Audit Cleared Facebook’s Privacy Practices Despite Cambridge Analytica Leak - WSJ

An auditor reviewing Facebook Inc.’s privacy practices gave the social-media company a clean bill of health in a report to federal authorities last year—well after Facebook discovered that political consulting firm Cambridge Analytica improperly obtained millions of users’ personal data.

“In our opinion, Facebook’s privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information,” the auditing firm, PricewaterhouseCoopers, said in the report to the Federal Trade Commission dated April 12, 2017. A heavily redacted version of the report is posted on the FTC’s website.

The audit, which covers a two-year period ended in February 2017, was required as part of a settlement that Facebook reached with the FTC in 2011 to ensure the company was clearly informing users about the way their data was being used. But PwC’s conclusions raise questions about the vigor of its vetting process at a time of mounting questions about Facebook’s ability to protect user privacy.

During the time covered by the audit, Facebook discovered that an outside researcher broke its data-use rules by sharing user records with other companies, including data-analytics firm Cambridge Analytica, which worked with the Trump campaign in 2016. Facebook learned about the incident in late 2015 through media reports, but didn’t notify affected users or publicly address the issue until this spring.

Included in the April 2017 audit was Facebook’s assessment of its own work. It said its privacy program “contains controls and procedures appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of the covered information.”

It isn’t clear whether Facebook informed PwC or whether it was required to tell the firm about the incident with Cambridge Analytica.

“We remain strongly committed to protecting people’s information. We appreciate the opportunity to answer questions the FTC may have,” Rob Sherman, Facebook’s deputy chief privacy officer, said in a written statement.

PwC didn’t immediately return a request for comment. The FTC declined to comment. The agency has previously said it is investigating whether Facebook violated its consent decree. Facebook has said it didn’t.

Since its disclosure last month, Facebook has struggled to calm a firestorm of criticism from users, advertisers, politicians and officials in the U.S. and Europe about its data-collection practices as well as its loose oversight of user information downloaded by scores of outside developers.

Data from about 87 million users could have been improperly shared with Cambridge Analytica, Facebook said earlier this month. The company also has said “most people on Facebook” could have had information scraped by marketers who used a now-defunct feature that distributed profile data connected to users’ email addresses and phone numbers.

In back-to-back congressional hearings last week, Chief Executive Mark Zuckerberg was repeatedly asked about how Facebook scoops up user data and about the controls it puts in place to secure users’ records. Several lawmakers across the political spectrum expressed support for new regulation of Facebook and other internet platforms.

The FTC in 2011 charged Facebook with deceiving consumers by telling them they could keep their data private, but then repeatedly allowing the data to be shared and made public. A consent decree reached by the two sides in November 2011, and approved in 2012, requires Facebook to give consumers clear and prominent notice and obtain their express consent before sharing their information beyond their privacy settings, among other measures.

Whether Facebook violated its FTC settlement is now a matter of intense debate. If the FTC finds that Facebook violated the decree, the company could face millions of dollars in fines as well as harm to its reputation with users. Last month, 37 state attorneys general sent Facebook a letter demanding explanations for its practices.

Marc Rotenberg, president of the Electronic Privacy Information Center, said the FTC released the latest reports after the group requested it. EPIC was one of the groups that complained about Facebook originally to the FTC, leading to the 2011 settlement.

“Not clear why a company that has asked us to give up so much privacy should be allowed to maintain so much secrecy,” Mr. Rotenberg said.

https://www.wsj.com/amp/articles/audit-cleared-facebooks-privacy-practices-despite-cambridge-analytica-leak-1524190550