3rd Party Risk Management , 3rd Party Risk Management , Cyberwarfare / Nation-state attacks
DC Attorney General Alleges Violation of Consumer Protection Law(jeremy_kirk) • December 20, 2018 Facebook CEO Mark Zuckerberg at the F8 Developer Conference in San Jose, Calif., on May 1 (Photo: Facebook)Facebook violated consumer protection law by failing to protect personal data that consumers thought they'd locked down using the social networking site's confusing privacy controls, the District of Columbia alleges in a lawsuit filed on Wednesday.
See Also: Five Steps to Masterminding an Effective Security Awareness Program
The lawsuit, initiated by D.C. Attorney General Karl A. Racine, marks the first court action by a state attorney general against Facebook related to Cambridge Analytica, the now-defunct political consultancy that worked for Donald Trump's presidential campaign.
Cambridge Analytica received personal data for 87 million Facebook profiles in violation of the company's policies. Despite knowing of the situation, Facebook did not inform users until two years later, the lawsuit alleges.
A Facebook official reached in Sydney on Thursday says the company did not have an immediate comment on the lawsuit.
The district's lawsuit comes shortly after a bombshell report from The New York Times that Facebook had data-sharing agreements with a range of companies, including Netflix, Spotify, Microsoft, Yahoo, Apple and the Russian search engine Yandex.
The agreements allowed the companies to collect personal data without the direct consent of users, bypassing whatever privacy settings Facebook users had in place, the Times reports. The agreements helped grow Facebook's advertising revenue and boost its number of users.
Facebook's director of privacy and public policy, Steve Satterfield, disputed the Times' characterization of the data sharing, saying in a statement: "Facebook's partners don't get to ignore people's privacy settings, and it's wrong to suggest that they do."
Nonetheless, Satterfield went on to say that Facebook continues to wind down those kinds of integration partnerships.
"We know we've got work to do to regain people's trust. Protecting people's information requires stronger teams, better technology and clearer policies, and that's where we've been focused for most of 2018," he says.
Facebook: Promises Broken
The District of Columbia's lawsuit alleges that Cambridge Analytica is just one of many examples of how Facebook claimed consumers could lock down their data, but nonetheless shared it data anyway without consent.
"Facebook's consumers reasonably expect that Facebook will take appropriate steps to maintain and protect their data," the lawsuit says. "Facebook tells them as much, promising that it requires applications to respect a Facebook consumer's privacy. Facebook has failed to live up to this commitment."
The lawsuit alleges Facebook violated the district's Consumer Protection Procedures Act, which gives consumers the right to truthful information about consumer goods and services.
Five key points within the lawsuit filed by the District of Columbia's attorney general against FacebookBecause the U.S. lacks a federal privacy law, questionable practices that have arisen in the age of aggressive data trading have been dealt with under consumer protection laws that generally forbid deceptive practices. The Federal Trade Commission handles those enforcement actions.
The FTC opened an investigation into Cambridge Analytica in March, but the agency has yet to announce an enforcement action or settlement.
In October, the U.K.'s Information Commissioner's Office fined Facebook £500,000 ($645,000) for violating rules on processing personal data related to Cambridge Analytica. Facebook is appealing the fine, which is the maximum that the ICO can levy (see: Facebook Slammed With Maximum UK Privacy Fine).
On Monday, Ireland's data protection watchdog opened an investigation into two Facebook breaches. One involved the exposure of private photos to app developers, and the other a hacking incident that exposed 50 million accounts (see: Ireland's Privacy Watchdog Probes Facebook Data Breaches and Facebook Breach: Attackers Exploited Privacy Feature.
FTC Investigated Facebook Before
In theory, the Cambridge Analytica scandal and the sharing of personal data without consent with other companies shouldn't have happened because of a previous settlement with the FTC.
In 2011, Facebook reached an agreement with the FTC after the agency filed a complaint that alleged the company deceived consumers through a range of dodgy data-sharing practices. That included allowing third-party apps to have access to far more data than needed to operate.
Also, the FTC alleged that despite if consumers set a privacy control to share data with "Friends Only," third-party apps could still collect their data if a person's friend used a particular app. As of 2011, that practice of apps reaching into friends of friends data should have stopped.
But that continued ability is what amplified the Cambridge Analytica situation. About 270,000 people took the personality quiz, called "thisisyourdigitallife," which was developed by a Cambridge University psychology researcher Aleksandr Kogan. It was deployed for at least two to three months on Facebook in 2014 (see: Facebook and Cambridge Analytica: Data Scandal Intensifies).
But because of Facebook's policies at the time, the app was allowed to collect friends of friends' data, seemingly in violation of the FTC consent decree. The personality quiz scooped up data for 87 million people worldwide. The D.C. lawsuit alleges that Kogan subsequently sold the data to Cambridge Analytica for $800,000, although Kogan has denied that he personally profited.
The lawsuit further says that Facebook's failure to disclose to consumers that their data was improperly harvested is an omission of fact that "tended to mislead consumers and are unfair and deceptive trade practices."
As part of the FTC settlement, Facebook was required to obtain a third-party audit every two years for 20 years. It's unclear why the audits did not highlight the data-sharing practices.
Facebook Disputes Report
The Times report shows that Facebook's data-sharing with third parties was on a much larger and intentional scale, a revelation that is likely to prompt scrutiny from data protection regulators worldwide and more lawsuits.
The Times obtained hundreds of page of internal records from a system that Facebook used to track partnerships. The records show that Facebook continued to share personal data with third parties despite claiming it tightened its controls after it discovered the Cambridge Analytica situation in early 2015.
— Steve Satterfield, Facebook
Microsoft's Bing search engine, for example, had unfettered access to the names of all Facebook users without consent, the Times reports. Netflix, Spotify and the Royal Bank of Canada were allowed full access to users' private messages, apparently to share content using Facebook's Messenger, according to the Times. Facebook addressed this kind of access in a blog post on Thursday, saying the capabilities were made clear to users when they logged into those services using Facebook's Login feature.
Amazon could obtain user names and contact information for friends of friends, and Apple could see contact numbers and calendar entries of people even if the account settings disabled sharing, the Times reports.
Konstantinos Papamiltiadis, Facebook's director of developer platforms and programs, explained in a blog post on Tuesday that the program, known as instant personalization, ran from 2010 through 2014. It was intended to make Facebook features available within other apps when use of Facebook on mobile wasn't as widespread.
Papamiltiadis says that Facebook, however, didn't deactivate the APIs for instant personalization until last year, which was a mistake. Nearly all of the partnerships have now been shut down over the past several months, with the exception of ones with Amazon and Apple. He maintained that users authorized the access to the integration partners because they used their Facebook account to log in to the services.
Satterfield, Facebook's director of public policy, says that partners were "unable to use information for independent purposes." Facebook told the Times that none of the companies have abused the data and that its privacy policy circa 2010 stated that it shared data.
Still, Satterfield repeated what founder Mark Zuckerberg and Chief Operating Officer Sheryl Sandberg have acknowledged throughout this year as Facebook endured a backlash.
"We know we've got work to do to regain people's trust," Satterfield says. "Protecting people's information requires stronger teams, better technology and clearer policies, and that's where we've been focused for most of 2018."