Facebook knew in 2015 that President Trump's consultancy, Cambridge Analytica, harvested personal data of millions of users, but nonetheless received a positive privacy report from auditing firm Pricewaterhouse Coopers.
"In our opinion, Facebook's privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the Reporting Period, in all material respects for the two years ended February 11, 2017, based upon the Facebook Privacy Program set forth in Management's Assertion," the report states.
Pricewaterhouse Coopers' audit was the result of a consent decree between the Federal Trade Commission and Facebook. In 2011, Facebook agreed to a host of terms, including biennial privacy audits, to settle an investigation into allegations that it had shared users' information without their permission.
A version of the audit was quietly posted online several months ago, but didn't draw attention until Thursday afternoon, when the advocacy group Electronic Privacy Information Center became aware of it.
The report contains many passages that are marked "highly confidential," and have been made unreadable. Marc Rotenberg, EPIC's president and executive director, says he is still pushing for a more complete version of the report.
Last month, it came to light that Cambridge Analytica obtained information about up to 87 million Facebook users from researcher Aleksandr Kogan, who gleaned the data in 2014 through the personalty-quiz app "thisisyourdigitallife." Only 270,000 Facebook users downloaded Kogan's app, but he was able to gather data about many of those users' contacts.
In 2014, when Kogan's app began gathering data, Facebook allowed developers to glean data about downloaders' friends, subject to their privacy settings. A Facebook spokesperson said Tuesday that the company "respected the privacy settings that people had in place."
Facebook learned in 2015 that Cambridge Analytica had obtained the data from Kogan, and asked the consultancy to destroy it. The social networking service says it believed at the time that Cambridge Analytica did so. But Facebook didn't inform users about the data transfers until several weeks ago. The company also didn't ban Cambridge Analytica from its platform until last month.
Many privacy advocates have criticized Facebook over its handling of the situation, and the FTC is currently investigating whether the company violated the consent decree.
EPIC's Rotenberg notes that his organization has long raised concerns about Facebook's privacy practices with the FTC. Several years ago, for example, EPIC asked the FTC to stop Facebook from merging data about its users with WhatsApp. The FTC didn't act on that complaint, but officials in Europe fined Facebook $122 million for misleading officials about the company's ability to automatically combine data about its users with those of the messaging service WhatsApp. EPIC also filed the FTC complaint that resulted in the 2011 consent decree.
Rotenberg calls the conclusions in the Pricewaterhouse Coopers report "extraordinary," adding that the report marks an "absolute failure" of the oversight mechanisms.
He also faults the FTC for failing to take action against Facebook before the news about Cambridge Analytica came out.
"There were any number of claims that could have been pursued by the FTC prior to Cambridge Analytica," Rotenberg tells MediaPost. "With Pricewaterhouse Coopers saying everything looks fine, something is clearly off the rails."
Last week, Zuckerberg addressed the FTC consent decree during a House hearing. He said that the audits required by the agency "have not found material issues with our privacy programs in place at the company."
He added that while he doesn't believe there was a violation of the consent decree, there was "clearly a breach of people's trust."
"The standard that we hold ourselves to is not just following the laws that are in place," Zuckerberg said. "But we also -- we just want to take a broader view of this in protecting people's information."