Facebook has not been unused to controversy, especially over the last year. In our most recent blog in relation to the first Annual Report of the new DPC, we pointed out the substantial number of data breaches reported by multinationals. Facebook was one of those multinationals, and the Facebook Token breach became subject to a statutory inquiry by the office of the DPC in Sept. last year. Now, in the US, federal prosecutors are conducting an investigation into data deals Facebook struck with some of the world’s largest technology companies. (NY Times, March 13, 2019 https://www.nytimes.com/2019/03/13/technology/facebook-data-deals-investigation.html)
Grand Jury Investigation.
A grand Jury in NY has subpoenaed records from at least two prominent makers of smart phones and other devices. Partnerships with Facebook gave these makers very broad access to the personal information of possibly hundreds of millions of Facebook users. This had been going on for years, and operated to allow the makers, along with companies such as Microsoft , Apple, Sony and Amazon, to see users’ friends contact information and other information, most often without any consent. These agreements were previously reported in The New York Times. (Link to original article here.) Most of the partnerships have now been phased out. However, while it was in operation, the partnerships effectively gave these partnership companies a blanket exemption from the usual privacy rules.
Hundreds of pages of Facebook documents were obtained by The New York Times. These records, generated as far back as 2017 by the company’s internal system for tracking partnerships, provided the most complete picture yet of the social network’s data-sharing practices. The exchange was intended to benefit everyone. Facebook got more users boosting its advertising revenue, and partner companies acquired features that made their products more attractive. For example,the records show that Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, and gave Netflix and Spotify the ability to read Facebook users’ private messages. Facebook users connected with friends across different devices and websites, reaping benefits for Facebook who had engineered extraordinary power over the personal data of more than 2.2 billon users. Prior to the GDPR, even in Europe, this power was exercised with a shameless lack of transparency and a dearth of substantive oversight.
The latest grand jury inquiry comes amidst the backdrop of the Cambridge Analytica scandal where the political consulting company had improperly obtained the Facebook data of 87 million users and used the data to build tools that helped Trump’s campaign in 2016. This is part of an ongoing investigation by the Justice Department’s securities fraud unit. All along, Facebook’s position was that they had been misled by Cambridge Analytica, and had believed that the data were only being used for academic purposes. “In the furore that followed, Facebook’s leaders said that the kind of access exploited by Cambridge in 2014 was cut off by the next year, when Facebook prohibited developers from collecting information from users’ friends. But the company officials did not disclose that Facebook had exempted the makers of cell phones, tablets and other hardware from such restrictions” (NY Times, June 3, 2018.) https://www.nytimes.com/interactive/2018/06/03/technology/facebook-device-partners-users-friends-data.html?module=inline Neverthless, some of the fine print on a quiz app that collected the data, which Facebook deleted way back in 2005, was evidence that the company knew about the potential for the data to be used commercially.
Facebook’s Wheeling and Dealing.
The pervasive nature of some of the deals that Facebook initiated become clearer when, for example, the evidence shows that one deal empowered Microsoft’s Bing search engine to map out the friends of virtually all Facebook users without their explicit consent, and allowed Amazon to obtain users’ names and contact information through their friends. Apple was able to conceal from Facebook users any indicators that the company’s devices were even asking for data. (NY Times, March 13, 2019). See link at top of blog). This demonstrates the covert level involved. An investigation that is still in progress gives an insight into the business and corporate psyche of the business model that Facebook is proud to espouse. Facebook entered a data sharing consent agreement with the Federal Trade Commission in 2011. In this consent agreement, Facebook were barred from sharing user data without explicit consent.However, agreements which Facebook concluded, benefited more than 150 companies — most of them tech businesses, including online retailers and entertainment sites, but also automakers and media organizations. Their applications sought the data of hundreds of millions of people a month. The deals, the oldest of which date to 2010, were all active in 2017. Some were still in effect in late 2018 (NY Times, Dec. 18, 2018).
Facebook’s spin on it was that the companies they entered into agreements with were, ‘extensions of itself’ and not subject to the specific data sharing rules. After all, one can’t really share a secret with oneself! The service providers were just partners that allowed users to interact with their Facebook friends. Facebook dismissed the notion that they stood to gain substantially from the arrangements, despite admitting that they had not really policed the activities of their partners. Data privacy experts are rightly sceptical that a regulator, as thorough as the Federal Trade Commission, would view these businesses as being ‘alike’. With its experience, the FTC is hardly going to consider businesses as varied as device makers, retailers and search companies as being alike, to such an extent as to be exempt from the regulation. It seems this was Facebook’s opinion. But former chief technologist at the Federal Trade Commission, Ashkan Soltani, saw it as nothing more than a ruse, stating, “The only common theme is that they are partnerships that would benefit the company (Facebook) in terms of development or growth into an area that they otherwise could not get access to”.
In summary, Facebook has trouble on quite a few fronts: the original Cambridge Analytica investigation has now involved Facebook being investigated by both the FBI and the securities fraud unit of the Justice Department; the Federal Trade Commission is close to finalising its investigation into possible violation of the consent agreement ( multi-billion $ fines are anticipated) ; the Justice Department and the Securities and Exchange Commission are investigating Facebook and the U.S Attorney’s Office for the Eastern District of New York is heading a criminal investigation. (Remember, at the moment we are not talking about Europe and GDPR!!) The signs are ominous and expect to hear more from us, and others, on Facebook’s problems in the near future.
On March 19, Rep David Cicilline (D-RI), head of the House of Representatives Judiciary Committee called for the FTC to investigate Facebook on the grounds of anti-monopoly law. https://www.theverge.com/2019/3/19/18272605/facebook-ftc-investigation-congress-republican-david-cicilline
Patrick Rowland, GDPRXpert.ie
We are GDPR and Data Protection Consultants, with bases in Carlow/ Kilkenny and Mayo, offering a nationwide service.
For more details visit www.gdprxpert.ie