Facebook failed to monitor partners’ handling of user data

Facebook failed to properly monitor device makers to which it granted access to the personal data of millions of its users, according to a previously unreported disclosure the social network made to Congress last month.

The social network’s lax oversight was identified in 2013 by a privacy monitor approved by the government, but it was never revealed to Facebook users, most of whom hadn’t given the company permission to share their information with third parties, the company said in a letter to Sen. Ron Wyden. The Oregon Democrat is a noted privacy advocate and frequent Facebook critic.

The letter (below) referred to the agreements Facebook had in place to provide several device makers with special access to large amounts of data about the social media giant’s users. The agreements, some of which dated back to at least 2010, were made with companies such as Huawei, Lenovo, Oppo and TCL, Facebook said in June.

Facebook ultimately entered into data-sharing agreements with dozens of tech companies, admitting in July it continued sharing information with 61 hardware and software makers after it said it had discontinued the practice in May 2015. The data-sharing agreements were intended to integrate the “Facebook experience” with mobile devices, something a Facebook representative at the time called a “standard industry practice.”

Facebook has been under scrutiny since the revelation in March that consultancy Cambridge Analytica had misused Facebook user data in the run-up to the 2016 US presidential election. Since then, Facebook CEO Mark Zuckerberg has testified in front of Congress and the European Parliament to answer questions about Facebook’s handling of user data.

The company has also been in the hot seat for not doing enough to prevent abuse from Russian trolls that posted misinformation and divisive content on the platform. The Russian activity was part of a program to meddle in the US presidential election and sow discord among voters.

Facebook’s data-sharing agreements fall under the purview of a consent decree issued by the Federal Trade Commission intended to monitor how Facebook tracks and shares data about its users.

The consent decree was borne out of a 2011 FTC complaint that accused Facebook of breaking its promise to keep its users’ data private. Facebook had assured users that third-party applications only had access to data required for them to function. But in fact, applications had access to almost all of a user’s personal information.

Under the settlement, Facebook agreed to get consent from users before sharing their data with third parties. It also required Facebook to establish a “comprehensive privacy program” and to have a third-party conduct audits every two years for the next 20 years to certify its program is effective.

During an FTC-mandated assessment of Facebook’s partnerships with Microsoft and Research in Motion in 2013, a team from PricewaterhouseCoopers found only “limited evidence” the social network had reviewed its partners’ compliance with its data use policies, Facebook’s letter to Wyden said.

“We take the FTC consent order incredibly seriously and have for years submitted to extensive assessments of our systems,” a Facebook spokesperson said in a statement. “PwC’s assessment process included an assessment of controls related to Facebook’s device integration partners. We remain strongly committed to the consent order and to protecting people’s information.”

In June, US officials raised concerns about Facebook giving Chinese telecommunications giant Huawei special access to user data, a company perennially in the crosshairs of the US government. Huawei is the world’s second-largest smartphone maker by volume, but it has struggled to make a dent in the US, partly because of security concerns expressed by the government, including the FBI, CIA, NSA, Federal Communications Commission and House Intelligence Committee.


Leave a Reply