It’s been confirmed: insiders said last week that Facebook would be wrist-slapped with a $5 billion fine for losing control of users’ data, and the Federal Trade Commission (FTC) said on Wednesday that yes indeed, that’s what’s happening.
It’s a record-breaking penalty, but it doesn’t satisfy the “break it up” crowd – not at all. Last week, a chorus of Democrats called it a slap on the wrist. An early Christmas present. A drop-in-the-bucket penalty. Chump change. A mosquito bite.
Senator Elizabeth Warren, for one, pointed out that Facebook made $5 billion in profits in just the first three months of last year.
But as the Washington Post reports, over the course of its 16-month privacy investigation, the FTC stopped short of putting some real hurt on Facebook.
Initially, the FTC had entertained the possibility of much tougher punishments, such as a fine that would have reached tens of billions of dollars. Facebook recorded nearly $56 billion in revenue last year.
Ten people familiar with the matter told the Post that the FTC had also considered imposing more direct liability for the company’s chief executive, Mark Zuckerberg. As you might recall, in November 2018, Senator Ron Wyden floated the idea of sentencing execs up to 20 years when they let users’ privacy details slip through their greasy fingers.
Facebook successfully fought tooth and nail to make sure that Mark wouldn’t be wearing orange anytime soon, forcing the commission to back off and settle on the $5 billion wrist-slap. As the Post notes, this is a David and Goliath situation, but David only has marshmallows in his slingshot: Facebook’s revenue last year was about 200 times the budget that federal regulators were working off of.
The gist of Wednesday’s announcement is that the Department of Justice (DOJ) will file a complaint on behalf of the Commission, alleging that Facebook “repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order.”
These tactics allowed the company to share users’ personal information with third-party apps that were downloaded by the user’s Facebook “friends.” The FTC alleges that many users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt-out of sharing.
In addition, the FTC alleges that Facebook took inadequate steps to deal with apps that it knew were violating its platform policies.
That’s a pile of words that add up to “Cambridge Analytica (et al.)”
Cambridge Analytica recap
According to multiple whistleblowers, Facebook basically turned a blind eye to Cambridge Analytica and other developers scraping away its users’ data.
In a lawsuit against Facebook brought by the tiny, your-Facebook-friends-in-bikinis-centered developer Six4Three – and published during the UK’s Parliamentary probe into fake news and the platform’s privacy practices – Six4Three alleged that Facebook turned off the Friends data API spigot as a way of forcing developers to buy advertising, transfer intellectual property or even sell themselves to Facebook at bargain-basement prices.
In other words, the user data that Facebook claimed that Cambridge Analytica wrongly got away with is a bargaining chip, according to the fake news inquiry and the private emails of Facebook staff that the inquiry got out of the Six4Three lawsuit and which it subsequently published.
In October, the UK’s Information Commissioner’s Office (ICO) fined Facebook £500K for the CA saga. $5 billion may well be chump change, but £500K is more like lint from a chump’s pocket.
It’s the best the ICO could do in pre-GDPR days, though. Those days ended when the body handed out what seemed, at least before this $5b bite, to be whopper fines for data breaches at Marriott and British Airways.
Separate action against Cambridge Analytica
At the same time the FTC announced the Facebook fine, it also said that Cambridge Analytica isn’t off the hook. Nor is former Chief Executive Officer Alexander Nix. Nor is Aleksandr Kogan, whose company, Global Science Research (GSR), created the “thisisyourdigitallife” personality quiz that played the starring role of “straw” for sucking in unsuspecting users’ data in the Cambridge Analytica/Facebook debacle.
The FTC is alleging that they employed “deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting.”
The FTC describes how Cambridge Analytica, Kogan and Nix used the information from the personality quiz to train an algorithm that then generated personality scores for the app users and their Facebook friends. Then, they matched the personality scores with US voter records. That matching was like steroids for the company’s voter profiling and targeted advertising services.
The FTC alleges that Kogan re-purposed an existing app he had on the Facebook platform, which allowed the app to harvest Facebook data from app users and their Facebook friends. Then, in April 2014, Facebook shut off the spigot, announcing that no longer would it allow app developers to access data from an app user’s Facebook friends.
… Well, except for the developers who were already chugging along, that is. Facebook gave developers with existing apps another year to keep guzzling data. The FTC alleges that the GSRApp – another name for thisisyourdigitallife – took advantage of that grace period to collect Facebook profile data from 250,000 to 270,000 users in the US, as well as 50 million to 65 million of those users’ Facebook friends, including at least 30 million identifiable US consumers.
The FTC found that nearly half of the app users originally refused to provide their Facebook profile information. So the GSRApp allegedly began sweet-talking them, telling app users that it wouldn’t “download your name or any other identifiable information – we are interested in your demographics and likes.”
Lies, lies, lies, the FTC alleges. While it was sweet-talking, that app was also reaching its hands into users’ data, the FTC says. The GSRApp went right ahead and collected users’ Facebook User IDs, which connect individuals to their Facebook profiles, as well as other personal information such as their gender, birthdate, location, and their Facebook friends list.
Among other allegations of false privacy claims, Kogan and Nix have been prohibited from making false or deceptive statements regarding the extent to which they collect, use, share, or sell personal information, as well as the purposes for which they collect, use, share, or sell such information. The FTC is also requiring them to delete or destroy any personal information collected from consumers via the GSRApp and any related work product that originated from the data. Nix and Kogan have agreed to the settlement.
As far as restricting Facebook goes, the FTC has a new 20-year settlement order that it says will overhaul how the company makes privacy decisions and boosts accountability at the board level. It will establish an independent privacy committee of Facebook’s board of directors, thereby removing “unfettered control” by Zuckerberg over decisions affecting user privacy.
Members of that privacy committee must be independent and will be appointed by an independent nominating committee. Members can only be fired by a supermajority of the Facebook board of directors.
Facebook is also being ordered to appoint compliance officers who’ll oversee its privacy program. They’ll have to pass muster with the new board privacy committee, and the privacy committee is the only one that can remove them.
Zuckerberg and those compliance officers will have to submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. If they try to pull any shenanigans in those certifications, they’ll be liable, as individuals, to civil and criminal penalties.
On Wednesday, Facebook said it’s already made large strides on privacy, but more changes are in the works. Facebook’s Colin Stretch, in a blog post:
We will be more robust in ensuring that we identify, assess and mitigate privacy risk. We will adopt new approaches to more thoroughly document the decisions we make and monitor their impact. And we will introduce more technical controls to better automate privacy safeguards.
Also on Wednesday, the Securities and Exchange Commission (SEC) got in on the act, saying that it would fine Facebook $100 million for misleading investors about the risks it faced from misusing user data.
The Department of Justice (DOJ), which worked with the FTC, said that it “expects Facebook to treat its privacy obligations with the utmost seriousness” going forward.
FTC Chairman Joe Simons:
The relief is designed not only to punish previous violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.