The Federal Trade Commission’s Bureau of Consumer Protection confirmed Monday that it has undertaken a non-public investigation into Facebook’s data practices, according to a statement from Tom Pahl, the agency’s acting director. The announcement comes just over a week after The New York Times and The Guardian published explosive reports about the reported improper use of data belonging to 50 million Facebook users by the Trump-campaign affiliated data firm Cambridge Analytica.
This isn’t the first time the FTC has investigated the social network’s data practices. In 2011, Facebook agreed to settle charges—though admitted no actual fault—that it “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” among other overreaches.
The settlement barred Facebook from making further deceptive privacy claims, required it to obtain a user’s explicit approval before changing the way it handles their data, and mandated that Facebook receive periodic assessments of its privacy practices by third-party auditors for the next 20 years. It didn’t carry, however, any financial penalties.
The 2011 consent decree also required that users be notified explicitly if their data is shared beyond the privacy settings they have configured. Specifically, the FTC accused Facebook of telling users that they could limit their data to “Friends Only,” whereas in fact this setting did not prevent their information from being shared with third-party applications their friends used. Facebook finally did change this setting in 2014, but it was too late. Facebook may have violated that portion of the settlement by allowing Aleksandr Kogan, an academic at Cambridge University, to obtain data belonging not only to people who downloaded an app he created, called “thisisyourdigitallife,” but also those individuals’ friends. The data collected from the app was later passed on to Cambridge Analytica, which reportedly retained it even after telling Facebook it had been deleted.
“Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements,” Pahl said in the statement Monday announcing the probe. “Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Today, the FTC is confirming that it has an open non-public investigation into these practices.”
Facebook says it is willing to answer the FTC’s questions. “We remain committed to protecting people’s information. We appreciate the opportunity to answer questions the FTC may have,” Rob Sherman, Facebook’s deputy chief privacy officer, said in a statement.
For privacy advocates, the investigation is a long time coming, but also underscores the FTC’s inability to regulate big platforms. “The confirmation of the investigation is good news. The Federal Trade must bring an enforcement action against Facebook for the violation of the 2011 Consent order,” Marc Rotenberg, the president of the Electronic Privacy Information Center, said in a statement. EPIC has pushed for the FTC to take greater measures to regulate Facebook’s data practices for years.
“Almost everything [the FTC] does is not public, that is a huge drawback to that enforcement approach,” says Michelle De Mooy, the director of the Privacy & Data Project at the Center for Democracy & Technology. She says that even if the FTC finds that Facebook violated its consent decree, the process by which it came to that conclusion likely won’t be made public. The agency’s secrecy makes it difficult to know how its enforcement methods may have failed to prevent Facebook and other online platforms from repeatedly engaging in deceptive privacy practices. “From our perspective it highlights the need for a national privacy law,” De Mooy says. “It would ideally give more enforcement powers either to the FTC or to a new agency.”
If the FTC finds that Facebook failed to comply with the consent decree it agreed to in 2011, the company could be liable for trillions of dollars in fines, according to experts who spoke to The Washington Post. Violations of the agreement could carry a financial penalty of $40,000 per violation, meaning that if the social network mishandled 50 million Americans’ data, it could face fines up to $2 trillion. It’s not clear, though, that the FTC would necessarily seek the maximum penalty—but even a fraction of that could put a strain even on as large a company as Facebook.
UPDATED: March 26, 2018, 1:12 p.m.: This article has been updated to include comment from the Center for Democracy & Technology.
This article was syndicated from wired.com