Zuckerberg Faces Congress On Privacy “Mistakes,” While FTC Probe Looms

Facebook CEO Mark Zuckerberg’s trial by fire has already begun in Washington, DC, this week as he prepares to testify before two committees of Congress about the company’s failure to prevent the profiles of at least 87 million users from falling into the hands of political data firm Cambridge Analytica.

Zuckerberg was already meeting in private with members of Congress Monday, according to aides who spoke to Reuters on condition of anonymity. The text of the remarks he prepared for a Wednesday session before the House Committee on Energy and Commerce was also released by the committee on Monday.

In his planned opening speech to the committee, Zuckerberg takes responsibility not only for lapses in data privacy protections, but also for the fake news and hate speech spread through the platform, and for “foreign interference in elections.”

“We didn’t take a broad enough view of our responsibility, and that was a big mistake,” Zuckerberg’s statement says. “It was my mistake, and I’m sorry. I started Facebook, I run it, and I’m responsible for what happens here.”

In his testimony, Zuckerberg plans to repeat explanations he has already given publicly for the way Cambridge Analytica managed to get hold of personal information on millions of Americans, as well as on Facebook members from other countries. An academic researcher with authorized access to the data shared it with the political consulting firm, in violation of Facebook policies, he maintains. Zuckerberg also details corrective measures, both those previously announced in the aftermath of news reports about the massive transfer of private data and newer revisions to Facebook’s platform and policies.

These include restrictions on the amount of data released to third-party apps that users sign up for through Facebook; a pre-approval process for apps that want to ask users for personal information, along with contracts for them to adhere to; and barriers to prevent apps from reaching into the data of a user’s friends without their consent. That reach-through mechanism, under earlier Facebook policies, had allowed researcher Aleksandr Kogan to tap into millions of profiles by offering a personality quiz to about 300,000 people, who may not have been aware that they were exposing the data of their friends. Kogan provided the data to Cambridge Analytica, which develops psychological profiles of individuals to predict which groups are likely to be receptive to certain ads or political messages. Arguably, its work in the 2016 presidential election swayed voter opinion.

In a blog post on Monday, Facebook announced that it is recruiting academic experts to direct an independent election research commission that would assign researchers to study the effects of social media on elections and democracy.

Zuckerberg is expected to face tough questioning at the committee meetings in Congress, where lawmakers are considering whether social media companies need to be reined in by new privacy regulations. Facebook is also under investigation by the Federal Trade Commission, which is evaluating the company’s compliance with a consent decree, finalized in 2012, which settled FTC claims that Facebook’s privacy practices were deceptive. Facebook was bound by that order to provide users with clear information about their privacy settings, to prevent sharing of their data beyond what they agreed to permit, and also to proactively look for threats to data privacy and find ways to remedy them.

One legal expert who worked on that FTC enforcement case, David Vladeck, says Facebook could face substantial, if not astronomical, civil penalties if it is found to be in violation of the consent decree. During the FTC investigation of Facebook that ended with the consent decree, Vladeck, a Georgetown Law professor, was director of the FTC’s Bureau of Consumer Protection.

Vladeck says Facebook should have recognized years ago that an ordinary user would not expect, when they signed up for an app, that they were opening the door for a third party to reap all their friends’ data. “That was an obvious vector for privacy threats,” he said at a panel discussion held by the non-profit think tank New America on Friday. “The consent decree was designed exactly to avoid this Cambridge Analytica problem.”

Theoretically, Vladeck says, Facebook could be assessed $40,000 per violation. That would add up to billions or trillions of dollars if multiplied by some or all of the 87 million users whose data was mishandled.

In a timeline published by Facebook, Zuckerberg said that in 2014, the company had tightened up restrictions to some extent on third-party access to the data of users and their friends. When it learned in 2015 that Kogan had shared his data trove with Cambridge Analytica, Zuckerberg said, Facebook banned Kogan’s app from the site and demanded that he and Cambridge Analytica certify that they had deleted the data.

But Facebook didn’t reveal the data loss publicly at that time. Nor is it clear, Vladeck says, that Facebook revealed it to the FTC in one of the periodic audits it was required to provide to the agency since 2012 to demonstrate its compliance with the consent decree. Those audits are not made public, he says.

Author: Bernadette Tansey

Bernadette Tansey is a former editor of Xconomy San Francisco. She has covered information technology, biotechnology, business, law, environment, and government as a Bay Area journalist. She has written about edtech, mobile apps, social media startups, and life sciences companies for Xconomy, and tracked the adoption of Web tools by small businesses for CNBC. She was a biotechnology reporter for the business section of the San Francisco Chronicle, where she also wrote about software developers and early commercial companies in nanotechnology and synthetic biology.