
News that Cambridge Analytica obtained data about 50 million Facebook users has reportedly prompted the Federal Trade Commission to investigate whether the social networking service violated a 2012 consent decree.
The FTC investigation comes as a growing chorus of lawmakers are criticizing Facebook over the data harvesting. Several days ago, The New York Times and The Observer of London reported that Cambridge Analytica gleaned ad-targeting data from 50 million Facebook users.
Cambridge Analytica reportedly harvested the data collected by the personality-quiz app thisisyourdigitallife, created by Global Science Research's Aleksandr Kogan. That app was downloaded by 270,000 users, but Kogan was able to gather information about many of those users' Facebook contacts, depending on their privacy settings.
Facebook knew about the data leakage in 2015, but didn't ban Cambridge Analytica from the platform until Friday. On Tuesday, Bloomberg reported that the FTC had opened an investigation into the data transfers. If the FTC finds that Facebook violated the decree, the company could be fined $40,000 per violation.
An FTC spokesperson says the agency is "aware of the issues," but unable to comment on whether it is investigating. FTC investigations are not public.
In April of 2015, Facebook stopped allowing developers to access data about users' friends. But in 2014, when Kogan's app began gathering data, Facebook allowed developers to glean data about downloaders' friends, subject to their privacy settings.
A Facebook spokesperson said Tuesday that the company "respected the privacy settings that people had in place."
"Facebook rejects any suggestion that it violated the consent decree," the spokesperson said.
Some privacy experts say it's not clear that Facebook's role in the data transfers amounts to a violation of its 2012 consent decree with the FTC. That settlement -- which grew out of allegations that Facebook was sharing users' information without their consent -- contains a number of conditions that are intended to protect people's privacy.
Among the most significant is that Facebook is prohibited from misrepresenting its privacy practices. The consent decree specifically bars the company from misrepresenting the extent to which it has made users' information available to third parties, as well as the steps people must take to control their privacy.
Whether Facebook violated those terms may hinge on the specific language in the company's policies in 2014, when Kogan reportedly gathered the data, according to privacy expert Justin Brookman, director of privacy and technology policy for Consumers Union and formerly with the FTC.
For instance, he says, it's possible that Facebook "overstated" the platform rules -- which prohibited app developers from re-selling data about users. "If Facebook made it sound like they enforced the platform rules, that could be a misstatement," Brookman says.
Brookman adds that analyzing the issue requires evaluating the precise language in Facebook's former privacy policy, as well as the user interface surrounding the privacy settings.
Chris Hoofnagle, a professor at UC Berkeley School of Law and the School of Information, adds that the agency may have a difficult case.
"The FTC has the burden to show non-compliance," Hoofnagle says in an email to MediaPost. He added that doing so would require the FTC to "develop a narrative of how Cambridge Analytica was improperly supervised as a developer."
He adds that the FTC would have to argue that "developers keeping data past the platform agreement was a foreseeable risk, and that Facebook had unreasonably poor supervision of compliance."
Facebook isn't the first tech company to face questions about whether it broke the terms of a privacy settlement. In 2012, Google agreed to a $22.5 million fine for allegedly violating an FTC consent decree by circumventing Apple's default privacy settings.