Facebook logo seen in the background of a silhouette woman holding a mobile phone showing leaked documents shows issue with user data and privacy regulations

Leaked Documents From Facebook Indicate Engineers Have Lost Control of User Data, Can’t Keep Up With International Privacy Regulations

Facebook grew to be a $500 billion enterprise almost entirely on its mass collection of user data and application of it in targeted advertising. The sprawling advertising juggernaut is plugged into tens of millions of websites and apps, and may have now grown to the point that its own engineers cannot keep track of it all. Leaked documents indicate that the company is struggling to keep up with privacy regulations around the world, primarily because it cannot identify exactly where data goes once it enters the system.

A spokesperson for Facebook responded to the leaked documents by claiming that they do not demonstrate failure to comply with privacy regulations and are not an accurate representation of measures in place to manage data.

Leaked documents suggest Facebook engineers have lost visibility into user data flows

The leaked document saw a Facebook engineer lament the international privacy regulations that the company is now subject to, describing them as a “tsunami.” Facebook has had the most legal trouble with the EU’s General Data Protection Regulation (GDPR), but now faces some sort of compliance requirement in over 100 countries and is seeing a patchwork of state regulations emerge in its own.

The leaked document also expressed surprise at the development of privacy regulations in India and Europe in 2021, with one of the primary issues in Europe being the final judgment on the company’s appeal of the Schrems II decision. This decision has essentially rendered transfers of personal data from Europe to the US untenable for the company, with Facebook even publicly mulling the prospect of pulling out of the region entirely in response. Other developing issues are the EU Digital Services and Digital Marketing Acts, which are aimed squarely at big tech platforms and tighten existing privacy regulations even further.

Cillian Kieran, CEO and founder of Ethyca, elaborates on this last element: “This leaked document and its implications have even further relevance in the wake of the Digital Service’s Act recent advances in the EU this past week. Even in jurisdictions that already have leading regulations on personal data processing, the technical rule-making is not slowing down—it’s only getting steeper … Engaging the engineering teams in privacy from the outset of software development brings Privacy by Design within reach. Business can and should aspire to proactive alignment with laws like GDPR. The law demands it, and the human users of tech deserve it.”

The crux of the problem is that the company cannot guarantee to regulators that it will not use “X” user data for “Y” purpose, as it does not have an “adequate level of control and explainability” over its internal systems. The leaked document expresses a desire to comply with privacy regulations, but concern that the company will unwittingly misrepresent what it is doing with user data given its current lack of visibility.

There does not appear to be an immediate fix available for this problem either, as Facebook says that its policy enforcement plans were insufficient to handle second-party data issues “on any timeframe” and that the problem has only become more acute with the new first-party user data protections that have emerged in India and Europe. Facebook says that the only path out is a multi-year investment in overhauling its ad system and internal infrastructure.

With regards to the impact that the average Facebook user can expect this state of affairs to have on their own personal privacy, Daniel Markuson, a cybersecurity expert at NordVPN, says: “Unfortunately, even if you are not an active user or don’t even have an account, your data is probably still not as private as you would expect. Numerous sites on the internet  use Facebook’s plugins (the “Like” or “Share” buttons), logins, and ads analytics tools. Facebook collects data on everyone who visits websites like these, whether they’re registered users or not. It is hard to believe that the company will start to take care of the privacy of its users and security of data they collect, so every person should stay cautious while using social media and take steps to be more private. You may think it’s not a big deal if a social network knows your IP address, workplace, or telephone number. But what if a cybercriminal does? Considering Facebook’s sad history of data leaks (including the latest, which happened in April 2021) and the findings of the recent report, we can never be sure where our data may end up once we give it to Facebook.”

Privacy regulations spurring major reforms at Facebook

The leaked document did some spinning of the user data situation, attributing it to Facebook’s “culture of open systems” aimed at “contributor empowerment” rather than any sort of mismanagement or shortsighted development. The analogy used to describe the situation was not flattering, however: an engineer described user data as a bottle of ink being dumped into an ocean, and privacy regulations asking the company to subsequently track down all of that ink and ensure that it does not flow where it is not supposed to.

Facebook calls this its “data lineage” issue, and it appears to be one that the company was not fully thinking about until the GDPR came into effect in 2018. The company was able to deal with just one major new regulation coming on line each year from 2018 to 2020, but got caught by the “tsunami” of regulations that started in 2021.

While the leaked document might initially indicate serious compliance trouble for the company, it could end up being part of a “too big to fail” gambit, as an anonymous former employee interviewed by Motherboard speculates. Facebook might make the claim that their unique scale of user data collection and longstanding infrastructure makes it impossible for them to know exactly what they have, something they might try to parlay into some sort of special regulatory considerations.

Some privacy researchers and advocates see this from the opposite end; essentially a confession by Facebook that it cannot and does not comply with the GDPR (nor potentially any number of other national regulations), and a revelation that could open up fresh scrutiny and legal action. It could also force the hand of the Irish Data Protection Commission in its ongoing investigation into Facebook’s ad business, which had previously appeared to be taking a direction very favorable to the social media giant.