Facebook under scrutiny as FTC confirms it is investigating privacy practices
The Federal Trade Commission confirmed Monday that it had opened an investigation of Facebook, and the Senate Judiciary Committee called on the company’s chief executive, Mark Zuckerberg, to testify as scrutiny mounts over the social media giant’s handling of user data.
The unfolding crisis at Facebook caused shares to dive nearly 7% on Monday before rebounding to $160.06, just above their opening price. The company’s stock price has fallen 17% from its Feb. 1 high.
The continued backlash follows a weekend in which Facebook tried to contain the controversy by placing full-page ads in U.S. and British newspapers apologizing for the unauthorized leak of user data to Cambridge Analytica, a political consulting firm that reportedly used the information to try to sway voters.
Cambridge Analytica, which worked for President Trump’s campaign, allegedly acquired information from 50 million unsuspecting Facebook users through a quiz app developed by a psychology professor.
The revelation has brought mass attention to the risks of ad-supported platforms, which require users to share personal information in exchange for free access to sites and apps.
That model is now under pressure with the introduction of a European Union law in May that will limit how much user data tech companies can collect and store. Facebook and the wider U.S. tech industry are also under growing pressure at home.
The FTC is looking to see whether Facebook violated terms of a 2011 consent order in which the Menlo Park company agreed to get users’ permission for certain changes to privacy settings.
“The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers,” said Tom Pahl, acting director of the FTC’s Bureau of Consumer Protection, before adding, “The FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook.”
Also on Monday, 37 attorneys general, including California Atty. Gen. Xavier Becerra, sent a letter to Facebook asking about the company’s policies for protecting user data and its role in the “manipulation of users’ data by Cambridge Analytica — without those users’ knowledge.”
Lawmakers in Washington are also looking at the issue more closely, including the Senate Judiciary Committee, which asked Google CEO Sundar Pichai and Twitter CEO Jack Dorsey to testify April 10 alongside Zuckerberg.
The rising backlash against Silicon Valley underscores a potential turning point for an industry that has thrived by bending rules and largely evading significant regulation.
An appearance by the three CEOs of Facebook, Google and Twitter would stand in contrast to congressional hearings about Russian meddling last year, in which the companies sent lawyers and lower-level executives to testify.
Twitter declined to say whether Dorsey would attend next month’s hearing. Facebook and Google did not respond to a request for comment on the hearing.
The office of Sen. Charles E. Grassley (R-Iowa), chairman of the Senate Judiciary Committee, said in a statement Monday that the hearing would broadly cover privacy standards for the handling of consumer data used for commercial purposes.
“It will also examine how such data may be misused or improperly transferred and what steps companies like Facebook can take to better protect personal information of users and ensure more transparency in the process,” Grassley’s office said.
In lieu of congressional action on user data privacy, the FTC has had to serve as the last line of defense in protecting personal information online. That has become increasingly difficult now that almost every industry relies on consumer data obtained online to inform its decisions — resulting in more instances of hacks and breaches of privacy.
“The FTC was never created as a pure data protection authority, but it’s stepped in to fill the void,” said Woodrow Hartzog, a law and computer science professor at Northeastern University. “Even after all the FTC has done, it’s still very limited in substantive authority and in terms of resources.”
The agency has launched investigations of dozens of tech companies over the years, including Uber, Google, Oracle and Lenovo, one of the world’s largest computer manufacturers.
The result has been more disclosures by the companies about what data they collect, which in itself has become another barrier for consumers.
“It’s like mortgages where you get 500 pages of mandatory disclosures,” said Larry Downes, project director at the Georgetown Center for Business and Public Policy. “You need a PhD to figure out where your data goes. If consumers want more control, then consumers have to work harder to figure out what that control means, which defeats the purpose.”
The FTC’s enforcement measures, which are relegated to fines and consent orders, have largely been dismissed as slaps on the wrist for the multibillion-dollar tech companies.
Facebook’s 2011 consent order came after regulators said the company deceived users about how much information it made available to third-party apps, such as a list of all contacts. The order bolstered Facebook’s transparency but did little to slow the social network’s collection of personal data.
That same year, Google agreed to introduce stronger user privacy policies after settling a case with the FTC, which accused the search giant of exposing users’ Gmail contacts to its now defunct social network, Google Buzz.
A year later, the FTC fined Google $22.5 million for violating that agreement after it was found tracking users on Apple’s Safari internet browser.
In both Facebook’s and Google’s cases, experts say the FTC identified a clear example of consumers being deceived about how their information was being tracked, stored and shared.
It will be harder to determine who is ultimately responsible for the Facebook imbroglio with Cambridge Analytica and the professor who developed the app, Aleksandr Kogan, experts added.
On one hand, Facebook has argued that it informed users who downloaded Kogan’s app that their information and some of their friends’ details would be shared. When Facebook learned that Kogan had sold the data to Cambridge Analytica, and in doing so violated the platform’s rules, the company received written assurances from the political consulting firm that the data had been destroyed.
Facebook, however, never informed users their data had been obtained by Cambridge Analytica (Zuckerberg has since pledged to tell them). And it never verified that the data had been destroyed.
In its new investigation, the FTC must determine whether Facebook’s response to the data leak amounts to a breach of its 2011 consent order to give “consumers clear and prominent notice” and obtain “consumers’ express consent before their information is shared beyond the privacy settings they have established.”
Facebook, which restricted the sharing of user data to third parties in 2015, said it welcomed the new investigation.
“We remain strongly committed to protecting people’s information,” Rob Sherman, Facebook’s deputy chief privacy officer, said in a statement Monday. “We appreciate the opportunity to answer questions the FTC may have.”
The investigation will be closely watched to see whether the FTC expands its oversight to punish companies, not for exploiting user data themselves but for providing the means for third parties to exploit it.
“It seems that the allegation that Facebook is culpable rests on the fact that it was a poor data steward,” said Hartzog of Northeastern. “That is, it failed to properly vet third parties and their data practices. But it’s not entirely clear from the consent order just what the exact threshold of good stewardship and due diligence is.
“The real problem here is that consent order is seemingly aimed at preventing certain kinds of deceptive and unfair practices, but the problem revealed by this incident is that the entire system is ripe for exploitation,” Hartzog continued. “That’s a heavy lift for consent orders.”
6:25 p.m.: This article was rewritten and updated with more context about past FTC investigations
3:45 p.m.: This article was updated with details about a Senate Judiciary Committee hearing on data privacy and Facebook stock’s closing price.
10:35 a.m.: This article was updated with comment from the FTC and with description of a letter sent by 37 attorneys general asking Facebook about its privacy policies.
9:55 a.m.: This article was updated with background information about Facebook’s reaction to “abusive apps,” with comments from professor Pai-Ling Yin and with information about Facebook’s access to call and text logs.
8:30 a.m.: This article was updated with more details on the Cambridge Analytica controversy and fallout.
This article was originally published at 8 a.m.