Back in 2011, the Federal Trade Commission struck a deal with Facebook to have its privacy practices audited once every two years by an external company. The system has now been called into question, after its 2017 audit failed to detect behind the scenes activity surrounding the Cambridge Analytica scandal.
Delving deeper, the Electronic Privacy Information Center (EPIC) uncovered a heavily redacted copy of the audit through a Freedom of Information Act request. “After Cambridge Analytica, PricewaterhouseCoopers (PwC), on behalf of Facebook, reported to the FTC that privacy compliances at Facebook were fine and there were no problems,” explained EPIC’s president Marc Rotenberg. “That’s extraordinary! That’s, ‘How could that have happened?’ stuff.”
The document explicitly stated that PwC believed that the social media platform was compliant with all of its responsibilities, prompting concerns surrounding the effectiveness of the FTC’s measures, as well as the thoroughness of external audits.
“In our opinion, Facebook's privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the Reporting Period, in all material respects for the two years ended February 11, 2017, based upon the Facebook Privacy Program set forth in Management's Assertion,” reads PwC’s conclusion.
“As described above, Facebook has identified reasonably foreseeable, material risks, both internal and external, that could result in Facebook's unauthorized collection, use, or disclosure of covered information, and assessed the sufficiency of any safeguards in place to control these risks as required by Part IV of the [consent decree]. PwC performed test procedures to assess the effectiveness of the Facebook privacy controls implemented to meet or exceed the protections required by Part IV of the [consent decree].”
Facebook itself has declined to address the situation, defaulting to Mark Zuckerberg’s response during his hearing with Congress in which the CEO described the act as a “breach of trust” but not “a violation of the consent decree” which required the company to notify the FTC.
KitGuru Says: This is yet another blow to Facebook’s rapport with its community, which it is desperately trying to clamber back. Even if notifying the FTC was less of a legal requirement, it was still the company’s responsibility to its 87 million+ affected users.