Where is Mark Zuckerberg? That question is repeated a lot lately, reflecting a desire to see the founder and CEO of Facebook personally respond to its latest imbroglio.
It is also being increasingly asked by regulators and legislators in the nation’s capital who want the CEO to account for the who, what, when, and why of an international firm, Cambridge Analytica, improperly using the personal data of 50 million Facebook users, without their consent. The company used psychological profiling, made possible by the data, in its well-compensated quest to sway election results.
Breaking an FTC consent decree
Despite Facebook’s spin that the scandalous data pilfering was not, technically, a “breach,” Cambridge Analytica’s unauthorized use of data could mean the social media giant violated a 2011 consent decree with the Federal Trade Commission.
Facebook, at that time, agreed to settle FTC charges that it deceived consumers by telling them they could keep their information on the site private, and then repeatedly allowing it to be shared and made public.
The proposed settlement required Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established.
"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," said Jon Leibowitz, then-chairman of the FTC. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."
The FTC complaint enumerated a number of instances in which Facebook allegedly made promises that it did not keep:
In December 2009, Facebook changed its website so certain information that users may have designated as private, such as their Friends List, was made public. They didn't warn users that this change was coming, or get their approval in advance.
Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data – data the apps didn't need.
Facebook told users they could restrict sharing of data to limited audiences. In fact, selecting "Friends Only," for example, did not prevent their information from being shared with third-party applications their friends used.
Facebook had a "Verified Apps" program and claimed it certified the security of participating apps. It didn't.
Facebook promised users that it would not share their personal information with advertisers. It did.
Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn't.
The settlement barred Facebook from making any further deceptive privacy claims, required that the company get consumers' approval before it changes the way it shares their data, and required that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years. Violating these terms could incur fines of at least $40,000 a day per violation.
According to the terms of the settlement, Facebook was:
barred from making misrepresentations about the privacy or security of consumers' personal information;
required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.
The proposed order also contained standard record-keeping provisions to allow the FTC to monitor compliance with its order.
With all that laid out for the company, did Facebook betray its promises, intentionally or not?
FTC Commissioner Terrell McSweeny is among those asking that question. “The FTC takes the allegations that the data of millions of people were used without proper authorization very seriously. The allegations also highlight the limited rights Americans have to their data. Consumers need stronger protections for the digital age such as comprehensive data security and privacy laws, transparency and accountability for data brokers, and rights to and control over their data.”
Congressional scrutiny geared up
While the FTC, internally, evaluates whether Facebook violated its consent agreement, Congress is sharpening its daggers. Multiple legislative committees are hoping to get a chance to grill Facebook over the data leakage.
Facebook has agreed to brief a handful of committees in both Congressional chambers. The scheduling of those meetings is being sorted.
Senator Mark Warner (D-Va.), a member of the Senate Intelligence Committee, was among those weighing in.
"This is more evidence that the online political advertising market is essentially the Wild West,” he said. “Whether it's allowing Russians to purchase political ads, or extensive micro-targeting based on ill-gotten user data, it's clear that, left unregulated, this market will continue to be prone to deception and lacking in transparency. This is another strong indication of the need for Congress to quickly pass the Honest Ads Act to bring transparency and accountability to online political advertisements."
Warner is seeking testimony from both Zuckerberg and Twitter CEO Jack Dorsey.
U.S. Senators Amy Klobuchar (D-Minn.) and John Kennedy (R-La.) used their bipartisan clout to ask the Chairman of the Senate Judiciary Committee, Charles Grassley (R-Iowa), to hold a hearing with the CEOs of technology companies.
“Major social media platforms store an enormous amount of data and have a user base larger than all of the major broadcasting companies combined,” they wrote. “The remarkable innovation that these companies have championed has changed how we share and collect information. In the process, Facebook, Google, and Twitter have amassed unprecedented amounts of personal data and use this data when selling advertising, including political advertisements. The lack of oversight on how data is stored and how political advertisements are sold raises concerns about the integrity of American elections as well as privacy rights.”
“A hearing featuring testimony with CEOs would provide the Committee the opportunity to hear an update on the progress of these companies' voluntary measures to combat attempted foreign interference and what is being done to protect Americans’ data and limit abuse of the platforms, as well as to assess what measures should be taken before the next elections. It is for these reasons that we request that you announce a hearing of the Judiciary Committee at which Senators can publicly question the CEOs of technology companies,” Klobuchar and Kennedy wrote.
Senator Edward J. Markey (D-Mass.), a member of the Commerce, Science, and Transportation Committee, called on that committee’s leadership to immediately hold a hearing on the matter.
“In light of these allegations, and the ongoing FTC consent decree that requires Facebook to obtain explicit permission before sharing data about its users, the Committee should move quickly to hold a hearing on this incident, which has allegedly violated the privacy of tens of millions of Americans,” Markey wrote.
Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, wrote “to learn how Facebook user data may have been inappropriately obtained and abused by third parties to target and manipulate tens of millions of American voters without the knowledge or consent of those individuals.”
“The troubling reporting on the ease with which Cambridge Analytica was able to exploit Facebook’s default privacy settings for profit and political gain throws into question not only the prudence and desirability of Facebook’s business practices and the dangers of monetizing consumers’ private information, but also raises serious concerns about the role Facebook played in facilitating and permitting the covert collection and misuse of consumer information,” Wyden wrote. “With little oversight—and no meaningful intervention from Facebook—Cambridge Analytica was able to use Facebook-developed and marketed tools to weaponize detailed psychological profiles against tens of millions of Americans.”
He is demanding that Facebook answer a series of questions by April 13:
How many incidents during the past ten years is Facebook aware of in which third parties collected or processed user data in violation of Facebook’s Platform Policies? Please describe each incident, the number of users whose information was collected and misused, and what steps Facebook took to remedy the violation.
Has Facebook made any attempt to identify the 50 million users impacted and inform those users that their information was collected and misused? If not, why not?
Has Facebook ever notified individual Facebook users about inappropriate collection, retention, or subsequent use of their data by third parties? If not, why not?
According to Facebook’s Platform Policy, the company reserves the right to audit apps in order to ensure they are “safe” and do not violate the company’s terms of service. In each of the past ten years, how many apps has Facebook audited? Please describe the scope and findings of each audit.
Facebook has now suspended Strategic Communication Laboratories/Cambridge Analytica from its platform. However, Facebook has apparently known since 2015 that Cambridge Analytica had obtained and used data that had been obtained from Facebook in violation of your company’s policies. Why did you not suspend the company from your platform in 2015?
Is Facebook aware of any instances in which Cambridge Analytica or its clients utilized the Facebook user data to deliver targeted advertisements to users?
If Facebook is not aware of any instances, has your company examined historical advertising data to look for such patterns? If not, why not?
In 2011, Facebook entered into a consent agreement with the Federal Trade Commission. Under the terms of that agreement, Facebook is required to maintain “a comprehensive privacy program that is reasonably designed to address privacy risks related to the development and management of new and existing products and services for consumers, and protect the privacy and confidentiality of covered information.” Please describe how, three years after Facebook entered into the consent order with the FTC, [a third party was] able to download sufficiently detailed data on 50 million Facebook users without their affirmative knowledge or consent.
The 2011 consent agreement also requires Facebook to obtain biennial privacy assessments and reports from an independent third-party professional with experience in the field of privacy and data protection. Facebook is required to provide the initial report to the FTC, to retain each subsequent report, and to provide a copy of them to the FTC, if requested.
To date, has the FTC requested any of the assessments or reports? If so, which assessments or reports were requested by the FTC and when were they requested?
Wyden added a request that Facebook provide him with a copy of every privacy assessment and report prepared in accordance with the 2011 consent agreement.
States on the case
New York State Attorney General Eric Schneiderman has announced that he and Massachusetts Attorney General Maura Healey sent a demand letter to Facebook as part of a joint probe stemming from the fallout.
“Consumers have a right to know how their information is used and companies like Facebook have a fundamental responsibility to protect their users’ personal information,” he wrote. “Along with Massachusetts Attorney General Healey, we sent a demand letter to Facebook, the first step in our joint investigation to get to the bottom of what happened.”
Connecticut Attorney General George Jepsen announced his own probe.
Jepsen’s questions demand a detailed accounting of Facebook’s privacy policies, and a timeline covering the company’s relationship with Cambridge Analytica. The letter also demands: “Describe all steps taken by Facebook to prevent such disclosures or disseminations in the future, including all steps to ensure that users are fully informed of potential disclosures or disseminations of their personal user information and consent thereof.”