FTC-mandated privacy assessments fall short of expectations

The US Federal Trade Commission is reviewing its light-touch approach to company compliance with the agency's security and privacy programs amid criticism it lets corporations such as Facebook and Google chose the terms of their own oversight.

The review comes during the agency’s ongoing investigation into Facebook for possible violations of a 2011 consent agreement the social media giant signed to forestall federal litigation over its privacy practices. The agreement required that Facebook institute a privacy program to be assessed by an outside firm, but the new probe — and the possibility of a record-setting fine — was spurred by press reports about the Cambridge Analytica scandal.

And the FTC hasn't stopped Facebook from permitting device manufacturers to access profile data that users had marked as private.

When Facebook and Google each signed consent agreements in 2011 promising to implement privacy programs, the effects were supposed to be dramatic. The companies would “go back and rebuild their business in a way that takes privacy into account,” FTC official David Vladeck boasted the next year. The forcing mechanism, said Vladeck, now a Georgetown law professor, would be the legally binding promises they made to implement protective measures and to verify their effectiveness through outside oversight at a rate of once every two years for the next two decades.

The programs and their assessments are a central component of the FTC’s decade-long push to promote privacy in the private sector. They rank among the FTC’s proudest achievements. But the outcome has mostly just been expensively produced paperwork.

Much of the disappointment stems from the language the agency uses to define the third-party oversight — specifically, as “assessment,” a crucial word choice. Outsiders say the agency should require something more robust and exacting.

“That is something that we have been looking at and we’re making progress,” FTC Chairman Joe Simons told MLex recently in a brief interview. “It’s something we’re looking at,’ he repeated when pressed for details.

A company undergoing an outside assessment decides for itself which standard assessors will use to measure its performance, and it can change the standard from one assessment to the next, as Facebook has.

Assessments also operate on a low threshold for evidence. Under widely-followed standards developed by the American Institute of Certified Public Accountants, an assessor only needs a “reasonable basis” for drawing conclusions, which in practice means written policies often constitute evidence. Those are the guidelines that Facebook assessor PricewaterhouseCoopers uses when assessing Facebook’s privacy program.

Assessments don’t judge “whether or not the controls or policies actually protect privacy. They assess things like ‘Do new employees have to sit through a training session where the following information is told to them?’ Not, ‘Do the people who sit through those trainings follow the rules?’” said a congressional staffer involved in Facebook oversight, speaking on condition of non-attribution.

“Now that we know what we know, we probably would write them differently,” Vladeck told MLex.

Less than a year after signing a consent agreement, the FTC sued Google for noncompliance. As with Facebook, the agency’s incitement to action wasn’t a finding contained in an assessment. Instead, it acted after The Wall Street Journal reported the Mountain View, California-based corporation bypassed privacy settings on the Apple Safari browser. The assessor — at the time, also PricewaterhouseCoopers — gave Google a clean bill of health, stating in a 2012 report that Google “has implemented and maintains a comprehensive Privacy Program.”

Facebook, meanwhile, has been battered by revelations about its hidden data sharing practices that suggest the possibility of violations of its 2011 consent agreement even while it argues that close legal parsing of its consent agreement puts Facebook in the clear. The company said it wouldn't comment due to the ongoing FTC investigation.

A June 2018 New York Times report detailed special access to profile information Facebook granted device makers including Apple, Amazon, BlackBerry, Microsoft and Samsung.

For a decade, some hardware manufacturers could retrieve personal information even from users’ friends who believed they had barred third-party sharing. Whether that was a violation of the 2011 consent agreement is a legal debate. Facebook, interpreting the consent agreement broadly, says it’s not — device makers were allowed privileged access under the agreement’s exception for “service providers.”

If it turns out that manufacturers misused the data, the FTC can’t also say that it wasn’t warned about the possibility.

Although PricewaterhouseCoopers has three times since 2011 bestowed on Facebook its verdict that the social media giant’s privacy controls are “operating with sufficient effectiveness to provide reasonable assurance,” it included a caveat in the very first assessment, delivered to the FTC in 2013.

Facebook required device makers to undergo a certification process before being granted access to its trove of data. Except Facebook gave its assessor little evidence that it checked manufacturers’ assertions made as part of that process.

“Lack of comprehensive monitoring makes it more difficult to detect inappropriately implemented privacy settings within these third-party developed applications,” wrote PricewaterhouseCoopers.

Facebook’s solution was to change the assessment standard, as detailed by a 2018 letter Facebook sent to Senator Ron Wyden, a privacy-minded Oregon Democrat. For the next two biannual assessments, Facebook changed the relevant privacy control — which it can do. In place of asking companies to validate compliance, Facebook instituted a new control that instead required manufacturers to agree to Facebook’s data use policy. “There were no exceptions listed in PwC’s testing of this new control,” noted Kevin Martin, Facebook’s vice president for US public policy.

“I don’t think there’s anyone in Washington who would say [assessments] are serving any purpose right now. They’re pretty clearly broken,” said the congressional staffer.