Facebook Fails to Police Device Makers’ Use of Personal Data

Last month, Facebook admitted that it failed to properly oversee the seven device manufacturers that the company allowed to access personal data of hundreds of million of people in order to build a so-called Facebook Experience. The Silicon Valley company detailed its errors, which was detected by its own government-approved privacy monitor in 2013, in a letter to Senator Ron Wyden (D-Oregon), a privacy advocate and frequent Facebook critic. Meanwhile, Facebook users whose data was compromised have not been alerted.

The New York Times reports that most of the impacted Facebook users “had not explicitly given the company permission to share their information.” The seven device makers used the data to build custom software to allow their customers to access Facebook on their phones. Because the partnerships dated back to “at least 2010,” they “fall under a consent decree with the Federal Trade Commission drafted in 2011 and intended to oversee the company’s privacy practices.”

That opened the floodgates to Facebook forming “dozens of similar data-sharing partnerships,” until the Cambridge Analytica scandal forced it to retreat from these arrangements.

In 2013, PricewaterhouseCoopers, conducted the first FTC-mandated assessment and found “limited evidence” that Facebook had monitored compliance with two partnerships, Microsoft and Research in Motion. But when the FTC released a public version of the report in June, this finding was redacted.

“Facebook’s own, handpicked auditors said the company wasn’t monitoring what smartphone manufacturers did with Americans’ personal information, or making sure these manufacturers were following Facebook’s own policies,” said Wyden. “It’s not good enough to just take the word of Facebook — or any major corporation — that they’re safeguarding our personal information.”

A Facebook spokeswoman responded that the company remains “strongly committed to the consent order and to protecting people’s information.”

Facebook and other companies under FTC consent decree “largely [dictate] the scope of each assessment,” and a Wyden aide who read the unredacted assessment said that, “they contained no evidence that Facebook had ever addressed the original problem.” The Electronic Privacy Information Center, a consumer rights group that helped obtain the 2011 consent decree, is suing the FTC “for release of the full assessments, arguing that the public cannot otherwise judge how effectively the FTC is policing privacy violations.”

“What is clear is that the FTC has failed to enforce the consent order,” said the organization’s president Marc Rotenberg.

NYT adds that, “because the United States has no general consumer privacy law, FTC consent decrees have emerged as the federal government’s chief means of regulating privacy practices at Facebook, Google and other companies that amass huge amounts of personal data about people who use their products.”

Related:
Delay, Deny and Deflect: How Facebook’s Leaders Fought Through Crisis, The New York Times, 11/14/18
Facebook at War: 6 Key Takeaways From The Times’s Investigation, The New York Times, 11/14/18