Facebook faces fresh privacy actions from regulators

Facebook faces legal action from Canada after it dismissed regulators’ findings that it failed to protect customer privacy. The firm has set aside $5bn to settle a privacy action in the US and faces a new investigation in Ireland

Facebook faced new pressure this week after Canadian privacy regulators found that “superficial and ineffective” privacy safeguards allowed third-party applications, such as games and quizzes, to access the private data of Facebook users.

The Office of the Privacy Commissioner of Canada said this week it would take legal action in Canada against Facebook to force the company to correct its privacy practices, following a joint investigation with the Information and Privacy Commissioner of British Columbia.

The action is the latest in a string of regulatory actions against Facebook by the Irish Data Protection Registrar and New York Attorney General as Facebook negotiates a settlement with the US Federal Trade Commission (FTC) over alleged privacy breaches.

Facebook disclosed this week that the FTC fine would cost between $3bn and $5bn – the largest fine ever imposed against a technology company. “The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome,” the company said.

The Canadian privacy regulators found that Facebook failed to obtain meaningful consent from users to share their personal data, and that of their friends, with third-party applications they signed up to.

“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” said Daniel Therrien, Canada’s privacy commissioner. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.”

Facebook has refused to implement recommendations to address deficiencies in its privacy policies, the Canadian regulators said in a statement, despite its public acknowledgement of a “major breach of trust” in the Cambridge Analytica scandal.

“The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we’ve identified – or even acknowledge that it broke the law – is extremely concerning,” said Therrien.

Harvesting private data

The Office of the Privacy Commissioner of Canada, later joined by the Information and Privacy Commissioner of British Columbia, began its investigation in March 2018, after receiving a complaint that the British company Cambridge Analytica had accessed the private data of tens of millions of Facebook users without their consent.

The company used an app called This is your Digital Life, also known as TYDL, which encouraged users to complete a personality quiz, to harvest the personal data of 87 million people worldwide.

Cambridge Analytica and its parent company, SCL Elections, used the data to create lists of individuals with particular traits, which it then used to target political messages based on their psychological profile.

The regulators found that Facebook had failed to obtain meaningful consent from people to share their personal data or that of their friends with the TYDL app, that the social network company had inadequate safeguards to protect user information, and that it failed to be accountable for the information under its control.

Internal documents reported by Computer Weekly reveal that Facebook’s own employees had raised serious concerns internally about the privacy of their own personal data when they signed into third-party apps, which were not addressed for four years.

Facebook allowed users to post photographs and comments and to keep them private by selecting an option known as Only Me, but it was not as private as Facebook’s own staff thought.

Connie Yang, a product designer at Facebook, discovered that posts she had shared on Facebook apps were not as private as she had thought. They could be seen by other users of the same app. “Isn’t this directly violating what we tell users is Only Me?” she asked in an internal post.

‘Lack of respect’

The Federal Trade Commission is now under pressure to hold Facebook’s CEO personally liable for the company’s repeated breaches of the privacy of American citizens, the Washington Post revealed this week.

The FTC began investigating Facebook in 2018 to assess whether it had breached the terms of its 2011 agreement to improve the protection of data of its users.

In a letter to the FTC, the senator for Oregon, Ron Wyden, referred to an investigation by the UK’s Digital, Culture, Media and Sport Committee, which published internal documents showing Facebook struck special deals to share personal data with other companies.

Further leaked documents have been reported by NBC in the US and Computer Weekly, including details of Facebook’s high-level lobbying of world leaders and politicians in Davos over privacy regulations and its plans to harvest data from Android mobile phone users.

“Given Mr Zuckerberg’s deceptive statements, his personal control over Facebook, and his role in approving key decisions related to the sharing of user data, the FTC can and must hold Mr Zuckerberg personally responsible for these continued violations,” Wyden wrote, according to the Washington Post’s report.

In New York, the US attorney general, Letitia James, announced an investigation into Facebook’s unauthorised collection of 1.5 million users’ email contact databases, which were collected when they signed up to Facebook for the first time.

“It is time Facebook is held accountable for how it handles consumers’ personal information,” said James. “Facebook has repeatedly demonstrated a lack of respect for consumers’ information, while at the same time profiting from mining that data.”

Breaching GDPR

Separately, the Irish Data Protection Commissioner said this week that it had begun a statutory enquiry into Facebook’s compliance with the EU’s General Data Protection Regulation (GDPR), after Facebook notified the regulator that it had discovered hundreds of millions of passwords were stored in plain text on its internal servers.

This comes on top of 15 separate investigations into Facebook for alleged breaches of the GDPR.

In other interventions, a grand jury in New York has subpoenaed records from at least two prominent smartphone manufacturers that have entered into partnerships with Facebook, giving them broad access to the personal information of millions.

The tech giant is being sued in Washington DC, where attorney general Karl Racine has alleged that the company’s “misleading privacy settings” allowed the Cambridge Analytica scandal to happen.
