The Washington PostDemocracy Dies in Darkness

Facebook CEO Mark Zuckerberg said to be under close scrutiny in federal privacy probe

Facebook chief executive Mark Zuckerberg appears on Capitol Hill on April 11 to deliver testimony before lawmakers. (Andrew Hamik/AP)

Federal regulators investigating Facebook for mishandling its users’ personal information have set their sights on the company’s chief executive, Mark Zuckerberg, exploring his past statements on privacy and weighing whether to seek new, heightened oversight of his leadership.

The discussions about how to hold Zuckerberg accountable for Facebook’s data lapses have come in the context of wide-ranging talks between the Federal Trade Commission and Facebook that could settle the government’s probe of more than a year, according to two people familiar with the discussions. Both spoke on the condition of anonymity because the FTC’s inquiry is confidential under law.

Such a move could create new legal, political and public-relations headaches for one of Silicon Valley’s best-known — and most image-conscious — corporate leaders. Zuckerberg is Facebook’s co-founder, chief executive, board chairman and most powerful stock owner, and a sanction from the federal government would be seen as a rare rebuke to him and the tech giant’s “move fast and break things” ethos.

In recent weeks, Zuckerberg has promised to reorient Facebook into a “privacy-focused communications platform” as the company looks to change its “reputation” and focus instead on secure, intimate communications between users along with content that “won’t stick around forever.”

But just this week, Facebook revealed another privacy mishap, admitting it mishandled millions of users’ passwords for Instagram, the company’s photo-sharing app. Facebook tucked news of the development into an old blog post Thursday as Washington scrambled over the release of the U.S. government’s findings from its probe of Russia and the 2016 election. To privacy advocates and congressional critics, Facebook’s move amounted to the latest sign that the company and its leaders have failed to learn from past mistakes — and should face heightened oversight.

“The days of pretending this is an innocent platform are over, and citing Mark in a large-scale enforcement action would drive that home in spades,” said Roger McNamee, an early investor in the company and one of Zuckerberg’s foremost critics.

Facebook said it may have uploaded email contacts of 1.5 million new users since May 2016, in another privacy-related issue faced by the social media company. (Video: Reuters)

In past investigations of Facebook, the U.S. government opted to spare Zuckerberg from the most onerous scrutiny. Documents obtained from the FTC under federal open-records laws reflect that the agency considered, then backed down from putting Zuckerberg directly under order during its last settlement with Facebook in 2011. Had it done so, Zuckerberg could have faced fines for future privacy violations.

Asked about the negotiations, Facebook said in a statement it “hope[s] to reach an appropriate and fair resolution." The FTC declined to comment.

The FTC began investigating Facebook in March 2018 following reports that Cambridge Analytica, a political consultancy, improperly accessed data on roughly 87 million of the social networking site’s users. The federal probe has focused on whether Facebook violated an agreement, brokered with the FTC in 2011, that required the company to improve its privacy practices. Since then, Facebook has acknowledged a series of additional privacy lapses, including its Instagram admission Thursday.

Appearing before Congress last year, Zuckerberg sought to take personal responsibility for a range of his company’s recent missteps, such as Facebook’s entanglement with Cambridge Analytica. “I started Facebook, I run it, and I’m responsible for what happens here,” he told lawmakers. But the Facebook chief still maintained that the company did not commit a “violation of the consent decree” it had struck with the FTC.

Settling that federal inquiry could force Facebook to make significant concessions, including paying a fine ranging into the billions of dollars, The Washington Post previously has reported. It could result in new obligations targeting Zuckerberg, too. One idea that has been raised could require him or other executives to certify the company’s privacy practices periodically to the board of directors, two people familiar with the matter said, along with heightened oversight by the FTC.

Facebook CEO Mark Zuckerberg on March 6 said the company would encrypt conversations on more of its messaging services and make them compatible. (Video: Reuters)

It is unclear if the FTC and Facebook are still contemplating such a requirement, or if they’ve struck an agreement on these or other outstanding matters. But Facebook has fought fiercely to shield Zuckerberg as part of the negotiations, one of the sources familiar with the probe said. Either Facebook or the FTC could choose to walk away from talks, resulting in the matter heading to court.

The idea of holding Zuckerberg accountable — and even subjecting him to penalties for Facebook’s alleged mishandling of users’ data — has gained political traction in Washington. Sen. Richard Blumenthal (D-Conn.) said in a statement that the top executive “wasn’t just aware of Facebook’s invasion of consumer privacy, he signed off on it and publicly downplayed legitimate concerns.”

“Holding Mark Zuckerberg and other top Facebook executives personally at fault and liable for further wrongdoing would send a powerful message to business leaders across the country: You will pay a hefty price for skirting the law and deceiving consumers," Blumenthal added.

Some of the FTC’s own decision-makers also have aired their support for penalties against executives when their companies are under investigation. In a May 2018 memo, Democratic Commissioner Rohit Chopra said the agency “should hold individual executives accountable for order violations in which they participated, even if these individuals were not named in the original orders.” He didn’t mention Facebook by name, and he did not respond to requests for comment.

Zuckerberg still could escape largely unaffected as a result of negotiations with the FTC. If he does, it would not be the first time. More than eight years ago, when the FTC cobbled together its initial settlement with Facebook, agency staff weighed whether to target Zuckerberg personally. An unreleased and undated early draft of the FTC’s consent order against Facebook, obtained by The Post through a Freedom of Information Act request, explicitly named Zuckerberg as a respondent — meaning he would have faced heightened federal oversight and the risk of fines and other penalties in the event of future privacy missteps.

In the end, however, the FTC dropped mention of him from a version of the order shared around April 2011, according to email records obtained from the agency under open-records laws. The agency also considered, then removed, a provision from its early settlement that would have required Facebook to pay an unspecified sum to the government, the records show. The form of punishment, called disgorgement, requires a company to return ill-gotten monetary gains. The draft consent decree included only “xxx” instead of an exact amount, and the language was ultimately removed by the time the FTC announced its agreement with Facebook in November 2011.

This time, FTC veterans have encouraged the agency to take direct aim at Zuckerberg, even putting him personally under order and subjecting him to further federal oversight. David Vladeck, who served as the director of the Bureau of Consumer Protection at the FTC in 2011, criticized the company this week because it “did not take that first consent decree seriously.”

"I would hope any future order names Zuckerberg," he said, adding that doing so "ratchets pressure up on the company to make the CEO responsible."

The FTC’s 2011 consent decree with Facebook requires the company to be more upfront with consumers about the data it collects and obtain their permission before it overrides their existing privacy settings. Facebook also is barred from misrepresenting what it does with users’ data, while submitting to 20 years of privacy checkups.

Talks between Facebook and the FTC have intensified in recent weeks, as the agency’s investigation passed its first anniversary. Top Facebook officials, including general counsel Colin Stretch, met with individual Democratic and Republican commissioners in March, according to two additional people familiar with the agency’s work who spoke on the condition of anonymity because they were not authorized to discuss a private probe.

While the FTC probes Facebook, a number of states’ attorneys general have embarked on their own investigation. Karl A. Racine, the attorney general of the District of Columbia, has filed a privacy lawsuit against the company.

Other agencies, including the Securities and Exchange Commission, have investigated Facebook’s relationship with Cambridge Analytica. And a federal grand jury in March sent subpoenas to two tech companies with which Facebook struck data-sharing agreements, the New York Times reported, noting that the target of such a criminal probe remains unclear.