A smartphone lying on a table in the dark, displaying Facebook logo with finger above touch screen.
Facebook Responds to U.S. Lawmakers Questions on Data Privacy Practices in 747-Page Document

Facebook Responds to U.S. Lawmakers Questions on Data Privacy Practices in 747-Page Document

As long as U.S. Congressional lawmakers continue to have questions about Facebook’s data privacy practices, the Silicon Valley giant appears ready to oblige. The latest batch of answers came in the form of a massive, 747-page document delivered at midnight on Friday, June 29.

In response to over 1,200 questions posed by members of the House Energy and Commerce Committee, Facebook was more than happy to provide answers. As a result, new findings came to light that suggest even more questions might be forthcoming in the near future about the way Facebook handles user data.

Facebook had data partnerships in place with 52 different companies

According to responses from Facebook, 52 hardware and software companies had special access to user data as part of “integrations” designed to deliver Facebook and Facebook experiences to users. These included partnerships with both U.S. companies (Apple, Amazon, Microsoft) and foreign companies (Samsung, Huawei, Alibaba).

What’s particularly damaging about this revelation is that Facebook only admitted the existence of these partnerships after a major article appeared in the New York Times, which focused on the unique partnerships between Facebook and digital device makers. Thus, Facebook is telling us what we already knew, and what the media earlier disclosed.

In response to a question from lawmakers, Facebook admitted, “We engaged companies to build integrations for a variety of devices, operating systems and other products where we and our partners wanted to offer people a way to receive Facebook or Facebook experiences.” Facebook also noted that all of these “integrations” were solely for the benefit of users, and were approved by Facebook.

Fair enough. But didn’t Facebook earlier say that all data-sharing partnerships were cut off in May 2015? This is where things get tricky, because it appears that, time and time again, Facebook continually has found ways to keep data-sharing agreements in place, even when it had evidence that some unscrupulous developers were using this data in ways that were not originally intended.

Just in case, Facebook says, it has now terminated 38 of those 52 partnerships, and has plans to terminate another 7 of them by the end of July. Given all the concerns that lawmakers have about Facebook sharing data with Chinese companies (and, especially, Huawei), this decision to terminate the data-sharing partnerships may have been painful for Facebook to make, but will help to protect the company from future legal and regulatory risk.

Facebook gave 61 app developers a six-month data extension in 2015

In response to another question from lawmakers, Facebook admitted that it gave 61 app developers a special six-month extension in May 2015 to continue using data, even when it told everyone else that all sharing of user data with third parties had been effectively terminated. The list of apps that had access to this data includes AOL, Spotify, UPS, Nike and the dating app Hinge – so we’re not talking about random apps that nobody uses. According to Facebook, this six-month extension was critical in order to let these companies come into compliance with privacy policies.

The problem here, of course, is that the data being shared with the 61 apps included more than just a user’s own personal information – it included friends’ names, and identifying information such as gender and birth date. This is where things get tricky, because the ability to access information about all people in a social network, rather than just from one solitary user, is what got Facebook into trouble in the first place. That’s how Cambridge Analytica was able to access information from 87 million people – it’s not that 87 million people used a silly Facebook quiz app, it’s that every person who did also had hundreds or even thousands of friends.

Facebook does not track whether or not people understand its Terms of Service

Congressional lawmakers, well aware of how much data Facebook theoretically has at its disposal, asked the company point-blank whether it has any metric in place in order to track how users interact with its Terms of Service. Do people read it? Do they understand it? Facebook simply answered, “There is no single number that measures how much time people spend understanding how Facebook services work.” In other words, “Why are you asking us? We don’t know…”

What Facebook didn’t admit, divulge or answer

The good news is that Facebook is finally starting to open up about its data side deals and partnerships. The bad news is that many of the answers provided by Facebook are lacking in detail and appear designed to insulate the company from any further legal or regulatory action rather than to provide insight about the company’s data practices.

Take, for example, the way that Facebook answered questions about hardware and software partners that had access to Facebook data. Facebook is very much aware of its 2011 FTC consent decree, which requires that it must obtain permission if it shares a person’s data with a third-party not specifically designated by the user.

Within the 747-page document, Facebook continually attempts to make distinctions between developers and partners, and between suppliers and third parties. For example, Facebook refers to Samsung and BlackBerry as “suppliers,” not “third parties.” Thus, if Facebook did share data with Samsung, it was sharing data with a supplier and not a third party, and the 2011 FTC Consent Decree would not be triggered. See how clever highly paid lawyers can be?

Moreover, Facebook did not divulge how much information it collects about every user. In response to a specific question asking how much data Facebook collects, the answer was about as beige or vanilla as you could imagine, “As far as the amount of data we collect about people, the answer depends on the person.”

In response to #privacy questions, #Facebook tries to distinguish between developers and partners, suppliers and third parties.Click to Tweet

And, finally, Facebook didn’t provide any clear reason why it did not start an immediate audit of thousands of apps way back in 2015, instead of waiting for the Washington, DC hearings in April 2018 to trigger a sudden rush to audit apps. Facebook also did not respond directly to questions asking which employees or executives were responsible for the lack of oversight. (For obvious legal reasons)

Will we see a third round of questions and answers?

What is truly staggering is that, 747 pages later, Congressional lawmakers probably still have more questions about Facebook. For Facebook, this could work to its advantage – as long as the questions keep coming, and as long as Facebook’s lawyers can carefully vet all responses in advances, Facebook can safely delay and mitigate the risk of regulatory or legal action. One thing is for certain – Washington lawmakers who might have entertained the idea of hanging out at their summer beach house or enjoying time away from the nation’s capital now have some very serious and detailed “beach reading” to keep them occupied for quite some time.