News reports about Facebook’s role in the aggressive form of data collection also have raised serious questions about whether the company violated a landmark consent decree with a federal watchdog agency designed to prevent privacy violations. Two former U.S. officials who negotiated the 2011 agreement between the Federal Trade Commission and Facebook say the company may have broken its promises, potentially triggering many millions of dollars in fines.
“I would not be surprised if at some point the FTC looks at this. I would expect them to,” said David Vladeck, a former director of the FTC’s Bureau of Consumer Protection. In that role, he oversaw the investigation of alleged privacy violations by Facebook and the resulting consent decree.
Vladeck said the law allows fines up to $40,000 per violation. With a reported 50 million people affected, he said, the “maximum exposure” could reach into the billions of dollars. It is more likely that, if the FTC found violations, Facebook would face far smaller but still substantial fines as well as other consequences.
Facebook has denied violating the agreement with the FTC, which did not respond to requests for comment Sunday. But the surge of political and regulatory scrutiny over the weekend again turned a harsh spotlight on a company that has been scrambling to protect its reputation since allegations emerged about Russian agents using the social media platform in an attempt to manipulate American voters during the 2016 election season and beyond.
The latest revelations concern how people working for Cambridge Analytica, which the Trump campaign paid at least $6 million to assist in its digital operations, used an app to gather research on 270,000 users in 2014 and 2015.
But the number of affected people was many more — probably in the tens of millions — because the data routinely available to app developers in that era also included information on a user’s list of friends, including names, education, work histories, birthdays, likes, locations, photos, relationship statuses, and religious and political affiliations. That kind of information is extremely valuable to political campaigns for tailoring messages, ads and fundraising pitches.
Though both Facebook and Cambridge Analytica have been embroiled in investigations in Washington and London for months, some of this weekend’s demands have taken on a more personal tone, focusing explicitly on Zuckerberg, who has not testified publicly on these matters in either capital.
“They say ‘trust us,’ but Mark Zuckerberg needs to testify before the Senate Judiciary Committee about what Facebook knew about misusing data from 50 million Americans in order to target political advertising and manipulate voters,” Sen. Amy Klobuchar (D-Minn.) said in a statement.
Rep. Adam B. Schiff (Calif.), the highest-ranking Democrat on the House Intelligence Committee, echoed the call for Zuckerberg to appear for questioning on Capitol Hill.
“I think it would be beneficial to have him come testify before the appropriate oversight committees, and not just Mark but the other CEOs of the other major companies that operate in this space,” Schiff said in a phone interview Sunday. “There’s still a lot we’re learning about foreign issues on these platforms.”
Similar calls for official investigation came from several other U.S. lawmakers, the European Union’s justice commissioner and a British lawmaker, Damian Collins, head of a parliamentary committee that has been investigating Facebook and Cambridge Analytica.
“I will be writing to Mark Zuckerberg asking that either he or another senior executive from the company appear to give evidence in front of the committee as part our inquiry,” Collins said Sunday. “It is not acceptable that they have previously sent witnesses who seek to avoid asking difficult questions by claiming not to know the answers.”
At least two state attorneys general, from Massachusetts and Pennsylvania, also have announced plans to investigate.
Facebook declined to comment on the requests for Zuckerberg to testify. The company said in a statement Sunday afternoon that it was renewing efforts to investigate what happened with the data that reached Cambridge Analytica.
“We are in the process of conducting a comprehensive internal and external review as we work to determine the accuracy of the claims that the Facebook data in question still exists,” Paul Grewal, Facebook’s deputy general counsel, said in the statement. “That is where our focus lies as we remain committed to vigorously enforcing our policies to protect people’s information.”
Zuckerberg generally has kept a low profile as controversy over the political uses of the Facebook platform has intensified. He has written blog posts and spoken by video link from Facebook’s headquarters in Menlo Park, Calif. But Zuckerberg has not yet been exposed to the rough-and-tumble of legislative questioning, designating that job to senior attorneys such as general counsel Colin Stretch.
Facebook executives throughout the weekend also resisted allegations that Cambridge Analytica’s actions amounted to a “breach” of its systems because Facebook’s systems were not compromised and the app developer worked within the company’s terms of service, at least initially.
Facebook suspended from its service the parent company of Cambridge Analytica and two of its former employees Friday for improperly sharing the data that was collected through the app and not destroying it at Facebook’s request in 2015. Cambridge Analytica has repeatedly denied wrongdoing or improper use of Facebook data.
“We worked with Facebook over this period to ensure that they were satisfied that we had not knowingly breached any of Facebook’s terms of service and also provided a signed statement to confirm that all Facebook data and their derivatives had been deleted,” Cambridge Analytica said in a statement Saturday.
Facebook said it also is investigating its hiring of Joseph Chancellor, who is identified in corporate documents as an official of the parent company of Cambridge Analytica and is now at the social network, focusing on virtual reality. Facebook would not say whether it was aware of Chancellor’s role at Cambridge Analytica at the time of his hiring.
While a Zuckerberg appearance on Capitol Hill could make compelling political theater, the possibility of renewed investigation by the FTC presents a more immediately serious problem.
The consent decree the agency signed with Facebook in 2011 required that users be notified and that they explicitly give their permission before data about them is shared beyond the privacy settings they have established. The developer of the app that collected data for Cambridge Analytica in 2014 sought permission from those who downloaded the app but not their Facebook friends. The app, called Thisisyourdigitallife, offered personality predictions and billed itself on Facebook as “a research app used by psychologists.”
A key question now is what was allowed under Facebook’s privacy settings at the time Cambridge Analytica’s app was active, and whether those permissions were so broad that they allowed routine violations of the consent decree with the FTC.
In a 2014 news release announcing new restrictions to its developer policies, a Facebook executive wrote, “We’ve heard from people that they are often surprised when a friend shares their information with an app.” That admission may indicate that Facebook users had not been given adequate understanding of how their data and their friend’s data was used by third-party developers such as Cambridge.
Facebook said in a statement Saturday: “We reject any suggestion of violation of the consent decree. We respected the privacy settings that people had in place. Privacy and data protections are fundamental to every decision we make.”
The view held by Vladeck, the former FTC official who is now a Georgetown University law professor, is shared by another former agency official who was closely involved in the crafting of the consent decree. Jessica Rich, who was the deputy director for the Bureau of Consumer Protection and oversaw the FTC’s privacy program in 2011, led the investigation into Facebook before the consent decree.
She said in an email Sunday morning that Facebook’s reported action, if true, “bespeaks the same recklessness with its users’ data that prompted the FTC to take action in 2011.”
Rich, now vice president for advocacy at Consumer Reports, listed multiple conditions in the consent decree that Facebook may have breached, including those about seeking explicit permission from users before sharing their data.
“Depending on how all the facts shake out, Facebook’s actions could violate any or all of these provisions, to the tune of many millions of dollars in penalties,” Rich said. “They could also constitute violations of both U.S. and E.U. laws. Facebook can look forward to multiple investigations and potentially a whole lot of liability here.”
Facebook has long been the subject of intense criticism for its privacy and security practices. Consumer watchdog groups such as the Electronic Privacy Information Center often urged the FTC to investigate the company, saying that it had deceived consumers by changing the way it handled users’ sensitive information with little warning.
The FTC agreed in November 2011, faulting Facebook for making some information, such as users’ friends lists, viewable by the public without first obtaining those users’ explicit permission. The FTC also found that Facebook shared personal information with advertisers despite promising not to do so. The agency raised other issues about apps on Facebook that regulators said had access to more information than they needed to operate.
As a result, the FTC required Facebook to obtain consumers’ consent before “enacting changes that override their privacy practices,” the agency said at the time. It also subjected Facebook to 20 years of independent, third-party privacy checkups to ensure that it followed the settlement.
Years later, though, the latest controversy is spurring demands for more action, with consumer advocates saying the FTC is partly to blame because it did not penalize the social media giant for other privacy mishaps.
“This is the consequence of the Federal Trade Commission’s failure to enforce the 2011 consent order with Facebook,” said Marc Rotenberg, president of the Electronic Privacy Information Center. “The United States needs a dedicated privacy agency and a comprehensive privacy law. The FTC can’t do the job.”
The rising clamor on Capitol Hill for answers was heavier on the Democratic side. But Republican Sen. Marco Rubio (Fla.) also criticized Facebook on NBC’s “Meet the Press.”
“Sometimes, these companies grow so fast, and get so much good press, they get up high on themselves that they start to think perhaps they’re above the rules that apply to everybody else,” Rubio said.