• by Wendy Davis  @wendyndavis, March 20, 2018

News that Cambridge Analytica obtained data about 50 million Facebook users has reportedly prompted the Federal Trade Commission to investigate whether the social networking service violated a 2012 consent decree.

The FTC investigation comes as a growing chorus of lawmakers are criticizing Facebook over the data harvesting. Several days ago, The New York Times and The Observer of London reported that Cambridge Analytica gleaned ad-targeting data from 50 million Facebook users.

Cambridge Analytica reportedly harvested the data collected by the personality-quiz app thisisyourdigitallife, created by Global Science Research's Aleksandr Kogan. That app was downloaded by 270,000 users, but Kogan was able to gather information about many of those users' Facebook contacts, depending on their privacy settings.

Facebook knew about the data leakage in 2015, but didn't ban Cambridge Analytica from the platform until Friday. On Tuesday, Bloomberg reported that the FTC had opened an investigation into the data transfers. If the FTC finds that Facebook violated the decree, the company could be fined $40,000 per violation.

An FTC spokesperson says the agency is "aware of the issues," but unable to comment on whether it is investigating. FTC investigations are not public. 

In April of 2015, Facebook stopped allowing developers to access data about users' friends. But in 2014, when Kogan's app began gathering data, Facebook allowed developers to glean data about downloaders' friends, subject to their privacy settings. 

A Facebook spokesperson said Tuesday that the company "respected the privacy settings that people had in place."

"Facebook rejects any suggestion that it violated the consent decree," the spokesperson said.

Some privacy experts say it's not clear that Facebook's role in the data transfers amounts to a violation of its 2012 consent decree with the FTC. That settlement -- which grew out of allegations that Facebook was sharing users' information without their consent -- contains a number of conditions that are intended to protect people's privacy.

Among the most significant is that Facebook is prohibited from misrepresenting its privacy practices. The consent decree specifically bars the company from misrepresenting the extent to which it has made users' information available to third parties, as well as the steps people must take to control their privacy.

Whether Facebook violated those terms may hinge on the specific language in the company's policies in 2014, when Kogan reportedly gathered the data, according to privacy expert Justin Brookman, director of privacy and technology policy for Consumers Union and formerly with the FTC.

For instance, he says, it's possible that Facebook "overstated" the platform rules -- which prohibited app developers from re-selling data about users. "If Facebook made it sound like they enforced the platform rules, that could be a misstatement," Brookman says.

Brookman adds that analyzing the issue requires evaluating the precise language in Facebook's former privacy policy, as well as the user interface surrounding the privacy settings.

Chris Hoofnagle, a professor at UC Berkeley School of Law and the School of Information, adds that the agency may have a difficult case.

"The FTC has the burden to show non-compliance," Hoofnagle says in an email to MediaPost. He added that doing so would require the FTC to "develop a narrative of how Cambridge Analytica was improperly supervised as a developer."

He adds that the FTC would have to argue that "developers keeping data past the platform agreement was a foreseeable risk, and that Facebook had unreasonably poor supervision of compliance."

Facebook isn't the first tech company to face questions about whether it broke the terms of a privacy settlement. In 2012, Google agreed to a $22.5 million fine for allegedly violating an FTC consent decree by circumventing Apple's default privacy settings.