Facebook failed to police how its partners handled user data

FILE -- Sheryl Sandberg, left, Facebook’s chief operating officer, and Jack Dorsey, the chief executive of Twitter, during a Senate Intelligence Committee hearing on Capitol Hill in Washington, Sept. 5, 2018. For years, Facebook struck deals that gave device makers access to troves of user data. A disclosure to Congress details the company’s lax oversight of those partnerships. (Tom Brenner/The New York Times)

Facebook failed to closely monitor device-makers after granting them access to the personal data of hundreds of millions of people, according to a previously unreported disclosure to Congress last month.

Facebook’s loose oversight of the partnerships was detected by the company’s government-approved privacy monitor in 2013. But it was never revealed to Facebook users, most of whom had not explicitly given the company permission to share their information. Details of those oversight practices were revealed in a letter Facebook sent last month to Sen. Ron Wyden, D-Ore., a privacy advocate and frequent critic of the Menlo Park company.

In the letter, a copy of which Wyden provided to the New York Times, Facebook wrote that by early 2013 it had entered into data-sharing agreements with seven device-makers to provide what it called the “Facebook experience” — custom-built software, typically, that gave those manufacturers’ customers access to Facebook on their phones. Those partnerships, some of which date to at least 2010, fall under a consent decree with the Federal Trade Commission drafted in 2011 and intended to oversee the company’s privacy practices.

Facebook ultimately entered into dozens of similar data-sharing partnerships, most of which the company began winding down this spring after revelations that it had allowed Cambridge Analytica, a political data firm, to acquire the personal information of tens of millions of people. The firm used some of that information in efforts to aid President Trump’s 2016 campaign.

When a team from auditing firm PricewaterhouseCoopers conducted the initial assessment in 2013, it tested Facebook’s partnerships with Microsoft and Research in Motion, maker of the BlackBerry handset. In both cases, it found only “limited evidence” that Facebook had monitored or checked its partners’ compliance with its data use policies. That finding was redacted from a public version of the report released by the FTC in June.

“Facebook claimed that its data-sharing partnerships with smartphone manufacturers were on the up and up,” Wyden said. “But Facebook’s own, hand-picked auditors said the company wasn’t monitoring what smartphone manufacturers did with Americans’ personal information, or making sure these manufacturers were following Facebook’s own policies.” He added, “It’s not good enough to just take the word of Facebook — or any major corporation — that they’re safeguarding our personal information.”

In a statement, a Facebook spokeswoman said, “We take the FTC consent order incredibly seriously and have for years submitted to extensive assessments of our systems.” She added, “We remain strongly committed to the consent order and to protecting people’s information.”

Facebook, like other companies under FTC consent decree, largely dictates the scope of each assessment. In two subsequent assessments, Facebook’s October letter suggests, the company was graded on a seemingly less stringent policy with data partners. On those two, Facebook had to show that its partners had agreed to its data use policies.

A Wyden aide who reviewed the unredacted assessments said they contained no evidence that Facebook had ever addressed the original problem. The Facebook spokeswoman did not directly address the 2013 test failure, or the company’s apparent decision to change the test in question.

Because the United States has no general consumer privacy law, FTC consent decrees have emerged as the federal government’s chief means of regulating privacy practices at Facebook, Google and other companies that amass huge amounts of personal data about people who use their products. In letters and congressional testimony, FTC officials have pointed to the decrees as evidence of consumer privacy protection.

A spokesman for PricewaterhouseCoopers acknowledged in a statement that Facebook defines the privacy procedures, known as “controls,” that are tested during the assessments.

“Changes to controls may occur as platforms evolve, such that a control tested in one period may not be identical in a subsequent period,” the spokesman said.

Facebook’s letter disclosing the assessors’ findings came in response to questions Wyden raised during a hearing in September. It was held just weeks after the Times reported that Facebook had struck data-sharing deals with dozens of phone and tablet manufacturers.

While the assessment reports were publicly released by the FTC in June, they included significant redactions, which Facebook and PricewaterhouseCoopers said were necessary to protect trade secrets.

Wyden, whose staff had viewed the full assessments, said at the hearing that he found parts of the unredacted reports “very troubling” and pressed Sheryl Sandberg, Facebook chief operating officer, to release them.

The Electronic Privacy Information Center, a Washington consumer rights group that helped obtain the 2011 consent decree, is suing the agency for release of the full assessments, arguing that the public cannot otherwise judge how effectively the FTC is policing privacy violations.

“What is clear is that the FTC has failed to enforce the consent order,” said Marc Rotenberg, president of the privacy rights group. “And this has come at enormous cost to American consumers.”

The FTC declined to comment.

Nicholas Confessore, Michael LaForgia and Gabriel J.X. Dance are New York Times writers.