Over the past year, Facebook chief executive Mark Zuckerberg has repeatedly made statements that, as the founder of the company, he takes full responsibility for privacy lapses on the social networking platform. Now, it turns out, the Federal Trade Commission (FTC) may decide to hold him at his word. According to two anonymous sources quoted by the Washington Post in a recent report, the FTC is seriously thinking about ways to make Mark Zuckerberg personally accountable for any and all privacy lapses at the social networking giant. Doing so as the result of its year-long Facebook investigation would send a strong message to other tech companies in Silicon Valley that they need to start taking privacy more seriously.
Details of the Facebook investigation into privacy breaches
At the same time, Facebook is the subject of countless other investigations, lawsuits and inquiries. For example, in addition to the Facebook investigation by the FTC, there are investigations underway by the FBI, Securities and Exchange Commission (SEC), and the U.S. Justice Department. And that’s just in the United States – in Europe, Facebook is now being investigated for possible breaches of the European General Data Protection Regulation (GDPR). And, seemingly every month, there is a stunning new disclosure about the fast-and-loose approach to privacy at Facebook. (This month, it was the disclosure that millions of Instagram users may have had their password security violated when passwords were stored on the site in plain text, completely unencrypted.)
Obviously, then, the FTC has plenty of reasons to hold CEO Mark Zuckerberg accountable for privacy breaches as the result of its Facebook investigation. This is not a single isolated case. And it is not a single bad actor. This is a systemic problem at Facebook and all of its affiliates (including Instagram). For years, Facebook has promised that self-regulation would be the solution. And, for years, Facebook has strenuously protested that it has done nothing wrong – despite mounting evidence to the contrary. So, if the FTC really did want to hold Mark Zuckerberg responsible as part of its Facebook investigation, there seems to be a relatively strong case in their favor. Even if the move were entirely symbolic (as some Internet analysts have suggested), it would still send a clear message to other big tech giants, such as Google, that there has been a real change in the regulatory posture of the FTC and other federal agencies.
What would holding Zuckerberg “personally accountable” really mean?
The Washington Post reported that the FTC is nearing the end of its Facebook investigation, and is now considering several options at its disposal. One option might be requiring Facebook CEO Mark Zuckerberg to periodically certify Facebook privacy practices with the company’s Board of Directors. This, of course, would be in addition to the current privacy assessments being carried out at the company every two years, as mandated by the 2011 FTC settlement. Forcing Zuckerberg to personally certify the privacy practices at Facebook would make him directly responsible for any mishandling of users’ data, any privacy breaches involving users’ personal information, and any shady data sharing deals with third-party data brokers, app developers or advertisers.
Another option might be additional oversight into the actual day-to-day operations of Facebook. Here, too, Facebook CEO Mark Zuckerberg would be held accountable. If, for example, the FTC required regular updates from Facebook about steps being taken to protect personal information and Facebook data, it would likely require Mark Zuckerberg to deliver those updates in person. Or, if the FTC required Facebook to make changes to the way it approves new apps, or to the way that users’ data is protected, it would likely require Mark Zuckerberg to play a key role and accept full responsibility for the results. Doing so, of course, would result in greater oversight of his leadership.
The third option on the table is to assess billions of dollars in fines against Facebook. If, as the result of its Facebook investigation, the FTC found that Facebook was in violation of its 2011 settlement, it could theoretically hand out a multi-billion-dollar fine. In practice, though, this might not be feasible. In the past, the previous record for a fine handed out in a similar case was the $22.5 million fine against Google for its privacy violations related to Apple’s Safari browser. So, going from $22.5 million to $1 billion or more would represent a huge leap for the FTC.
Waiting for the final results of the Facebook investigation
Facebook, as might be expected, has been working overtime to prevent any of these scenarios from happening. In fact, in the wake of each new Facebook investigation, stories have appeared in the mainstream media suggesting that Facebook is fighting to “shield” Mark Zuckerberg from any financial or legal problems. And a Facebook spokesperson has suggested that any new anonymous reports are not to be trusted – they represent just a “recycling” of old stories, many of them that never came to pass. For example, for years, we have heard stories that a massive fine was about to be levied against Facebook, but what has really happened? And, indeed, legal experts are mixed on whether the FTC can actually hold executives accountable in the way that the Washington Post has reported.
As part of the investigation into Facebook and the Cambridge Analytica scandal, CEO Mark Zuckerberg offered public testimony in front of Congress, “It was my mistake, and I’m sorry… I run [this company], and I’m responsible for what happens here.” Having this on the record is obviously going to make it much harder for Zuckerberg to wiggle out of his current jam. Everyone agrees by now that Facebook’s fast-and-loose approach to personal privacy has to change. Now, it’s just a matter of deciding what the final punishment is going to be.