Facebook has agreed to pay a record $5 billion (U.S.) fine and follow new privacy requirements for 20 years to settle American regulators' charges that it violated a 2012 Federal Trade Commission order by deceiving users about their ability to control the privacy of their personal information.

The settlement, announced by the FTC this morning and still requiring court approval, stems from the scandal involving the collection and processing of data from Facebook users by Cambridge Analytica for placing political ads.

In a separate decision also announced today, the FTC said it has laid administrative charges against the now-bankrupt Cambridge Analytica, and it proposed settlements with app developer Aleksandr Kogan and former Cambridge Analytica CEO Alexander Nix which would restrict how they conduct any business in the future and require them to delete or destroy any personal information they collected.

Kogan created a personality quiz for Facebook users. Unknown to them, data on those who participated and on their Facebook friends was used by Cambridge Analytica for targeted ads during the 2016 Brexit referendum and the U.S. federal election. The FTC alleges that Cambridge Analytica, Nix, and Kogan deceived consumers by falsely claiming they did not collect any personally identifiable information from Facebook users who were asked to answer survey questions and share some of their Facebook profile data.

On top of this, the U.S. Securities and Exchange Commission said Facebook has agreed to pay $100 million to settle charges relating to the Cambridge Analytica mess. The SEC alleged that Facebook discovered the misuse of its users’ information by the British firm in 2015, but did not correct its existing disclosure for more than two years. Instead, Facebook continued to tell investors that “our users’ data may be improperly accessed, used or disclosed.”

The proposed FTC Facebook settlement order announced today also imposes what the regulator says are “unprecedented new restrictions” on Facebook’s business operations — including WhatsApp and Instagram — and creates multiple channels of compliance. The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight.

“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC Chairman Joe Simons in a statement. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”

In a post Facebook CEO Mark Zuckerberg said that “We have a responsibility to protect people’s privacy. We already work hard to live up to this responsibility, but now we’re going to set a completely new standard for our industry.”

The proposed settlement was not unanimously approved by the FTC commissioners. “The proposed settlement does little to change the business model or practices that led to the recidivism,” wrote Commissioner Rohit Chopra in his dissenting statement, according to the Associated Press. He noted that the settlement imposes “no meaningful changes” to the company’s structure or business model. “Nor does it include any restrictions on the company’s mass surveillance or advertising tactics.”

Earlier this year Canada’s federal privacy commissioner concluded after an investigation into how users here were affected by the scandal that Facebook committed serious violations of Canadian privacy laws. He recommended the company make changes to the way it operates. However, those suggestions have been rejected.

Meanwhile there is still a joint investigation by the privacy commissioners of Canada and British Columbia into a Canadian firm called Aggregate IQ and its role in the incident. A whistleblower who revealed the Cambridge Analytica scandal has said Aggregate IQ is the Canadian entity for SCL Elections, the parent company of Cambridge Analytica.

Following a yearlong investigation by the FTC, the Department of Justice will file a complaint on behalf of the Commission alleging that Facebook repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order. These tactics allowed the company to share users’ personal information with third-party apps that were downloaded by the user’s Facebook “friends.” The FTC alleges that many users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt out of sharing.

In addition, the FTC alleges that Facebook took inadequate steps to deal with apps that it knew were violating its platform policies.

Greater board accountability

The proposed new Facebook privacy compliance system would create greater accountability for privacy at the board of directors level. It establishes an independent privacy committee of Facebook’s board of directors, removing control by CEO Mark Zuckerberg over decisions affecting user privacy. Members of the privacy committee must be independent and will be appointed by an independent nominating committee. Members can only be fired by a supermajority of the Facebook board of directors.

New compliance officers

Facebook will be required to designate compliance officers who will be responsible for Facebook’s privacy program. These compliance officers will be subject to the approval of the new board privacy committee and can be removed only by that committee—not by Facebook’s CEO or Facebook employees. Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties.

The order also strengthens external oversight of Facebook, the FTC says. The independent third-party assessor’s ability to evaluate the effectiveness of Facebook’s privacy program and identify any gaps would be enhanced. The assessor’s biennial assessments of Facebook’s privacy program must be based on the assessor’s independent fact-gathering, sampling, and testing, and must not rely primarily on assertions or attestations by Facebook management. The order prohibits the company from making any misrepresentations to the assessor, who can be approved or removed by the FTC. Importantly, the independent assessor will be required to report directly to the new privacy board committee on a quarterly basis. The order also authorizes the FTC to use the discovery tools provided by the Federal Rules of Civil Procedure to monitor Facebook’s compliance with the order.

As part of the order-mandated privacy program, Facebook must conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy. The designated compliance officers must generate a quarterly privacy review report, which they must share with the CEO and the independent assessor, as well as with the FTC upon request by the agency.

The order also requires Facebook to document incidents when data of 500 or more users has been compromised and its efforts to address such an incident, and deliver this documentation to the Commission and the assessor within 30 days of the company’s discovery of the incident.

In addition:

  • Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
  • Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
  • Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
  • Facebook must establish, implement, and maintain a comprehensive data security program;
  • Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and
  • Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.
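The password requirement in the list above, the order's "encrypt user passwords and regularly scan ... for plaintext", amounts in practice to storing only salted password hashes and periodically checking the credential store for anything that is not one. The check below is an added example, not code from the article, from Facebook or from the FTC order; the accepted hash formats, the function names and the sample records are assumptions constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Modular-crypt prefixes of password hashing schemes treated as acceptable here.
# This list is an assumption for the example, not the FTC order's wording.
ACCEPTABLE_PREFIXES = ("$argon2id$", "$argon2i$", "$2a$", "$2b$", "$2y$",
                       "$scrypt$", "$pbkdf2-sha256$", "$pbkdf2-sha512$", "$6$")
# A bare MD5 / SHA-1 / SHA-256 digest: not plaintext, but not a password hash either.
BARE_HEX = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$", re.IGNORECASE)


def classify_secret(stored: str) -> str:
    """Return 'hashed', 'unsalted_digest' or 'plaintext' for one stored value."""
    if stored.startswith(ACCEPTABLE_PREFIXES):
        return "hashed"
    if BARE_HEX.match(stored):
        return "unsalted_digest"
    return "plaintext"


def scan_credential_store(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group user ids by verdict so everything that is not 'hashed' can be remediated."""
    findings: Dict[str, List[str]] = {"hashed": [], "unsalted_digest": [], "plaintext": []}
    for user_id, stored in records:
        findings[classify_secret(stored)].append(user_id)
    return findings


# Constructed sample records (hypothetical user ids; hash strings are example-shaped).
SAMPLE_RECORDS = [
    ("u1001", "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG"),
    ("u1002", "$2b$12$C6UzMDM.H6dfI/f/IKcEeO5M6VJvFWWBg3v5dD2RWx4n7y5IyE8W."),
    ("u1003", "hunter2"),
    ("u1004", "5f4dcc3b5aa765d61d8327deb882cf99"),
]

if __name__ == "__main__":
    for verdict, users in scan_credential_store(SAMPLE_RECORDS).items():
        print(f"{verdict}: {users}")
```

Run on a schedule against the real store, the non-empty `plaintext` and `unsalted_digest` buckets are the findings the order's scanning requirement is meant to surface.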

How it started

According to the FTC, the scandal began in 2014 when Kogan created a Facebook application called the GSRapp—sometimes referred to as the “thisisyourdigitallife” app. It asked its users to answer personality and other questions, and collected information such as the “likes” of public Facebook pages by the app’s users and by the “friends” in their social network. The FTC alleges that Kogan and Cambridge Analytica used that data to train an algorithm that then generated personality scores for the app users and their Facebook friends. Those scores were matched with U.S. voter records and then used for voter profiling and targeted advertising.

In April 2014, Facebook had announced it would no longer allow app developers to access data from an app user’s Facebook friends. However, there was a one-year data collection exemption for existing apps on the Facebook platform. The FTC alleges that the GSRapp was able to take advantage of this because Kogan repurposed an app he already had on Facebook to create GSRapp.

Ultimately, the FTC says, the GSRapp collected Facebook profile data from 250,000 to 270,000 people in the U.S. who filled out the survey, as well as 50 million to 65 million of their Facebook friends, including at least 30 million identifiable U.S. consumers.
