Facebook's mishandling of its users’ personal information prompted stiff penalties from the U.S. government in 2011 — including a requirement that the social giant submit to regular privacy checkups for the next two decades.
However, Facebook got to handpick its own reviewers, global accounting firm PwC, which didn’t appear to catch marketers, political consultants and malicious actors as they tapped public and private profile data on Facebook without users’ permission or knowledge, even years after the social giant’s first major privacy mishap.
To government officials and consumer watchdogs alike, it’s a sign that a key element of Washington’s chief mechanism for overseeing Facebook — and many of its privacy-infringing tech industry peers — isn’t sufficiently independent and may lack teeth.
“It’s a struggle to make sure third-party assessments are truly independent,” said Terrell McSweeny, a Democratic commissioner at the Federal Trade Commission, the agency that brokered the settlement with Facebook and other tech companies.
In an interview, she said the FTC would benefit from “additional resources to look into the information that goes into those assessments.”
The FTC is investigating Facebook again over its entanglement with Cambridge Analytica, a political consultancy that improperly accessed 87 million users’ names, “likes” and other personal information. Facebook also has acknowledged that malicious actors scraped public profile data from practically all its 2.2 billion monthly users. If the agency ultimately finds that the company violated its previous settlement, it could face steep fines — potentially into the billions of dollars.
In a statement, Facebook said, “We take our commitments to the FTC seriously, including the ongoing audits of our privacy program.”
Yet Facebook isn’t the only company under such oversight at the FTC. The agency has brokered similar agreements in recent years with tech giants like Google, Twitter and Uber for their data mishaps, requiring each of them to undergo regular privacy assessments by a third party, which would then report its findings back to the FTC. The mechanism spares the cash-strapped, understaffed agency from having to fund efforts to monitor these multibillion-dollar global enterprises.
A spokeswoman for the FTC said in a statement that it’s “able to effectively and efficiently carry out our mission to protect consumers and enforce the consent decrees we reach with companies.”
Yet these companies have immense power over their own oversight. They get to hire the firms that they want to do their regular privacy reviews and, in some cases, set the criteria for that evaluation. The FTC is supposed to approve and monitor the process, but the agency’s own leaders and veterans recognize there are potential conflicts of interest in the arrangement.
“As a country, do we want to do this on the cheap, or do we want to do this the right way? And in a sense, we’ve been trying to do it on the cheap,” said William Kovacic, a former Republican FTC commissioner who is now at George Washington University’s law school.
For its review, Facebook chose PwC, which used to be known as PricewaterhouseCoopers. Its report about Facebook covering the period from 2015 to 2017 — a time during which Cambridge Analytica may have tapped Facebook data to create “psychographic” profiles of voters — found Facebook’s privacy controls “were operating with sufficient effectiveness,” according to copies of its reviews obtained through open-records requests by the Electronic Privacy Information Center, or EPIC, a watchdog group.
The 54-page document is heavily redacted, obscuring exactly what PwC studied in the first place — and how Facebook responded. It isn’t clear whether assessors had any access to Facebook’s powerful algorithms or secret source code. By the firm’s own admission, it was not supposed to monitor Facebook’s compliance with “privacy-related laws, statutes, and regulations,” just Facebook’s strict adherence to the FTC’s settlement. Earlier reports since 2012 show a similarly clean bill of health. Not one of them is signed by a specific author.
A spokeswoman for PwC declined to comment on its work.
For now, EPIC said it would challenge the government in a bid to see an unredacted version of Facebook’s privacy assessment. “[It’s] not clear why a company that has asked us to give up so much privacy should be allowed to maintain so much secrecy,” Marc Rotenberg, the executive director of the organization, said in a statement. EPIC’s original complaint led to the FTC’s 2011 settlement with Facebook.
To consumer protection advocates, the troubles long have transcended Facebook.
For years, researchers have raised objections to the way that the FTC keeps watch over companies it has previously penalized. In 2016, Chris Hoofnagle, a law professor at the University of California at Berkeley, expressed unease with the third-party evaluators studying another tech giant in trouble with the FTC: Google. The company settled with the agency in 2011 for automatically enrolling some users in its now-defunct social network, Buzz.
The first report on Google’s privacy practices, prepared by PwC during 2011 and 2012, numbered only 30 pages, Hoofnagle wrote, a potential deficiency given the company’s sprawling work in everything from search to self-driving cars. And Google’s submission to the FTC contained “not a whiff of noncompliance” — even though during that same period Google faced charges in court and throughout the federal government that it snooped on consumers’ Internet traffic and scanned users’ emails in potential violation of federal wiretapping law.
To be sure, the FTC hasn’t sat idly: At the prodding of privacy groups, for example, it later fined Google more than $22 million for violating its settlement because of the way it had tracked some users’ browsing habits. The agency generally accepts and reviews complaints from consumers and competitors alike.
But experts would still like to see the FTC strengthen its own tools for scrutinizing tech companies’ privacy practices — particularly at a time when the agency is transitioning in the coming weeks to new leadership and a full roster of new commissioners.
To that end, Megan Gray, an FTC aide and fellow at Stanford Law School’s Center for Internet and Society, called on the agency in a new research paper last week to consider changes to the way it brokers and enforces its own settlements with companies like Facebook, Google and Uber. Under her proposals, the FTC would play a more active, direct role in overseeing companies’ privacy checkups. And those firms would have to turn over more information to the FTC so that watchdogs can ensure they’re protecting consumers’ privacy.
In response, an FTC spokeswoman said that Gray is not working on privacy or data security investigations at the agency, including its probe into Facebook. “Her article and any of her other related comments represent her personal opinion and not the views of the FTC,” the spokeswoman added.
Without changes, experts say that the agency is doomed to continue missing major privacy mishaps — at Facebook or the many other tech giants in its purview.
“These assessments are not designed in a way that provides accountability for companies,” said Michelle De Mooy, the director of the privacy and data project at the Center for Democracy and Technology.