The Washington PostDemocracy Dies in Darkness

U.S. government issues stunning rebuke, historic $5 billion fine against Facebook for repeated privacy violations

The settlement ends a 16-month probe that began after revelations of the tech giant’s entanglement with Cambridge Analytica.

Members of the FTC, including chairman Joe Simons, announced a $5 billion fine to Facebook following a government probe into its privacy practices. (Video: Reuters)

The U.S. government on Wednesday issued an unprecedented rebuke of Facebook after a year of massive privacy mishaps, charging that the company deceived its users and “undermined” choices they made to protect their data as part of a settlement that requires the tech giant to pay $5 billion and submit to significant federal oversight of its business practices.

Sixteen months after opening its investigation, the Federal Trade Commission alleged that Facebook had repeatedly misled its 2.2 billion users. The agency argued that the social-networking company was not upfront about the ways app developers, advertisers and others gained access to users’ personal data — from the content they “liked” to the phone numbers they stored — in a breach of Facebook’s previous promise to improve its privacy protections online.

Read the Facebook order from the FTC here

As a result, the settlement between the FTC and Facebook includes the largest fine in U.S. history for a privacy violation, and it grants federal regulators unparalleled access to the social-networking giant’s business decisions for the next two decades — allowing regulators to scrutinize the actions of Facebook’s leaders, including chief executive Mark Zuckerberg, and its efforts to launch new products and services.

Facebook, however, did not have to admit guilt for its misdeeds.

“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” FTC Chairman Joe Simons said in a statement.

Facebook will have to pay a record-breaking fine for violating users’ privacy. But the FTC wanted more.

But even within the FTC, serious concerns emerged Wednesday that the punishments do not alter the way Facebook collects and monetizes its users’ data in the first place. The fears prompted the agency’s two Democratic members, Rohit Chopra and Rebecca Kelly Slaughter, to vote against approving the settlement earlier this month.

In their first public comment on the settlement, the two Democrats said in their dissenting statements that the fine should have been higher, and the remedies much tougher, if the FTC hoped to truly change Facebook. They also expressed alarm that the agency may have given Zuckerberg, his fellow executives and Facebook a complete pass on any other privacy mishaps that may have occurred in the past, a rare move they said would hamstring the government in holding Facebook accountable again.

While calling the settlement “historic,” Slaughter said she believes that the FTC should have sued Facebook and named Zuckerberg in a lawsuit. “The Commission would better serve the public interest and be more likely to effectively change Facebook by fighting for the right outcome in a public court of law,” she wrote.

The government’s sanctions, which were first reported by The Washington Post earlier this year, still amount to a major, formal rebuke for Zuckerberg in the eyes of his users, workers and investors. Zuckerberg and his fellow executives maintained for more than a year that Facebook never violated the consent decree it struck with the FTC in 2011.

Appearing before lawmakers in April 2018, Zuckerberg offered an apology. “I started Facebook, I run it, and I’m responsible for what happens here,” he said.

Facebook CEO Mark Zuckerberg has been talking about privacy and the protection of personal information for more than 14 years. Here are some highlights. (Video: Melissa Macaya/The Washington Post)

On Wednesday, Facebook’s top lawyer, general counsel Colin Stretch, said the settlement would “mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.” He also announced Facebook had settled another investigation by the Securities and Exchange Commission, which requires the company to pay $100 million after failing to disclose information about its privacy violations to investors.

“We have heard that words and apologies are not enough and that we need to show action,” Stretch said. “By resolving both the SEC and the FTC investigations, we hope to close this chapter and turn our focus and resources toward the future.”

Facebook has told federal investigators it’s open to heightened oversight of its privacy practices

The FTC investigation into Facebook began 16 months ago, nine days after initial reports emerged about the company’s entanglement with Cambridge Analytica, a political consultancy with ties to the upper echelon of the Trump presidential election campaign. With the aid of a quiz app that collected data on users as well as their friends, Cambridge Analytica improperly gained access to 87 million Facebook users’ names, “likes” and other personal details. But the government’s investigation expanded to focus on a host of additional privacy mishaps, including Facebook’s once-secret data-sharing relationships with devicemakers and other third-party apps where users may not have understood what happened to their personal information.

In investigating those practices, U.S. regulators determined that Facebook’s conduct had violated an agreement it reached with the FTC in 2011 to improve its privacy protections. Despite promising the government it would be more transparent, Facebook still “deceived its users” about the ability of apps to access information about them through their friends, the government alleged in its complaint Wednesday. Users had little notice about the practice and limited tools to stop it, and third-party apps continued to access friends’ data even well after Facebook ended the practice in 2014, according to the FTC. Nor did Facebook police those apps to ensure they were handling data properly in the first place, the FTC said in the complaint.

Facebook CEO Mark Zuckerberg said to be under close scrutiny in federal privacy probe

The new settlement requires Facebook to establish a special independent committee within its board of directors to oversee privacy. Compliance officers, approved by the board, must keep watch over the tech giant’s approach to data. And those officials, along with Zuckerberg, must attest quarterly to the FTC that they are complying with the settlement or face civil or criminal penalties, agency officials said.

Meanwhile, a third-party organization will be tasked with reviewing Facebook’s data-collection practices and those of its other services, Instagram and WhatsApp, over the next 20 years. Facebook itself must do more to keep watch over third-party apps while reporting even small security incidents to the FTC.

The layers of reporting requirements are meant to inform the FTC as it tries to keep watch over Facebook. Future violations could carry fines and other penalties for the company, as well as Zuckerberg, according to agency leaders. Their goal: Ensuring the FTC’s new oversight is tougher than the previous settlement, during which Facebook’s watchdogs registered not a single violation with the FTC.

The FTC on Wednesday documented additional alleged abuses at Facebook. The agency alleged the company deceived users by failing to disclose that phone numbers uploaded to enhance their security would be used for advertising purposes, for example, and it charged Facebook misrepresented to millions of users that some facial-recognition features were on by default.

Facebook deceived users about the way it used phone numbers, facial recognition, FTC to allege in complaint

As part of the settlement, Facebook no longer can use phone numbers this way, and it must obtain explicit permission before deploying facial recognition in new forms. The agreement also seeks to remedy other highly publicized abuses at Facebook, including a March 2019 incident in which hundreds of millions of users’ passwords had been stored in plain text. Now, Facebook must encrypt them and scan its databases to ensure that they are, the FTC said.

The FTC on Wednesday also announced actions against Alexander Nix, the former chief of Cambridge Analytica, and Aleksandr Kogan, a developer who made the quiz app for the political firm. Both are now under order with the agency, which the FTC said would “restrict how they conduct business in the future,” given that they “used false and deceptive tactics to harvest personal information from millions of Facebook users.”

Many of the penalties announced Wednesday proved to be much more lenient on Facebook than commission staff initially considered in the earlier days of the probe. At one point, the FTC had considered a fine into the tens of billions of dollars, for example, and it considered placing Zuckerberg personally under order, The Post previously reported.

But the FTC abandoned many of these ideas in the face of Facebook opposition, which could have resulted in a protracted court battle that the government wasn’t guaranteed to win. The agency’s three Republicans — Simons, along with commissioners Noah Phillips and Christine Wilson — defended their decision to settle with Facebook in a joint statement Wednesday. Anticipating critics, they said it would have been “highly unlikely the Commission could have obtained this magnitude of injunctive relief if we had proceeded with litigation.”

In response, the agency’s Democrats argued the FTC had erred in not trying to extract more from Facebook, a company whose profit model Chopra described as “propelled by surveillance and manipulation.” And they expressed fear that the settlement might let Facebook and its leaders “off the hook,” as Chopra put it, for potentially other violations of users’ privacy that occurred before the settlement and may not have been fully investigated.

“I believe that the Commissioners cut off the inquiry too early,” Chopra warned, “leaving too many stones unturned, in favor of this proposed settlement.”