The Peterborough Examiner

Facebook could face record fines, say ex-FTC officials

- CRAIG TIMBERG AND TONY ROMM The Washington Post

Facebook’s disclosure last week that its search tools were used to collect data on most of its 2.2 billion users could potentially trigger record fines and create new legal vulnerability for not having prevented risks to user data, said three former federal officials.

The three former officials, all of whom were at the Federal Trade Commission during the privacy investigation that led to a 2011 consent decree with Facebook, said the company’s latest mishap may violate the decree’s provisions requiring the implementation of a privacy program.

The language was written to require Facebook to identify emerging threats to user privacy as its business practices changed over the 20-year term of the consent decree, said David Vladeck, who was head of the FTC’s bureau of consumer protection when the decree was drafted and signed by Facebook. That meant the company was required to limit its sharing of user data and prevent outsiders from improperly gaining access, he said.

“Is it possible that this episode is also a violation of the consent decree? I would say yes,” said Vladeck, now a Georgetown University law professor.

He predicted that Facebook may face fines of $1 billion US or more for this and a previously reported mishap in which a political consultancy, Cambridge Analytica, improperly gained access to information on up to 87 million Facebook users, of whom 71 million are Americans.

“The agency will want to send a signal ... that the agency takes its consent decrees seriously,” Vladeck said.

Facebook disclosed the latest mishap in a blog post saying that it was disabling two search tools because they had been so widely abused. “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” the post said.

Company officials later explained that “malicious actors” were collecting fragments of personal information on the so-called “dark web” — typically phone numbers and email addresses posted after large-scale data breaches — then using the Facebook search tools to match this information with users of the social media platform.

In this way, criminals could expand their fragmentary information to include the full names of people, along with whatever information was public as part of their profiles, such as their profile photos, hometowns and educational and work experience. Users could block such access by changing their privacy settings to prevent searches based on phone numbers and email addresses. But research has consistently shown that most people stick with default privacy settings and have little understanding of what kinds of data can be collected by outsiders.

The collecting of user information was not a data breach in the traditional sense because Facebook’s systems were not improperly penetrated, and data that users designated as private — such as family pictures or personal notes — were not accessed, according to the company.

But the abuse of Facebook’s search tools enabled the discovery of personal data that otherwise would have remained private. Gaining access to such data is important for criminals looking to steal identities or commit other types of fraud.

Security researchers had warned about such risks for years. One Britain-based researcher, Reza Moaiandin, warned about the problem in an April 2015 blog post titled, “Facebook: Please fix this security loophole before it’s too late.”

In the post, Moaiandin published evidence of exchanges with Facebook in which company representatives appeared to downplay the problem even after he raised it directly with them.

Such prior warnings about the ease of scraping Facebook information could complicate its dealings with the FTC, given that the consent decree focuses on whether a data privacy problem is “reasonably foreseeable” and preventable, said Vladeck and the other two ex-FTC officials.

“Whether or not this violates the order will turn on the reasonableness of Facebook’s actions,” said Jessica Rich, who led the FTC’s probe into Facebook before the 2011 consent decree and now is vice-president for advocacy at Consumer Reports.
