Two former federal officials who crafted the landmark consent decree governing how Facebook handles user privacy say the company may have violated that decree when it shared information from tens of millions of users with a data analysis firm that later worked for President Trump’s 2016 campaign.
Such a violation, if eventually confirmed by the Federal Trade Commission, could lead to many millions of dollars in fines against Facebook, said David Vladeck, who as the director of the FTC’s Bureau of Consumer Protection oversaw the investigation of alleged privacy violations by Facebook and the subsequent consent decree resolving the case in 2011. He left that position in 2012.
On Sunday morning, Vladeck said in an interview with The Washington Post that Facebook’s sharing of data with Cambridge Analytica “raises serious questions about compliance with the FTC consent decree.”
He added, “I would not be surprised if at some point the FTC looks at this. I would expect them to.”
The FTC did not immediately respond to requests for comment Sunday morning.
Facebook has denied violating the consent decree when it allowed an app developer working for Cambridge Analytica to gain access to information about an estimated tens of millions of people. The group included both the 270,000 Facebook users who downloaded a psychological testing app and the Facebook “friends” of those people. This included the preferences those friends had expressed by hitting the widely used “like” button on social media posts or news stories.
In a statement Saturday, Facebook said, “We reject any suggestion of violation of the consent decree. We respected the privacy settings that people had in place. Privacy and data protections are fundamental to every decision we make.”
Vladeck, now a professor at Georgetown Law, said violations of the consent decree could carry a penalty of $40,000 per violation, meaning that if news reports that the data of 50 million people were shared proves true, the company’s possible exposure runs into the trillions of dollars. Vladeck said that such a fine is unlikely but that the final penalty still could be very large.
“That’s the maximum exposure, though it’s not clear to me that the agency would insist on that kind of a penalty,” he said.
The FTC issue is rising as lawmakers in both the United States and Britain call for answers from Cambridge Analytica and Facebook — in some cases demanding that Facebook chief executive Mark Zuckerberg personally appear at legislative hearings.
The FTC consent decree required that users be notified and that they explicitly give their permission before data about them is shared beyond the privacy settings they have established. The developer of the app sought permission from those who downloaded it but not their Facebook friends. The app, called “thisisyourdigitallife,” offered personality predictions and billed itself on Facebook as “a research app used by psychologists.”
A key question now is what was allowed under Facebook’s privacy settings at the time, and whether those permissions were so broad as to allow routine violations of the 2011 FTC consent decree.
Hundreds of developers -- including those who made popular dating and gaming apps and those who built political apps for campaigns -- used Facebook to gain access to huge amounts of information about users and their Facebook friends. Data that could be easily accessed from friends included names of users, their education and work histories, birthdays, likes, locations, photos, relationship statuses, and religious and political affiliations.
The data collected by the app reportedly was shared with Cambridge Analytica and used to help the firm build profiles of individual voters and their political preferences to better target advertising to them. Cambridge Analytica has denied wrongdoing or improperly acquiring Facebook data.
Such collection techniques were within the bounds of Facebook's data-handling policy at the time, the company has said, but later were severely restricted through policy changes in 2014 and 2015.
Vladeck's view was echoed by another former official who also was closely involved with the crafting of the consent decree. Jessica Rich, who was then the deputy director for the Bureau of Consumer Protection and oversaw the FTC's privacy program, led the investigation into Facebook before the 2011 consent decree.
She said in an email to The Post on Sunday morning that Facebook's reported action, if true, “bespeaks the same recklessness with its users’ data that prompted the FTC to take action in 2011.”
Rich said the consent decree specifically prohibited deceptive statements, required users to affirmatively agree to the sharing of their data with outside parties and required that Facebook report any “unauthorized access to data” to the FTC.
“Depending on how all the facts shake out, Facebook's actions could violate any or all of these provisions, to the tune of many millions of dollars in penalties. They could also constitute violations of both US and EU laws,” wrote Rich, who is vice president for advocacy at Consumer Reports. “Facebook can look forward to multiple investigations and potentially a whole lot of liability here.”
Facebook said in a statement Sunday afternoon that it was renewing efforts to understand what happened with the data that reached Cambridge Analytica.
“We are in the process of conducting a comprehensive internal and external review as we work to determine the accuracy of the claims that the Facebook data in question still exists. That is where our focus lies as we remain committed to vigorously enforcing our policies to protect people’s information,” said Paul Grewal, Facebook's deputy general counsel in the statement.
Before the 2011 consent decree, Facebook had been the subject of intense criticism for its privacy and security practices. Consumer watchdog groups such as the Electronic Privacy Information Center had urged the FTC to investigate the company on grounds that it had deceived consumers, changing the way it handled users’ sensitive information with little warning.
The FTC agreed in November 2011, faulting Facebook for making some information, such as users’ friend lists, viewable by the public without first obtaining those users’ permission. The FTC also found that Facebook shared personal information with advertisers despite promising not to do so. The agency raised other issues about apps on Facebook, which regulators said had access to more information than they needed to operate.
As a result, the FTC required Facebook to obtain consumers’ consent before “enacting changes that override their privacy practices,” the agency said at the time. It also subjected Facebook to 20 years of independent, third-party privacy checkups to ensure that it followed the settlement.
Years later, though, the latest controversy is spurring demands for more action from consumer advocates, who say the FTC is partly to blame because it did not penalize the social media giant for other privacy mishaps.
“This is the consequence of the Federal Trade Commission’s failure to enforce the 2011 consent order with Facebook,” said Marc Rotenberg, president of the Electronic Privacy Information Center. “The United States needs a dedicated privacy agency and a comprehensive privacy law. The FTC can’t do the job.”
Some privacy advocates previously faulted the FTC for its response to a 2014 incident in which Facebook, which also owns the messaging app WhatsApp, began combining user data across its services after initially promising that it would keep them separate.
The incident later drew a formal investigation and fine from the European Union, which charged that Facebook had made misleading statements about its plans and practices. The FTC, for its part, only issued the company a warning letter — and it never appeared to take additional action.