Facebook subpoenas reveal broad scope of Massachusetts probe into app data collection
09 August 2021 22:14 by Mike Swift
Facebook has received investigative subpoenas sent by Massachusetts Attorney General Maura Healey that focus on two turning points in the company’s privacy practices: its 2014 decision to scale back apps’ access to user data, and what it did to investigate rogue apps after the Cambridge Analytica scandal erupted in 2018.
The civil investigative demands Massachusetts sent Facebook in June and November 2018, obtained by MLex through a public records request, show investigators narrowing their focus to the internal “App Developer Investigation.” Facebook launched the ADI in the wake of its acknowledgment that as many as 87 million Facebook users’ data had found its way to the political data-mining company before the 2016 US presidential election.
The subpoenas show that the broad focus of Massachusetts investigators — a probe that remains active to this day and is one of three state AG privacy inquiries into Facebook — is on whether Facebook honored its legal obligation to protect the user data it allowed outside app developers to harvest starting in 2007, when the company created the “Facebook Platform” allowing millions of independent apps to collect and broadly share the data of users and their friends on the social network.
Facebook disclosed that it suspended 425 apps in 2018 during a full review of all the apps that had access to “large amounts” of Facebook user data, the Massachusetts documents show. But investigators wanted much more detail about how and why Facebook took that action, and what executives knew when they concluded four years previously that Facebook should dramatically scale back apps’ access to user data.
The 44 pages of documents obtained by MLex focus on two important periods in the evolution of the Facebook Platform: what the company knew about misuse of personal data of its users in the time prior to its 2014 decision to scale back apps’ access to data, and what specific steps Facebook took in 2018 to discover and ban privacy-violating apps and their developers after the Cambridge Analytica scandal erupted, including previously unknown privacy breaches by other apps in prior years.
Prior to 2014, Facebook allowed apps to access the Facebook data of not only people who downloaded the app, but also of their friends on the social network. That was how app developer Alexandr Kogan’s GSR personality quiz app, even though it was downloaded by no more than 270,000 Facebook users, was able to access the data of multiple tens of millions of people, which ultimately was sold to Cambridge Analytica.
The inquiry reaches back to an era before Facebook was a public company with billions of dollars of monthly advertising revenue driven by personal data. It was a time when the social network was largely accessed on desktop computers rather than smartphones, when Facebook users could access as many as 9 million independent apps to play games such as the once hugely popular “Farmville,” or for myriad other purposes.
The partnership with independent apps brought Facebook revenue at a time before it developed its massive advertising business, and it helped the social network make the eight-fold jump from the 360 million regular users it had in 2010 at the start of the period being probed by Massachusetts, to the more than 2.9 billion regular users it has today. But it may also have created regulatory risk on privacy that, like a long-neglected toxic dump, is only bubbling to the surface now.
A spokeswoman for Healey declined to comment on the state’s CIDs. Facebook declined to comment.
Both CIDs demand documents and data going back to Jan. 1, 2010, about the company’s data protection policies on Facebook Platform, and how Chief Executive Officer Mark Zuckerberg and other executives made the decision to cut back apps’ data access, a change that didn’t fully take effect until 2015. They seek to learn whether Facebook had clear warning flags of developer data misuse up to seven years prior to the Cambridge Analytica scandal.
For example, Massachusetts sought documents including a PowerPoint presentation on a “map of the vulnerabilities for user data on Facebook's platform” that Sandy Parakilas, a former Facebook employee who oversaw privacy and policy compliance for the Facebook Platform in 2011 and 2012, may have given to senior executives. The Massachusetts CID also seeks Facebook’s communications with RapLeaf, a now defunct data broker that has been accused of harvesting Facebook data for use in political campaigns.
Massachusetts is also looking into Facebook’s creation of app “White Lists,” which Facebook explained in 2018 was a practice where in “some situations, when necessary, we allowed developers to access a list of the users’ friends. This was not friends’ private information but a list of your friends (name and profile pic).”
As part of that inquiry, investigators asked Facebook for communications sent or received about White Lists by Parakilas, and other Facebook employees John Anderson and Amanda Earheart, who between 2010 and 2014 was a Facebook “risk ops manager” who policed developers integrating Facebook Credits, a form of virtual currency used by gaming and other apps.
Massachusetts investigators also demanded “data sharing agreements [Facebook] entered into with device manufacturers, including but not limited to, Apple, Amazon, Blackberry, Microsoft, Samsung, and Huawei, and any makers of operating systems,” a list that would also appear to include Google.
The June 2018 CID, the second of three CIDs Massachusetts sent Facebook that year, also demands documents that were the legal basis for Zuckerberg’s statements in an online post promising to get to the bottom of how the GSR app, and potentially other apps, were able to improperly access or share Facebook data.
Massachusetts investigators demanded that Facebook turn over documents “sufficient to state all bases for the following statements by Mark Zuckerberg on March 21, 2018 on Facebook.”
“First, we will investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity,” Zuckerberg said in that post, about a week after the Cambridge Analytica news broke. “We will ban any developer from our platform that does not agree to a thorough audit. And if we find developers that misused personally identifiable information, we will ban them and tell everyone affected by those apps.”
The third and final CID was the result of about eight months of prior CIDs and other communications between Massachusetts investigators and Facebook, which are referenced in the documents obtained by MLex. It focuses much more tightly on what was known internally at Facebook as the ADI probe that Zuckerberg said in March that Facebook would perform.
That probe, headed by law firm Gibson Dunn & Crutcher, is the subject of ongoing litigation between Facebook and Massachusetts, which says the facts unearthed by the ADI can be used for its investigation of whether Facebook violated its legal responsibility to protect user data. Facebook, however, says the ADI is an attorney-privileged product off-limits to investigators. The Massachusetts Supreme Judicial Court ruled in the state’s favor earlier this year.
While Facebook told users in a September 2019 post that “tens of thousands” of apps associated with about 400 developers had been suspended for failing to cooperate with Facebook’s internal probe, the company has not disclosed the final result of the ADI. A Facebook spokesperson told MLex last month that the company had nothing to add about the probe’s conclusions, and said today that position is unchanged.
The ADI was the specific focus of the third and final CID that Massachusetts investigators delivered to Facebook’s offices in downtown Boston on Nov. 5, 2018. The ADI was a three-phase inquiry, with Gibson Dunn and a Facebook internal team first looking at lists of apps with access to large amounts of users’ data, before a second phase that flagged potential problem apps for a more detailed review.
The third phase was enforcement, including apps and their developers permanently or temporarily banned from the Facebook Platform for misuse of data, or for failing to cooperate with the ADI.
From the second phase of the ADI, Massachusetts demanded information on each app for which “actual misuse” was identified, including the documents Facebook used to identify the “actual misuse,” a list of each app that was banned from the Facebook Platform for “actual misuse,” and a list of apps that were banned because they failed to cooperate with the ADI.
From the enforcement phase, the state focused on what happened to developers, not just the apps they built. Investigators demanded documents that showed each app that was deleted by Facebook and the date of deletion; each app developer account that was disabled; each app developer that was banned from creating other apps on Facebook, and the duration of those bans; and a list of all developers who were banned personally from Facebook, and the duration of those bans.