter to Zuckerberg.
“Just because they use Facebook and sign up for apps does not mean consumers have signed a lifetime agreement to give up their privacy,” says Oregon Attorney General Ellen Rosenblum. “We have asked Facebook several important questions and we expect clear answers from them. We must be assured that a breach or ‘leak’ of this nature will not happen again.”
The letter to Zuckerberg raises a series of questions about the social networking site’s policies and practices, including:
Were those terms of service clear and understandable?
How did Facebook monitor what these developers did with all the data that they collected?
What type of controls did Facebook have over the data given to developers?
Did Facebook have protective safeguards in place, including audits, to ensure developers were not misusing the Facebook user’s data?
How many users in the states of the signatory Attorneys General were impacted?
When did Facebook learn of this breach of privacy protections?
During this timeframe, what other third party “research” applications were also able to access the data of unsuspecting Facebook users?
“Facebook apparently contends that this incident of harvesting tens of millions of profiles was not the result of a technical data breach; however, the reports allege that Facebook gave away the personal data of users who never authorized these developers to obtain it, and relied on terms of service and settings that were confusing and perhaps misleading to its users,” the letter says.
The AGs also requested an update “about how Facebook will allow users to more easily control the privacy of their accounts.”
States and territories represented in the letter include Connecticut, Montana, Oregon, Pennsylvania, South Dakota, Alabama, American Samoa, California, Delaware, the District of Columbia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Rhode Island, Tennessee, Vermont, Virginia, and Washington.
A forceful rebuke of Zuckerberg comes from SumOfUs, an international consumer watchdog that claims to have more than 14 million members around the world. It is demanding that Facebook CEO Mark Zuckerberg step down amid several now-public controversies regarding the company’s collection, use, and distribution of user data.
The group’s capital markets advisor, Lisa Lindsley, issued the following statement:
“Last year, we worked with Facebook shareholders to urge that the company create an independent board chair, warning that the current structure, where Zuckerberg serves as his own boss, was a recipe for disaster. Multiple scandals later, it’s clear that enough is enough. Zuckerberg has proven himself unable or unwilling to protect Facebook’s user data or privacy, which is why we firmly believe that shareholders should take action to remove him as CEO and board chair.”