Facebook's 'comprehensive' privacy improvements after US FTC order had 'gaps and weaknesses,' independent assessment concludes

17 September 2021 23:33 by Mike Swift


Facebook’s internal response to its landmark $5 billion privacy settlement with the US Federal Trade Commission last year had significant “gaps and weaknesses,” despite reflecting Facebook’s commitment to rebuilding its privacy compliance structure into an “appropriately comprehensive” framework, an independent assessment obtained by MLex has found.

The initial assessment by global consulting firm Protiviti, covering the six-month period ending in April after the FTC’s privacy order against Facebook took effect, “confirms that the [FTC] Order constituted a watershed moment at Facebook,” leading to “substantial investments” by Facebook in compliance, Facebook’s chief privacy officer for product, Michel Protti, told the FTC in a letter delivering the Protiviti report on July 1.

However, the independent assessor concluded in the executive summary of the 230-page report, completed in late June, that “substantial” shortfalls remained that Facebook must address.

'Substantial additional work'

“The gaps and weaknesses noted within our review demonstrate that substantial additional work is required, and additional investments must be made, in order for the program to mature,” Provititi concluded in the executive summary, which was heavily redacted by Facebook and the FTC before it was released to MLex following a public records request.

Facebook moved too slowly in several specific areas to implement the program, the assessor concluded. “We believe there are significant further opportunities in this area that should be prioritized and accelerated,” Protiviti said. Details of those “opportunities,” which appear to refer to the use of artificial intelligence and other automated technologies, were redacted by Facebook and the FTC

Protiviti said the study was independently done without relying on the assertions of Facebook’s management, and used National Institute of Standards and Technology (NIST) principles as the basis for its evaluation. The consultant concluded that Facebook has put the foundations in place for organizational changes that, for a company with a history of serial privacy violations, may improve that record.

Facebook told the FTC in its July 1 response to the assessor’s report that it is aware it must make more progress and is working to make its new internal Privacy Organization operate as an independent compliance force within the company, even as “Facebook continues to develop a Company-wide ‘risk and controls’ mindset” on privacy.

Perhaps the key change Facebook made was to create an internal Privacy Organization headed by Protti, who reports to Facebook Chief Technology Officer Mike Schroepfer, who reports to CEO Mark Zuckerberg. Protti said in a blog post this year that the Privacy Organization is made up of “dozens of teams, both technical and non-technical, focused solely on privacy and led by some of our most experienced leaders.”

“We believe the overall scope of the program and structure into which the program is organized is logical and appropriately comprehensive. As a result, the key foundational elements necessary for an effective program are now in place, although their maturity and completeness vary,” Protiviti concluded in the summary of its assessment.

Need for standards

The specific “gaps and weaknesses” in Facebook’s evolving privacy program were redacted by Facebook and the FTC in documents released to MLex. However, one problem identified by the assessor was the continuing need for Facebook to “fully establish and mature” independent standards and oversight on privacy.

“In our experience, nearly all effective privacy programs operate according to a model where front-line product teams are responsible for performing day to day control activities that are designed to manage the risk associated with those products,” Protiviti concluded. Further details on that topic were redacted by Facebook and the FTC before the document was released to MLex.

Facebook has hired new members to its Privacy Organization under Protti, with additional hires expected through the end of 2021, but the number of people Facebook hired and plans to continue to hire were redacted from the documents. A Facebook spokesman declined to provide those numbers today.

Facebook views its revamped privacy program as having three lines of defense against misconduct: Its product and business teams are being held more accountable to privacy values in day-to-day work; internal legal and policy teams and the new Privacy Organization set privacy standards and have oversight of product and business teams; and an independent assessor has oversight over the first two levels of defense.

Facebook has long been known as a company that operates under Zuckerberg’s infamous slogan: “Move Fast and Break Things,” a rallying cry that for years was posted in red-lettered signs in Facebook offices around the world. But Protti told the FTC in delivering the initial assessment in July that its order has successfully produced lasting change at Facebook, from the chief executive officer on down.

“Facebook’s completely redesigned and exponentially expanded Privacy Program reflects the degree of change Mr. Zuckerberg envisioned when the order was announced,” Protti told the FTC. “The Program benefits from multiple levels of oversight, governance and accountability, including the independent Privacy Committee [on the board of directors], senior leadership and the Privacy Org.”

An FTC spokeswoman declined to comment today on what steps, if any, the agency will take in response to the gaps in Facebook's progress in the initial assessment.

Facebook response

Protti said in a written statement to MLex that Facebook understands its privacy efforts are a work in progress.

“This report does exactly what the Order mandates: presents an objective view of our program and ‘identifies any gaps or weaknesses’ that we can improve," Protti said. "As the initial six-month assessment of a 20-year Order, it evaluates the progress we’ve made so far. We will continue engaging with the FTC and our Assessor as we keep strengthening our privacy program to deliver even more progress in the months and years ahead."

Facebook was able to force the FTC to redact massive parts of the reports before releasing them to MLex because of a 2019 US Supreme Court decision, Food Marketing Institute v. Argus Leader Media, that requires the FTC to accept Facebook’s definition of what constitutes private or closely held information unless the agency can prove that Facebook doesn’t treat the information in that way.

Much of the attention on the FTC’s settlement with Facebook was on the size of the $5 billion fine Facebook paid to settle the FTC’s allegations that Facebook had violated an earlier settlement with the regulator in 2011 through its leaking of user data to the political data-mining firm Cambridge Analytica, its use of facial recognition technology without user consent and other violations. But the FTC order relies on mandated organizational changes to drive lasting change at the tech giant.


One key change is that Zuckerberg must personally certify compliance with the FTC privacy order each quarter, a requirement that will kick in at the conclusion in the fourth quarter of 2021.

In addition to creating an independent committee of its board of directors to monitor Facebook’s privacy practices, the FTC order required Facebook to create a “Mandated Privacy Program,” or MPP, addressing 10 specific areas of focus on privacy, and to submit an initial independent report six months after the effective date of the FTC order and every two years thereafter.

Less than one month after the FTC settlement was approved by a federal judge, Facebook in May 2020 named three members of its board to serve as the independent privacy committee — Peggy Alford, Nancy Killefer, and Robert M. Kimmitt, with Killefer serving as the chair.

“We’ve spent six months implementing this program,” a person familiar with the construction of the MPP, who spoke on condition of anonymity, told MLex. While Facebook had an existing privacy oversight program from its 2012 settlement with the FTC, the company’s senior leadership made the decision to start over from scratch with the second FTC order. “What we decided to do was take everything down to the studs and rebuild from the ground up. We did exactly that,” the person said.

Addressing weaknesses

Facebook was not surprised that the initial assessment would point out gaps and weaknesses in the program, the person said, and the company is committed to addressing those. “This is a program that’s six months into a 20-year order. We feel proud, but there’s still obviously work to do,” the person said.

The period covered by the initial assessment began when the settlement was finalized by the FTC in April 2020, with the order giving Facebook 180 days to make changes by Oct. 24, 2020. The Protiviti executive summary obtained by MLex through a public records request was the first independent privacy assessment done by Protiviti, a subsidiary of Robert Half International, for the six-month period that began the day after the Oct. 24 deadline and concluded on April 22 of this year.

Protti told the FTC in the July 1 letter that “Facebook has been moving quickly to address findings as they surfaced” from the independent assessor. Protti, the chief privacy officer and designated compliance official within Facebook for the FTC order, assured the FTC that Facebook is responding to three key findings by Protiviti.

“First, Facebook is enhancing the Privacy Org’s oversight role and capabilities to ensure it operates as an independent compliance function,” Protti told the FTC. He said Facebook is working toward a company-wide “mindset that prioritizes rigorous compliance documentation and facilitates effective oversight.”

Finally, Facebook will continue to deploy new technology to protect privacy, Protti told the FTC. “Facebook continues to expand its application of technology-based solutions to ensure that the Program leverages the Company’s core strengths in automation and analytics.”

Related Articles

No results found