Facebook’s disclosure this week that its search tools were used to collect data on most of its 2.2 billion users could potentially trigger record fines and create new legal vulnerability for not having prevented risks to user data, three former federal officials said.
The three former officials, all of whom were at the Federal Trade Commission during the privacy investigation that led to a 2011 consent decree with Facebook, said the company’s latest mishap may violate the decree’s provisions requiring the implementation of a privacy program.
The language was written to require Facebook to identify and address emerging threats to user privacy as its business practices changed over the 20-year term of the consent decree, said David Vladeck, who was head of the FTC’s bureau of consumer protection when the decree was drafted and signed by Facebook. That meant the company was required to limit its sharing of user data and prevent outsiders from improperly gaining access, he said.
“Is it possible that this episode is also a violation of the consent decree? I would say yes,” said Vladeck, now a Georgetown University law professor.
He predicted Facebook may face fines of $1 billion or more for this and a previously reported mishap in which a political consultancy, Cambridge Analytica, improperly gained access to information on as many as 87 million Facebook users, of whom 71 million are Americans.
“The agency will want to send a signal … that the agency takes its consent decrees seriously,” Vladeck said.
The stakes for Facebook are particularly high given the rising political scrutiny of the company in Washington, where Zuckerberg is expected to testify before congressional committees this week.
Facebook declined to comment Friday on the possibility that the collecting of user data by malicious actors could have violated the FTC consent decree. Company officials have repeatedly denied the sharing of user data with Cambridge Analytica violated the decree.
“We’ve worked hard to make sure that we comply” with the consent decree, CEO Mark Zuckerberg said in a call with reporters on Wednesday. “I think the reality here is that we need to take a broader view of our responsibility, rather than just the legal responsibility.”
The FTC last month announced it was investigating the Cambridge Analytica incident, but it declined to comment on Wednesday’s revelation about unauthorized scraping of user data.
Facebook disclosed the latest mishap in a blog post saying it was disabling two search tools because they had been so widely abused.
“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” the post said.
Company officials later explained that “malicious actors” were collecting fragments of personal information on the “Dark Web” — typically phone numbers and email addresses posted after large-scale data breaches — then using the Facebook search tools to match this information with users of the social media platform.
In this way, criminals could expand their fragmentary information to include the full names of people, along with whatever information was public as part of their profiles, such as their profile photos, home towns and educational and work experience. Users could block such access by changing their privacy settings to prevent searches based on phone numbers and email addresses. But research has consistently shown that most people stick with default privacy settings and have little understanding of what kinds of data can be collected by outsiders.
The collecting of user information was not a data breach in the traditional sense because Facebook’s systems were not improperly penetrated, and data that users designated as private — such as family pictures or personal notes — were not accessed, according to the company.
But the abuse of Facebook’s search tools enabled the discovery of personal information that otherwise would have remained private. Gaining access to such data is important for criminals looking to steal identities or commit other types of fraud.
Security researchers had warned about such risks for years. One Britain-based researcher, Reza Moaiandin, warned about the problem in an April 2015 blog post titled, “Facebook: Please fix this security loophole before it’s too late.”
In the post, Moaiandin published evidence of exchanges with Facebook in which company representatives appeared to downplay the problem even after he raised it directly with them.
Wired reported Thursday that another researcher, Brandon Copley, the CEO of Giftnix, raised the same issue with Facebook in 2013 and was told that the company did not consider it a security problem.
Such prior warnings about the ease of scraping Facebook information could complicate its dealings with the FTC, given that the consent decree focuses on whether a data privacy problem is “reasonably foreseeable” and preventable, said Vladeck and the other two former FTC officials.
“Whether or not this violates the order will turn on the reasonableness of Facebook’s actions,” said Jessica Rich, who led the FTC’s investigation into Facebook before the 2011 consent decree and now is vice president for advocacy at Consumer Reports. “Did Facebook know about this at some point and fail to address it?”
Told of the previous warnings by researchers, Rich said, “These would be loud facts for them and may show complete lack of commitment [to making sure] that this data wasn’t vulnerable.”
Violations of the FTC consent decree also carry the possibility of fines that could top $40,000 per “violation.” With more than 200 million Americans using Facebook, the fines could — at least in theory — reach into the trillions of dollars if the FTC found violations. (Facebook last year earned profit of $15.9 billion on $40.7 billion in revenue.) The former FTC officials said the actual fines would be far smaller but could easily top the previous record of the $168 million civil penalty by the FTC against the DISH Network for violating telemarketing rules.
After the FTC announced in 2011 that it would punish Facebook for mishandling its users’ data, it heralded the consent decree as the best way to advance “the privacy interests of the nearly one billion Facebook users around the world.” Officials wrote at the time, “We intend to monitor closely Facebook’s compliance with the order and will not hesitate to seek civil penalties for any violations.”
More than six years later, Facebook serves twice as many users. In the eyes of the FTC’s experts and veterans, the credibility of the agency and its enforcement powers are at stake as it decides what to do about Facebook’s latest privacy problem.
Kovacic, who is the director of the Competition Law Center at George Washington University, said it was the “commission saying, ‘You watch. We’re on it. This shows we’re serious. We’re credible.’ ... If you don’t back that up, I think your program suffers badly.”
A former Justice Department official, Gene Kimmelman, agreed that Facebook faces the possibility of heavy fines but said the focus should be on preventing future privacy problems, with Facebook spending money on fixing its internal policies and systems rather than paying a massive penalty to the federal government.
“Rather than fight about how big a fine they can justify, I hope the FTC will focus on how Facebook must be required to resource a forward-looking solution that prevents this from ever happening again,” said Kimmelman, now president of Public Knowledge, an advocacy group. “It would be a shame to quibble over the precise level of a fine rather than just invest in fixing the problem for good.”
Elizabeth Dwoskin contributed to this report from San Francisco.