Facebook's privacy practices are audited every two years, and the most recent audit found no problems — even though it covered the time Facebook knew that data-mining firm Cambridge Analytica had improperly obtained private data from millions of users.
The audit by PricewaterhouseCoopers is available on the Federal Trade Commission's website, though it is heavily redacted. It covers Feb. 12, 2015, to Feb. 11, 2017.
Facebook agreed to outside audits every two years as part of a 2011 settlement with the FTC over the company's privacy practices. The FTC's complaint against Facebook at the time included claims that Facebook deceived users about what amount of their information would be kept private from third-party apps.
It is not clear from the 2017 audit, as posted online, whether Facebook told PwC about the Cambridge Analytica issue.
In the 54-page audit — more than half of which is fully redacted — PwC says: "In our opinion, Facebook's privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information."
This month, it became clear that the personal information of as many as 87 million Facebook users was improperly shared with Cambridge Analytica.
That happened after a psychology professor developed a quiz app that enabled him to collect data from nearly 300,000 people who chose to use the app. He also was able to collect data from their Facebook friends. The professor then broke Facebook rules by sharing the data with Cambridge Analytica, a data-mining and political consulting firm that worked on President Trump's campaign and reportedly used the data to identify swing voters.
PwC declined to comment, but Facebook said Friday that keeping data secure is a priority. "We remain strongly committed to protecting people's information," Rob Sherman, Facebook's deputy chief privacy officer, said in a statement. "We appreciate the opportunity to answer questions the FTC may have."
The fact that PwC found no issues could raise questions about whether such audits are useful.
In its 2011 complaint, the FTC said Facebook told users that third-party apps they installed would have access to only as much information as the apps needed to operate — but, the FTC said, the apps took far more. The agency also alleged that personal information labeled as to be shared only with friends had been shared with third-party apps when a friend installed the apps. The FTC also accused Facebook of sharing personal information with advertisers.
Facebook did not admit to violating any law. The settlement noted that the company denied the FTC's allegations. But Facebook agreed to get express consent from users before changing how it shares their information.
In 2011, FTC officials noted in a conference call with reporters that the proposed settlement was written broadly — to extend to other potential privacy breaches not explicitly covered in the settlement.
The 2011 consent decree bound Facebook to a 20-year privacy commitment. In his congressional testimony last week, Facebook Chief Executive Mark Zuckerberg said he did not remember if the agreement carried a financial penalty.
It does. Any violations of the 2011 agreement could subject Facebook to fines of $41,484 per violation per user per day. To put that in context, Facebook could theoretically owe about $8 billion for one single-day violation affecting all its U.S. users, or about half the profit that the company booked for all of last year.
Facebook is also under a separate investigation by the FTC because of the Cambridge Analytica scandal. The agency is looking at whether Facebook has engaged in "unfair acts" that cause "substantial injury" to consumers.
Times staff writer Jaclyn Cosgrove contributed to this report.
10:30 a.m.: This article was updated with additional details and context.