Mark Zuckerberg, Facebook CEO, at Senate hearingIn the joint Senate hearing, Facebook CEO Mark Zuckerberg rejected the idea that his company violated the Federal Trade Commission (FTC) settlement from 2011, when the agency found that Facebook deceived consumers with its privacy policies. He also said that he didn’t think it was necessary to disclose the Cambridge Analytica data leak in 2015 to either the millions of impacted Facebook users nor to the FTC.
FTC’s 2011 Settlement With Facebook
After many complaints from users and civil rights groups about Facebook’s misleading privacy policies and the fact that the company seemed to keep converting users’ own settings from private to public, the FTC started an investigation against the company in 2010. A year later, the agency concluded that Facebook had “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.”
FTC’s list of complaints against Facebook also included the following:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.
The settlement with the FTC bars Facebook from making anymore deceptive privacy claims such as the ones above and requires the company to get consumers’ approval before changing how it shares their data.
Zuckerberg said in the hearing that when the company learned about Cambridge Analytica and Professor Aleksandr Kogan’s actions to harvest user data, it demanded that both delete any Facebook data they had. Then Facebook relied on Cambridge Analytica and Kogan’s verbal assurances that they deleted the data to consider this a “closed case.”
Senator Bill Nelson from Florida then asked Zuckerberg if he believes the company had an ethical obligation to notify the 87 million users whose data was harvested or the FTC that this happened. Zuckerberg reiterated that the company considered this to be a closed case.
It’s not yet clear if Facebook violated the full agreement with the FTC, which is why the FTC is also investigating the company right now. However, the fact that Facebook didn’t consider it necessary to report a leak or breach affecting tens of millions of Americans, is why the European Union adopted regulations to make it mandatory for companies to report such incidents within three days of discovering them.
When asked whether or not he would agree with similar legislation in the U.S., Zuckerberg answered affirmatively.