Facebook’s problem: it doesn’t know where all the data went
Probe finds some developers who took data are now out of business or won’t co-operate
Facebook Inc.’s internal probe into potential misuse of user data is hitting fundamental roadblocks: The company can’t track where much of the data went after it left the platform or figure out where it is now.
Three months after CEO Mark Zuckerberg pledged to investigate all apps that had access to large amounts of Facebook data, the company is still combing its system to locate the developers behind those products and find out how they used the information between 2007 and 2015, when the company officially cut data access for all apps. Mr. Zuckerberg has said the process will cost millions of dollars.
One problem is that many of the app developers that scooped up unusually large chunks of data are out of business, according to developers and former Facebook employees. In some cases, the company says, developers contacted by Facebook aren’t responding to requests for further information.
Facebook is now trying to forensically piece together what happened to large chunks of data, and then determine whether it was used in a way that needs to be disclosed to users and regulators. In cases where the company spots red flags, Facebook said it would dispatch auditors to analyze the servers of those developers and interrogate them about their business practices.
Ime Archibong, Facebook’s vice president of product partnerships, said most developers have been “responsive” but noted that the process requires a fair bit of detective work on their end. “They have to go back and think about how these applications were built back in the day,” Mr. Archibong said.
Facebook said in May it has suspended 200 apps for potentially violating its rules. Mr. Archibong declined to provide a detailed update on the status of the investigation or identify the 200 apps that were suspended thus far.
Facebook’s app investigation is a response to broader criticism over revelations earlier this year that data-analytics firm Cambridge Analytica improperly accessed and retained user data obtained from Aleksandr Kogan, a psychology professor at the University of Cambridge. The data, which was gathered by Mr. Kogan and his associates through a personality-quiz app, was used by the Trump campaign in 2016. Facebook eventually notified around 87 million users that their data may have been improperly shared with Cambridge Analytica, though many questions remain about that incident as well.
Facebook was blocked from accessing Cambridge Analytica servers by the U.K. government and doesn’t yet know what data the now-defunct company may have stored.
The results of Facebook’s internal probe could have farreaching ramifications as lawmakers worldwide continue to hold hearings and contemplate tougher regulation of socialmedia platforms like Facebook.
U.S. Sen. John Thune (R., S.D.), the chairman of the Senate Commerce Committee, said at a hearing this month that Facebook
“remains under the microscope” and that lawmakers continue to examine potential measures to protect user privacy.
Some developers say they have little incentive to respond to Facebook’s requests to co-operate with the probe, either because they are out of business, have moved on to other projects or are uneasy about allowing another company to look at their servers and the way their apps are constructed. Such intellectual property is “the lifeblood” of a developer’s business, said Morgan Reed, president of ACT | The App Association, a trade group that represents more than 5,000 app makers and connected-device companies.
In addition, Facebook doesn’t have legal authority to force developers to co-operate.
“They can’t really compel these developers to hand over information,” said Ian Bogost, a professor at Georgia Institute of Technology. “This is not a federal inquiry about a crime or something. It’s a private company. What are the consequences?”
Mr. Bogost is also a game developer, and built a game for the Facebook platform called Cow Clicker. He said Facebook hasn’t contacted him about conducting
a full-scale audit of Cow Clicker, which drew about 180,000 users.
Facebook recently sent him an automated message saying he would have to agree to an appreview process by Aug. 1 to retain access to Facebook’s platform and certain slices of user data, including a user’s friend list, a link to their profile, their gender and age range. Mr. Bogost said he would “probably” go through the review process.
It is difficult for Facebook to track down all the user data gobbled up by developers, owing largely to the way the platform was designed, according to developers, former Facebook employees and academics.
Facebook created its developer platform in 2007, giving outsiders the ability to build businesses by leveraging the Facebook data of users and their friends. Facebook tightened access in 2014 and gave pre-existing apps a one-year grace period to comply with the new rules.
Facebook engineers working on the platform didn’t always document their changes, according to one former employee. At times, apps would stop working because of some unannounced tweak by a Facebook employee and developers would have to complain to get it fixed, developers said.
Over the years, Facebook at times tried to build systems that would allow the company to track down user info gleaned from the developer platform— but those efforts failed in part for technical reasons, former employees said.
The internal investigation is a sign of what Mr. Archibong, echoing other Facebook executives, described as a massive cultural shift within Facebook to focus more on “enforcement as a key component” of its system.
Previously, executives have said, the emphasis was on growth and connecting more users to one another around the world.
Facebook has said its probe will start with apps that had user bases of around 100,000 people or more, or apps that pulled extensive data about a smaller group of people.
Mr. Archibong said potential examples of wrongdoing would be storing personally identifiable information about users and sharing or selling that information, as the company says Mr. Kogan did. Mr. Kogan said at a Senate hearing this month that he was “very regretful” that people were angry to learn about how their data was used but that he didn’t do anything different than other developers.
Mr. Archibong said the vast majority—“99.99999999 per cent”— of Facebook developers are good actors and that the firm doesn’t want to unnecessarily alienate them. Many of the developers involved in the probe “are going to be the same developers that we’re going to be working with five years from now on the newest and latest and greatest stuff and I want them to be excited about our platform,” he added.
Facebook said it has “large teams of internal and external experts” working on the investigations. Mr. Archibong said Facebook still expects the investigation to take “months and months” but added that the timing was “somewhat amorphous.”