You know what's not a thing you expect to learn about a company whose CEO just spent two days in front of Congress justifying how his company uses data?

That federal regulators said its data practices were A-OK during the same period it was doing its shady business. 

That company is, of course, Facebook, and that "shady business" is the now-infamous Cambridge Analytica scandal. Based on a 2011 agreement, Facebook is subject to an audit of its privacy practices to square with the Federal Trade Commission (FTC) every two years. On behalf of the FTC, PricewaterhouseCoopers (PwC) audited Facebook's practices between February 12, 2015 and February 11, 2017 — exactly the time when Facebook learned of Cambridge Analytica's abuse of data.

Documentation of the audit, heavily redacted but available now on the FTC's web site, shows that PwC was satisfied with what Facebook was doing to protect user data. The report reads: "...The privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the Reporting Period." It's not clear whether Facebook told regulators about the Cambridge Analytica abuses.

"We remain strongly committed to protecting people’s information," Facebook’s deputy chief privacy officer, Rob Sherman, said in a statement reported by multiple outlets. "We appreciate the opportunity to answer questions the FTC may have."

So why was Facebook's privacy standard OK then but now we're all upset about it? Well, as it turns out, these audits tend to be pretty broad and, in the end, don't do much to protect consumers.

"The agency [FTC] regularly touts its important and extensive work as the chief consumer privacy 'cop on the beat.' But this chest-thumping can backfire — consumers may more readily share personal information via online platforms based on a belief that the FTC is guarding against misuse," Megan Gray, a fellow at Stanford Law School’s Center for Internet and Society, wrote in a whitepaper published this week.

During an audit, evaluators don't peer into companies' servers; the audits are mostly based on interviews with employees and executives. “That is completely useless. It’s not just toothless, it’s worse than toothless,” Nate Cardozo, an attorney with the Electronic Frontier Foundation, an organization that defends citizens' digital rights, told Gizmodo. “It’s asking the fox to guard the henhouse. If the FTC had chosen an auditor and required Facebook to open its servers to any question the auditor had, maybe we wouldn’t have gotten to Cambridge Analytica.”

Change is in the air. Many, including Zuckerberg himself, are calling for Facebook to be regulated. Maybe some of the hammer of reform will fall on the FTC, too.
