Data Loss , Fraud Management & Cybercrime , Geo Focus: The United Kingdom
Facebook Probed by FTC Over Failures that Enabled Cambridge Analytica Scandal(jeremy_kirk) • January 21, 2019 The U.S. Federal Trade Commission's building in Washington, D.C. (Photo: Faungg via Flickr/CC)The U.S. Federal Trade Commission is close to concluding its investigation into Facebook over the Cambridge Analytica scandal and could levy a record-setting fine, the Washington Post reports.
See Also: Live Webinar | Sunset of Windows Server 2008: Migrate with Docker
It's unclear when any announcement might occur, however, as the FTC is not open due to the government's partial shutdown.
On Monday, a Sydney-based Facebook official told Information Security Media Group that the company has no comment on the report.
The FTC's Facebook probe began in March 2018. But it's not the first time the social network has faced scrutiny from the regulator. Since 2011, in fact, Facebook has been bound by an agreement with the FTC stemming from previous privacy missteps, including sharing data without consent.
Cambridge Analytica, which is now defunct, was a U.K.-based political-consulting firm that briefly worked for President Donald Trump's campaign. It obtained as many as 87 million Facebook profiles from a Cambridge University lecturer in violation of Facebook's policies and without those users' consent (see: Facebook: 87M Accounts May Have Been Sent To Cambridge Analytica).
The blowback over the Cambridge Analytica scandal was both fierce and global.
The U.K. was one of the first enforcers out of the gate. In October 2018, the U.K.'s Information Commissioner's Office levied its maximum possible fine of £500,000 ($645,000) against Facebook. Information Commissioner Elizabeth Denham said a higher fine would have been appropriate if the law had allowed for it, as the EU's General Data Protection now does (see: Facebook Slammed With Maximum UK Privacy Fine).
Improper Sharing?
Facebook's settlement with the FTC in November 2011 put it under a strict monitoring regime, including the provision that for the next 20 years, the social network must submit to third-party audits every two years.
One of the FTC's main aims was to ensure that Facebook obtains consent from users before sharing their data. At the time of the settlement, the FTC alleged that Facebook had misleading privacy controls, making it appear that users could isolate data sharing to "Friends Only."
But third-party apps could still collect data not only from direct users of those apps but also of those friends' friends. The practice should have ended in 2011, and that apparent failure is now one of the triggers for the agency's probe into the Cambridge Analytica debacle.
Around 2014, a Cambridge University researcher named Aleksandr Kogan created a Facebook app called This Is Your Digital Life, a kind of personality quiz. Only about 270,000 individuals directly used it. But when they did, the app grabbed the personal data of their friends, ultimately accessing details for 87 million Facebook users worldwide.
Kogan sold the data to Cambridge Analytica, which specialized in social media influence campaigns. The insight from that personal data would have helped to craft more effective messaging campaigns using Facebook's powerful advertising systems, which allow targeting based on location, age, email addresses and phone numbers, among other characteristics.
When Facebook learned of the Cambridge Analytica situation in early 2015, the company said it tightened the restrictions on what data apps could obtain. But the Wall Street Journal last June reported that despite those restrictions, Facebook still allowed certain partners to obtain personal data and bypass users' privacy settings (see: Facebook to Congress: We Shared More Data Than We Said).
Facebook said in response to the report that it would wind down those partnerships with companies including Spotify, Nissan, Netflix and Microsoft. It also admitted that it failed to deactivate certain APIs that allowed access to data when it retired a feature called "Instant Personalization" in 2014, which integrated Facebook features into other desktop applications.
Ongoing Probes
The Washington Post reports that FTC officials are considering a fine that exceeds the $22.5 million fine that Google agreed to in 2012. In that case, the FTC alleged that Google violated a 2011 agreement by misrepresenting to consumers how they could control their data.
The FTC alleged that Google circumvented a feature in Apple's Safari browser that blocked third-party cookies by default despite telling users they would be opted out of web tracking. Safari accepted temporary cookies, and Google placed a DoubleClick one within the browser's storage. Google then used that cookie to interact with other cookies used by DoubleClick network.
The U.S. lacks a federal data privacy law, although the FTC does have a consumer protection mandate. Accordingly, the agency can and does act on privacy matters if it suspects that companies may have deceived consumers. If the FTC concludes that an organization has violated consumer protection rules, it lacks the ability to fine the organization outright. Instead, it can negotiate a settlement with the organization, which may include the provision that any further violations will carry specific sanctions, including a fine.
Some U.S. states also have ongoing investigations related to Cambridge Analytica. In December 2018, the District of Columbia filed the first lawsuit at a regional level. Starting around March 2018, New York, Massachusetts, New Jersey, Connecticut and Pennsylvania also launched their own investigations (see: Facebook Sued in U.S. Over Cambridge Analytica).
The D.C. lawsuit alleges that Facebook's confusing and misleading privacy controls gave users false assurances that their data would not be shared. The district alleges Facebook violated the district's Consumer Protection Procedures Act, which gives consumers the right to truthful information about consumer goods and services.
Meanwhile in Europe, Ireland's data protection authority is investigating two Facebook data breaches.
In September 2018, Facebook said that a bug in a photo API exposed upwards of 6.8 million private photos to more than 800 app developers over a 12-day period (see: Ireland's Privacy Watchdog Probes Facebook Data Breaches). Less than a month later, Facebook said hackers exploited three separate bugs to access as many as 50 million accounts. The bugs, which were present for more than a year, mistakenly generated access tokens for private accounts (see: Facebook Breach: Attackers Exploited Privacy Feature).