Chalk up a sharp political point in support for privacy legislation with actual teeth: In today’s testimony in front of the House Energy & Commerce committee, Facebook CEO Mark Zuckerberg was asked about the outcomes of a string of legal actions against the company — most of which he claimed not be aware of.
One which he at last said he could remember was Facebook’s 2011 FTC consent decree — when the company settled over deceptive privacy practices by agreeing to make product changes opt-in and pledging to gain express consent from users to any changes going forward.
As part of that decree it also agreed to submit to privacy audits every two years for the next 20 years; bar access to content on deactivated accounts; and avoid misrepresenting the privacy or security of user data.
But congresswoman Diana DeGette pressed the Facebook CEO on whether the company paid a financial penalty as a result of the FTC action. A confused looking Zuckerberg finally replied: “I don’t remember if we had a financial penalty.”
“You’re the CEO of the company, you entered into a consent decree and you don’t remember if you had a financial penalty,” she responded, tone set to sarcastic incredulity.
“I remember the consent decree,” said Zuckerberg hastily. “The consent decree is extremely important to how we operate the company.”
“Yes I would think a financial penalty would be too,” interjected DeGette, leaving her point hanging in Zuckerberg’s silence.
“The reason you probably don’t remember it is because the FTC doesn’t have the authority to issue financial penalties for first time violations,” she picked up. “The reason I’m asking these questions, sir, is because we continue to have these abuses and these data breaches but at the same time it doesn’t seem like future activities are prevented. So I think one of the things that we need to look at in the future… is putting really robust penalties in place — in case of improper actions.”
A little later in the session, congressman Mike Doyle also raised the 20-year FTC consent decree, listing several of the practices it had deemed “unfair and deceptive” — namely: Facebook making users private information public “without sufficient notice or consent”; claiming to certify the security and integrity of certain apps “when in fact it did not”; and enabling developers to access “excessive information about a user and their friends”.
When he asked Zuckerberg whether the list was correct, the Facebook CEO again claimed not to know — saying: “I’m not familiar with all of the things that the FTC said,” before adding hastily: “Although I am very familiar with the FTC consent order itself.”
“But these were part of the consent decree,” interjected Doyle, adding: “I’m just concerned that despite this consent decree Facebook allowed developers access to an unknown number of user profiles on Facebook for years — potentially hundreds of millions, potentially more! And not only allowed but partnered with individuals and app developers such as Aleksandr Kogan who turned around and sold that data on the open market into companies like Cambridge Analytica.”
The congressman went on to ask Zuckerberg why Facebook users should trust the company to follow through on its “promises” to safeguard their information when — as he put it — “you have demonstrated repeatedly that you’re willing to flout both your own internal policies and government oversight when the need suits you”.
Zuckerberg said he “respectfully disagreed” with Doyle’s characterization, saying Facebook has had an app review process for “a number of years”, reviewing “tens of thousands” of apps per year and taking action “against a number of them”.
“Our process was not enough to catch a developer who sold data and had the data on their systems outside our systems,” he finished.
“To my mind the only way we’re going to close this trust gap is through legislation that creates and empowers a sufficiently resourced expert oversight agency with rule-making authority to protect the digital privacy and ensure that companies protect their users’ data,” replied Doyle, capping out his four minutes.
Since fresh revelations about the Cambridge Analytica scandal broke last month the FTC has opened a new investigation into Facebook’s practices. And now at least the company could face a financial penalty if it’s deemed to have violated the earlier consent decree.
The FTC can apply a fine of $40,000 per privacy violation — so with up to 87 million Facebook users’ data leaked to Cambridge Analytica there is at least a chance Facebook will end up with a sanction that Zuckerberg is able to remember in future.