The Washington Post: Democracy Dies in Darkness

How big could Facebook’s fine theoretically get? Here’s a hint: There are four commas, and counting.

Facebook CEO Mark Zuckerberg sat down before lawmakers on April 10, and apologized, explained and defended the tech giant amid controversies over data privacy. (Video: Jenny Starrs, Bastien Inzaurralde/The Washington Post, Photo: Matt McClain/The Washington Post)

Former Federal Trade Commission officials have been pulling out their calculators in recent weeks trying to figure out just how big a fine the commission could levy against Facebook for its latest privacy mishaps. Then they look at the numbers on their screens — if their calculators can even handle 13 digits — and try to put the massive scale into words.

William Kovacic, a former FTC chairman, may have come closest when he jokingly described the potential fine as totaling “more money than there is on the planet.” In other words, the theoretical limit to the fines could reach into the trillions of dollars should the FTC — in the investigation it started last month — find Facebook violated its 2011 consent decree on a scale affecting more than 100 million Americans.

That should be a bracing bit of math for the company. As most of Washington focuses on the political theatrics of Facebook chief executive Mark Zuckerberg making his first appearance on Capitol Hill, it’s the FTC headquarters, an Art Deco-accented building a short walk away, that could pose the greater threat to the company.

There are important caveats, of course.

Caveat No. 1: The FTC has not yet found any new violations, and the investigation is in its early stages. Facebook has repeatedly said it did not violate the consent decree.

Caveat No. 2: Kovacic’s estimate of “more money than there is on the planet,” made in an interview with The Washington Post over the weekend, covers only the actual currency — bills and coins — in the world. This typically is estimated at several trillions of dollars, denominated in various currencies, and not the far larger number held in various accounts.

Caveat No. 3: The FTC would never levy a fine, the former officials agree, that’s so large that it would imperil the future of Facebook. Plus, FTC officials have presumably had some visibility into the company's data practices since 2011, when the consent decree mandated that the FTC monitor Facebook's data privacy practices.

But what’s clear is that the FTC — after years of trying to assert itself as the federal government’s most important watchdog of digital privacy — has a hammer of potentially historic size to wield over Facebook. Should the current group of FTC officials decide to use this hammer, the company could be forced into major concessions that could affect how it collects and handles data — two issues at the core of how the business makes money.

That outcome is arguably more likely than Congress finally passing strong digital privacy legislation and getting it signed by President Trump, after years of legislative inaction.

David Vladeck, a former FTC director of consumer protection who oversaw the consent decree with Facebook, says he expects the commission to find new violations in light of the company’s revelations last week.

Though he downplays talk of fines in the trillions of dollars, he estimates the probable fines in the vicinity of $1 billion, a record for FTC privacy fines.

However large the fines might be, “I certainly think that it gives the FTC leverage,” said Vladeck, now a Georgetown University law professor.

Facebook declined to comment.

But here’s a look at the problem the company potentially faces. If you don’t have a fairly advanced calculator handy, try a spreadsheet on your computer:

In the first column of your spreadsheet, enter 71 million. That’s how many Americans Facebook has said had their data collected by a researcher working with Cambridge Analytica, a political consultancy hired by President Trump and other Republican candidates over the past two federal election cycles. This is the piece that the FTC already has said it’s investigating. It’s also the piece that the former FTC officials are most confident could lead to findings of new violations of the consent decree. (Worldwide, the number of affected users was 87 million, but the FTC covers only violations against Americans.)

In the second column, enter 110 million, or half of its user base in the United States. That’s a rough (and conservative) estimate of how many Americans were affected by the “scraping” issue that Facebook acknowledged last week.

The company said “most” of its users probably had their data collected by “malicious actors” who abused Facebook’s search and account recovery tools. Though the data directly collected from Facebook was public profile data, the company has acknowledged that this scraping allowed the malicious actors to match phone numbers and email addresses collected on the “Dark Web” to identify the full names of users.

It amounts to a backdoor way to use Facebook tools to get sensitive personal information — and both phone numbers and email addresses typically qualify as “personally identifiable information” from a legal perspective — on users. With 220 million Americans using Facebook each month, it's fair to take half that number for this rough calculation.

This group no doubt overlaps in part with the 71 million affected by the Cambridge Analytica data problem, but the FTC could consider each incident a separate violation, effectively combining the two numbers for purposes of calculating a fine. Researchers also had warned Facebook for years of exactly this problem, and yet it continued, adding to the company's legal vulnerability under the consent decree.

So the third column should be the amount of potential FTC fines for each violation of a consent decree such as Facebook’s. That number goes up to a maximum of $41,484.

Now add the first column to the second and multiply that total by the third column.

The answer? $7.5 trillion.

But wait, it gets worse. The kind of data collection that led to Cambridge Analytica gaining access to detailed profile data on 71 million Americans — including their work histories, relationship statuses, their “likes” and much more — was routine for app developers before privacy changes that began in 2014.

Then there is the FTC’s definition of “violation.” Federal statutes give the FTC some latitude in defining the term for the purposes of setting fines. It could be every person affected. It could be every day that people overall were affected. It also could be the number of people affected times the number of days they were affected.

These forms of data collection happened on Facebook over the course of several years, the company has acknowledged. So as a very rough calculation, maybe multiply $7.5 trillion by five years by 365 days. That's not counting extra days for leap years.

At a certain point, of course, the answers to these calculations don’t matter. The FTC is not going to put Facebook out of business.

But the mere threat of a massive fine for Facebook, whose profits last year were $15.9 billion, gives the FTC rare power to demand that the company make changes in how it handles user privacy. These reforms — in terms of new staff to guard against intrusions or revenue forgone in the name of protecting users — could easily cost the company more money than any fine. Whatever the FTC demands, former officials say, Facebook is going to have a hard time refusing.