“I think the more unauthorized sharing that comes out, the more the FTC is going to be inclined to impose a significant civil penalty on Facebook,” said David Vladeck, a top official at the agency when it punished Facebook in 2011.
On Capitol Hill, Sen. Richard Blumenthal (D-Conn.) said the new reports showed that Facebook “has failed to come clean with the American people about the extent, the scope and the scale of data sharing. The secret agreements raise serious credibility issues about recent testimony.”
Later Monday, Sen. Mark R. Warner (Va.), the top Democrat on the Senate Intelligence Committee, raised another concern: whether Facebook ever had allowed Huawei and ZTE, two Chinese-based telecom firms, to access Facebook data.
Some in the U.S. government long have argued that China could use Huawei and ZTE to spy on Americans — charges the telecom firms deny. For now, though, Warner has questioned Facebook about any potential relationships, a spokeswoman said. Facebook so far has declined to detail the full list of roughly 60 firms that benefited from access to some of users’ data.
An arrangement with Apple, for example, allowed Facebook users to download profile photos for their friends and use them in their iPhone contact lists. Apple contends it did not store the data for itself.
An older BlackBerry device, meanwhile, appeared to access many categories of data, including messages, while tapping data about friends and others one step removed on the network, the Times found. In response, Usher Lieberman, a spokesman for BlackBerry, told the Times that the company “has always been in the business of protecting, not monetizing, customer data.”
Facebook declined Monday to detail a full list of device-makers with which it had brokered such arrangements. But the company said it phased out its system in April. It acknowledged that device-makers may have kept data on their servers. And Facebook said in a blog post that it is “not aware of any abuse by these companies.”
In the United States, the tech giant’s treatment of its users’ sensitive information triggered new questions as to whether Facebook violated a settlement it brokered with the FTC in 2011 over a different privacy issue. At the center of that consent decree is a requirement that Facebook be more transparent about the data it collects about its users.
The agency is already investigating whether Facebook ran afoul of that accord in another matter — allowing a political consultancy, Cambridge Analytica, to access 87 million users’ personal data, including the pages they had “liked” on the site. The potential for additional infractions may only compound Facebook’s legal woes.
“This company from what I’ve seen has disregarded a consent decree and behaved in a way that is inimical to consumers’ interest,” Vladeck said. “You shouldn’t be able to lie to people.”
Vladeck said additional penalties could include a court-ordered monitor of Facebook’s business practices, injunctions against particular ways of using of consumers’ data or heightened monitoring by the FTC.
In Congress, meanwhile, some Democratic lawmakers on Monday also rebuked Facebook CEO Mark Zuckerberg. In April, multiple committees on Capitol Hill peppered him with questions about Facebook’s dealings with Cambridge Analytica. The lawmakers said the new reports only heightened the need for additional scrutiny — in Congress and at the FTC — focused on Facebook’s business practices.
“Facebook and other data collectors, including these device manufacturers, should be prepared to come before Congress so that we can get a better grasp of the entire data collection ecosystem,” Rep. Frank Pallone Jr. (N.J.), the top Democrat on the House Energy and Commerce Committee, said in a statement.
Sen. Amy Klobuchar (D-Minn.) later said in a statement that the incident demonstrated the need to pass comprehensive online-privacy legislation, which she offered earlier this year. “I’m extremely concerned that we are just now learning that even more personal user data was provided without consent,” she said.
Legally, Facebook’s fate may rest on a few key phrases.
Under the 2011 decree with the FTC, Facebook is required to obtain permission before sharing a user’s private information with a third party in a way that exceeds that user’s existing privacy settings. The agreement defines “third party” to include a host of other individual entities, potentially including advertisers or appmakers. But it exempts “service provider[s]” who help Facebook carry out basic functions of its site.
To that end, Facebook contends that companies such as Samsung or BlackBerry in these cases are suppliers, not third parties. In a blog post, a company executive also said Monday that “friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends.”
“These contracts and partnerships are entirely consistent with Facebook’s FTC consent decree,” Ime Archibong, Facebook’s vice president of product partnerships, in a statement.
Vladeck said regulators could see it differently. “Facebook has not really explained how it obtained consent for the sharing of this data,” he said in an interview. “It may be they see [device-makers] as first parties, but they’re plainly not under the consent decree.”
The FTC declined to comment. One of the commission’s Democratic members, Rohit Chopra, declined to discuss Facebook but said more generally in a statement: “FTC orders are not suggestions. If a company violates them, there can and should be serious consequences.”
In New York, meanwhile, state Attorney General Barbara Underwood also pledged to investigate the matter, adding to the state’s existing probe of Facebook’s relationship with Cambridge Analytica. “Consumers have the right to know how their personal information is being used, and the companies we trust with our information have a critical responsibility to protect it,” Underwood said in a statement.