Facebook privacy promises loom large in FTC investigation of Cambridge Analytica leak

10 April 2018 4:08pm
10 April 2018. By Mike Swift.

Facebook made a series of specific promises to the US Federal Trade Commission in 2015 about the privacy of user information it shares with developers, “assertions” that the enforcer is certain to scrutinize as it probes whether Facebook violated a consent decree in the Cambridge Analytica privacy breach.

To comply with a 2012 FTC order, Facebook must file detailed reports with the agency every two years about its efforts to protect users’ privacy. As part of those reports, Facebook’s in-house counsel in 2015 signed off on a series of nine “assertions” about its data protection actions between 2013 and 2015, including promises to tightly limit the disclosure of Facebook user information to third-party app developers.

“Facebook protects personal information of users against unauthorized access,” the company said in “Assertion F” in its 2015 report. It said in “Assertion G” that “Facebook discloses personal information to third-party developers only for the purposes identified in the notice and with the implicit or explicit consent of the individual.”

Facebook also promised the FTC in “Assertion E” that the company “limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent.” Those privacy promises, and six others, were made to the FTC under the signatures of Edward Palmieri, Facebook associate general counsel for privacy, and Daniel Li, product counsel.

Whether up to 87 million Facebook users who had their personal information shared with Cambridge Analytica had the fair chance to provide implicit or explicit consent for that sharing is likely to be a threshold question in the FTC’s investigation.

MLex obtained Facebook’s 2015 compliance report, as well as an earlier privacy assessment from 2013, from the FTC through a series of Freedom of Information Act requests.

Facebook’s top executives, including Chief Operating Officer Sheryl Sandberg, have said in recent days that the company did not violate the FTC’s order. But not everyone agrees. The FTC’s investigation is likely to last months, but a former FTC official who helped negotiate the consent decree says the Cambridge Analytica privacy leak appears to violate Facebook’s pledges to the regulator.

“My view [is] they violated multiple provisions” of the consent decree, David Vladeck, the FTC’s former director of the Bureau of Consumer Protection, said Thursday at a public discussion of the Cambridge Analytica case. “I think there’s likely to be a very substantial penalty.”

Prior to 2014, a Facebook user downloading an app was able to give the app permission to also collect information about the user's Facebook friends. Facebook changed that practice in 2014, but it gave developers a year to migrate to a new system where users could no longer opt their friends into data collection by third-party apps, a Facebook spokeswoman told MLex, on condition that she not be directly quoted.

Facebook briefed the FTC on its privacy notice changes as they were made and received approval, and believes its privacy controls are more extensive than mobile app platforms, such as Google's Android and Apple's iOS, the spokeswoman said.

2012 Consent Order

The FTC alleged in 2011 that Facebook had deceived its users by making public and sharing information it had initially told its users would be kept private. The consent decree that settled the FTC’s allegations prohibits Facebook from misrepresenting its privacy practices to consumers.

If the FTC finds that Facebook failed to comply because of the Cambridge Analytica case, the company could be subject to financial penalties of up to $16,000 per violation. Any financial penalty would be based on the FTC’s definition of “violation,” but Google paid a penalty of $22.5 million in 2012 for violating an FTC consent decree over its unauthorized changes to Apple’s Safari browser.

The 2012 Facebook order was based on actions the social network took in December 2009, when it changed its privacy practices so information such as users’ Friend lists, which previously were private, were made public, the FTC charged. The commission said Facebook did not warn users the change was coming and failed to get their approval in advance.

Facebook, the FTC said, also incorrectly told users that third-party apps downloaded from the social network would only have access to whatever user information they needed to operate. In fact, the FTC charged, those apps had access to a broad array of user information.

The FTC agreement, Facebook CEO Mark Zuckerberg wrote in a blog post in 2012, "means we're making a clear and formal long-term commitment to do the things we've always tried to do and planned to keep doing -- giving you tools to control who can see your information and then making sure only those people you intend can see it."

Data Harvesting by Apps

That use of data by third-party apps, and whether Facebook users consented to it, has come to the forefront again with Cambridge Analytica.

Zuckerberg will tell Congress this week that the personality quiz app created by Cambridge University researcher Aleksandr Kogan in 2013, during the period covered by the nine 2015 privacy assertions, ultimately allowed Cambridge Analytica to harvest the data of up to 70 million US Facebook users, according to prepared testimony released Monday by the House Commerce committee.

Kogan’s personality quiz app was installed by about 270,000 Facebook users who agreed to share their information as well as some information from their friends whose privacy settings allowed it, Zuckerberg will testify. That gave Kogan access to a database of up to 87 million Facebook users, a database he subsequently shared with Cambridge Analytica -- without Facebook’s permission, Facebook says.

When Facebook learned in 2015 that Cambridge Analytica had acquired the app data, it ordered Cambridge Analytica to destroy it. Instead, the British company used the database to profile US voters and used it in the 2016 presidential election on behalf of Donald Trump.

Vladeck was the director of the FTC’s consumer protection bureau from 2009 to the end of 2012. A key question for the FTC, he and other critics say, is whether the friends of people who downloaded Kogan’s app were given the chance to provide meaningful consent to having their data harvested and reused for political purposes.

“In my view, the question for Facebook users is, in 2013 or any time after the consent decree, would friends of friends understand the scope of harvesting of their data? That’s the question,” Vladeck said. “The answer, I think, is plainly no.”

Zuckerberg will tell Congress this week that Facebook in 2014 changed “the entire platform to dramatically limit the Facebook information apps could access,” and banned Cambridge Analytica as soon as it learned through reports by investigative journalists that the data had not been deleted.

But the 2012 consent decree was specifically focused on reining in third-party app collection, Vladeck said, because it had already been identified as a problem by the FTC.

“I’ve seen this movie before,” he said. “And it didn’t end well.”

- With assistance from Amy Miller in San Francisco.
