As much as Facebook would like to sweep the current Cambridge Analytica scandal under the rug and continue with business as usual, signs continue to mount that the company is still playing fast and loose with user data. Even more disturbing, the company’s own auditors may be complicit in attempts to persuade users that Facebook has really, truly turned the corner on how it permits user data to be used and shared with third-party advertisers. All this raises the question of whether the 2011 FTC settlement with Facebook that resulted in an 8-count consent decree actually went far enough.
The 2011 FTC Consent Decree
In 2011, the FTC unveiled an 8-part complaint against the tech company Facebook, but stopped short of levying fines or penalties on the social media giant. Instead, the FTC settlement simply requested that Facebook overhaul and reassess its privacy policies as well as agree to be audited every two years for the next 20 years.
While the FTC settlement did not levy penalties on Facebook, the FTC clearly noted that it had the power to fine Facebook anywhere from $16,000 to $40,000 per violation. Moreover, the FTC could assess those fines on a per-user basis. At the time, Facebook had 800 million users, so even a single privacy violation could have enormous financial consequences.
What’s remarkable about the FTC Consent Decree in 2011 is that it directly addressed some of the issues currently plaguing Facebook today. For example, one of the 8 complaints listed in the consent decree covered third-party apps. Facebook specifically agreed that apps users installed would only have access to user information that they needed to operate – not the full spectrum of information that Facebook had been collecting on users. Another complaint in the FTC decree covered the subject of “Friends Only” data – Facebook had incorrectly represented the fact that user data could not be shared beyond the circle of friends.
Both of these clearly seem to have been violated in the Cambridge Analytica case, in which data collected by a Facebook quiz app on nearly 300,000 users led to a massive data breach affecting upwards of 87 million Facebook users. Even worse, Cambridge Analytica, a political consultancy based in London, may have used the data to influence the 2016 presidential election by constructing psychographic profiles of voters.
The glaring lack of any real change on the part of Facebook is a point that is now being highlighted by David Vladeck, former director of the Bureau of Consumer Protection at the FTC, who signed the original 2011 consent decree. As Vladeck sees it, the case of Cambridge Analytica represents a “serious breach” of the consent decree. In the nearly seven years that have transpired since 2011, it appears that Facebook has repeatedly violated the terms of that consent decree. Facebook privacy controls may be improved from a few years ago, but still leave much to be desired.
The PwC audit report
Despite these clear signs of potential violations of the FTC settlement, the company’s auditors have repeatedly said that Facebook is doing nothing wrong and that the company is doing everything it can to prevent future incidents. In April 2017, the auditing firm PwC gave Facebook a clean bill of health for its privacy practices, noting that, “In our opinion, Facebook’s privacy controls were operating with reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the Reporting Period, in all material respects for the two years ended February 11, 2017.”
The timing of the report is what is so controversial – it covers the period 2015-2017, which is when Cambridge Analytica gained access to the Facebook data. Given what we know now, the findings of the 2017 audit report are especially baffling.
The PwC report is so important because it is specifically mandated by the consent decree that Facebook signed with the FTC back in 2011 – it is not an optional report that Facebook chose to release. The consent decree requires Facebook to beef up its privacy practices, and one of the required measures is a full outside audit.
As might be imagined, the response to the April 2017 PwC audit report has been one of surprise and incredulity. Marc Rotenberg, president and executive director of the Electronic Privacy Information Center (EPIC), has been particularly vocal about what he sees as PwC clearly dropping the ball when it comes to Facebook. Under a Freedom of Information Act (FOIA) request, he was able to obtain a redacted version of the full 54-page report, 30 pages of which described how PwC tested Facebook’s privacy practices.
Will the FTC impose monetary penalties on Facebook in 2018?
So the big question on the minds of many is the following: Will the FTC levy monetary penalties on Facebook to ensure that the company actually follows through on its privacy promises? There is nothing like the imminent risk of a multi-million-dollar fine to get the attention of senior executives. And those fines could be massive. If the FTC attempted to impose maximum penalties on Facebook, the Silicon Valley giant could be looking at hundreds of millions of dollars in fines as part of a proposed settlement.
The problem, quite simply, is that a program of self-regulation does not appear to be working. Even when the FTC tightened its focus on personal privacy with the appointment of Jessica Rich as the Director of the Consumer Protection Bureau in 2013, the FTC was apparently unwilling to go much further in enforcing the consent decree. Just one year after the consent decree, Facebook launched its much-heralded IPO, and the idea of saddling a company like Facebook with millions of dollars in fines simply did not seem reasonable. As long as Facebook was willing to work alongside regulators and submit to third-party privacy audit oversight, it seemed that Facebook would eventually find its way out of the privacy maze.
But that simply hasn’t happened. Privacy settings remain difficult to change for millions of users, and even though Facebook says it remains strongly committed to protecting people, its actions are very different from its words. And now public sentiment has definitely shifted against Facebook. If, before, it was taboo to slap hundreds of millions of dollars in fines on a hot new tech IPO company, things are very different now. Facebook is no longer the golden child of Silicon Valley, and sentiment is growing for stronger regulation and tighter penalties.
What did the FTC settlement really change?
One interesting note from the 2011 consent decree is that it specifically mentions that Facebook privacy practices did not comply with the US-EU Safe Harbor Framework, which governed how U.S. companies could use and collect the data of EU citizens. That framework is now especially relevant, given the current buzz over the European General Data Protection Regulation (GDPR), which is set to go into effect in May 2018. (Many social networks and website services in the U.S. have already started to send out notices of updates to their privacy policies in anticipation of the GDPR.) Thus, even if Facebook can show that it has cleaned up its act in terms of sharing data with third-party app developers and advertisers, it now potentially faces scrutiny from a new quarter: Europe.
All of this may be pointing the way to comprehensive privacy protection for U.S. users of Facebook and other social networks. Champions of privacy within the U.S. – including the Electronic Privacy Information Center – have long sought some sort of federal law to protect privacy. If there is an outcry for the FTC to pursue monetary damages against Facebook for having violated the consent decree of the FTC settlement, it might just open the door to that sort of comprehensive regulation sometime in the near future.