As much as Facebook would like to sweep the current Cambridge Analytica scandal under the rug and continue with business as usual, signs continue to mount that the company is still playing fast and loose with user data. Even more disturbing, the company’s own auditors may be complicit in attempts to persuade users that Facebook has really, truly turned the corner on how it permits user data to be used and shared with third-party advertisers. All this raises the question of whether the 2011 FTC settlement with Facebook that resulted in an 8-count consent decree actually went far enough.
The 2011 FTC Consent Decree
In 2011, the FTC unveiled an 8-part complaint against the tech company Facebook, but stopped short of levying fines or penalties on the social media giant. Instead, the FTC settlement simply requested that Facebook overhaul and reassess its privacy policies as well as agree to be audited every two years for the next 20 years.
While the FTC settlement did not levy penalties on Facebook, it clearly noted that it had the power to fine Facebook anywhere from $16,000 to $40,000 per violation. Moreover, the FTC could assess those fines on a per user basis. At the time, Facebook had 800 million users, so even a single privacy violation could have enormous financial consequences.
What’s remarkable about the 2011 FTC Consent Decree is that it directly addressed some of the issues plaguing Facebook today. For example, one of the 8 complaints listed in the consent decree covered third-party apps. Facebook specifically agreed that apps users installed would only have access to the user information they needed to operate – not the full spectrum of information that Facebook had been collecting on users. Another complaint in the FTC decree covered the subject of “Friends Only” data – Facebook had represented that data shared with “Friends Only” could not be shared beyond that circle of friends, which was not the case.
Both of these provisions appear to have been violated in the Cambridge Analytica case, in which data collected by a Facebook quiz app on nearly 300,000 users led to a massive data breach affecting upwards of 87 million Facebook users. Even worse, Cambridge Analytica, a political consultancy based in London, may have used the data to influence the 2016 presidential election by constructing psychographic profiles of voters.
The glaring lack of any real change on the part of Facebook is a point now being highlighted by David Vladeck, former director of the Bureau of Consumer Protection at the FTC, who signed the original 2011 consent decree. As Vladeck sees it, the Cambridge Analytica case represents a “serious breach” of the consent decree. In the nearly seven years that have passed since 2011, it appears that Facebook has repeatedly violated the terms of that consent decree. Facebook’s privacy controls may have improved from a few years ago, but they still leave much to be desired.
The PwC audit report
Despite these clear signs of potential violations of the FTC settlement, the company’s auditors have repeatedly said that Facebook is doing nothing wrong and that the company is doing everything it can to prevent future incidents. In April 2017, the auditing firm PwC gave Facebook a clean bill of health for its privacy practices, noting that, “In our opinion, Facebook’s privacy controls were operating with reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the Reporting Period, in all material respects for the two years ended February 11, 2017.”
The timing of the report is what is so controversial – it covers the period 2015-2017, which is when Cambridge Analytica gained access to the Facebook data. Given what we know now, the findings of the 2017 audit report are especially baffling.