Two years after Facebook learned that a university researcher had given political consultancy Cambridge Analytica personal information on millions of Facebook users, a government-mandated outside audit of Facebook’s privacy practices found nothing wrong.
The April 2017 audit, by PricewaterhouseCoopers (PwC), had been required as part of a 2011 consent decree between Facebook and the Federal Trade Commission.
“In our opinion, Facebook’s privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the Reporting Period, in all material respects for the two years ended February 11, 2017, based upon the Facebook Privacy Program set forth in Management’s Assertion,” PwC concluded, in a report submitted to the FTC.
“As described above, Facebook has identified reasonably foreseeable, material risks, both internal and external, that could result in Facebook’s unauthorized collection, use, or disclosure of covered information, and assessed the sufficiency of any safeguards in place to control these risks as required by Part IV of the [consent decree],” the PwC report states. “PwC performed test procedures to assess the. effectiveness of the Facebook privacy controls implemented to meet or. exceed the protections required by Part IV of the [consent decree].”
The contents of the audits, required every two years by the consent decree, have been the subject of much speculation since the Guardian and the New York Times reported in March that Cambridge still had the Facebook data, after telling Facebook it would delete it. Facebook has since said that Cambridge obtained personal information of 87 million Facebook users. PwC’s all-clear conclusion raises questions about the thoroughness of the audits, and the effectiveness of the FTC’s 2011 consent decree.
Facebook declined to comment, but pointed to CEO Mark Zuckerberg’s recent testimony in Congress, where Zuckerberg said Facebook considered the disclosure of personal information a “breach of trust,” but did not think it required notifying the FTC under the consent decree.1 PwC declined to comment. The FTC did not immediately respond to a request for comment from WIRED. The FTC has said that it is investigating whether Facebook violated its consent decree in light of the Cambridge data breach.
The Electronic Privacy Information Center came across a redacted version of the 2017 audit through a request under the Freedom of Information Act, after the FTC told EPIC the report was online. “After Cambridge Analytica, PricewaterhouseCoopers, on behalf of Facebook, reported to the FTC that privacy compliances at Facebook were fine and there were no problems,” EPIC president and executive director Marc Rotenberg said in an interview. “That’s extraordinary! That’s, ‘How could that have happened?’ stuff.”
EPIC’s complaints about Facebook’s unfair and deceptive privacy practices led to the 2011 consent decree and the organization plans to seek a more complete picture of the Facebook audit.
PwC’s description of the tests it performed of Facebook’s privacy practices, and the results, spanning 30 pages of the 54-page report, is redacted in the public version of the report. Rotenberg questioned the redactions, which the FTC said were made in part because of concerns about proprietary or trade secret information. “Why is the FTC not more forthcoming with the public? We don’t believe that the agency should be permitted to hide behind trade secrets. The public need to know is simply too great,” he says.
In 2014, Aleksandr Kogan, an academic at Cambridge University, obtained psychological profiles on roughly 300,000 Facebook users through an quiz app called thisisyourdigitallife. At the time, Facebook’s policies allowed third-party apps to collect data on a user’s friends, which permitted Kogan to collect data on as many as 87 million Facebook users.
Kogan was permitted to collect that information as a researcher, but broke Facebook’s rules by sharing it with Cambridge Analytica. Facebook changed its policies in 2014 to prohibit third-party app developers from accessing data on a user’s friends unless those friends had also authorized the app. “This was a breach of trust between Kogan, Cambridge Analytica and Facebook. But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it,” Facebook CEO Mark Zuckerberg wrote on his Facebook page in March. “We need to fix that.”
1 UPDATED, April 19, 5:35PM: This story has been updated after Facebook declined to comment.