Facebook Scandals Test U.S. Watchdog With Privacy Power at Stake

(Bloomberg) -- Facebook Inc.’s repeated privacy scandals have infuriated users, lawmakers and data-security advocates who are clamoring for a forceful government response. That job mainly falls to Joe Simons, who is under pressure to satisfy doubters or risk sidelining his agency as the nation’s chief privacy watchdog.

The chairman of the Federal Trade Commission talked tough when he took over the agency last year, vowing to increase scrutiny of America’s technology giants after years of a mostly hands-off approach. More than eight months later, his critics are getting impatient.

"They need to demonstrate they’re willing to use the tools they have aggressively," said Justin Brookman, the director of consumer privacy and technology policy for Consumer Reports Inc. "Everyone wants to see the hammer brought down."

To some Facebook critics, that means more than just a large fine for allegedly violating a 2011 consent agreement with the FTC over an earlier privacy breach. The FTC is investigating whether the social-media giant failed to honor its commitments when political consulting firm Cambridge Analytica gained access to information about millions of users.

While a conclusion could still be months away, the agency is expected to hit Facebook with a record fine, said a person familiar with the case who asked not to be named because the investigation is confidential. That likelihood seems to indicate officials have determined there was a violation of the settlement. Facebook says it hasn’t violated the decree.

The Cambridge Analytica case was already the agency’s most high-profile investigation when Simons took over in May last year. Facebook’s mishaps have since increased, with disclosure of a security breach affecting 50 million accounts and news that some of the world’s biggest technology companies were given more access to users’ data than had been disclosed.

Privacy Law

Some privacy experts, including Brookman at Consumer Reports, are lobbying for passage of the nation’s first privacy law, which could upend how Facebook does business. Others want to break the company into three components: the main social-network business; the Instagram photo-sharing app, which Facebook acquired in 2012; and WhatsApp, the direct-messaging service it bought in 2014.

A break-up is the best way to generate competition to offer stronger privacy protections, says Barry Lynn, the executive director of the left-leaning Open Markets Institute in Washington, which advocates for aggressive antitrust enforcement.

Open Markets’ deputy director, Sarah Miller, said she and other members of a coalition called Freedom From Facebook discussed that approach with Simons over the summer. It would require an expensive and risky court fight that some privacy experts say the FTC is unlikely to undertake.

‘Passive Lapdog’

Some argue that the FTC is so overly cautious that it should lose its privacy-protection role. Jeff Chester, the executive director of the Center for Digital Democracy, which advocates for online privacy, is among them. "This is why the industry wants the FTC to be the regulator of choice for privacy," Chester said. The industry "knows that it’s nothing more than a passive lapdog."

For his part, Simons, a Washington antitrust lawyer and former partner at Paul, Weiss, Rifkind, Wharton & Garrison LLP, is pushing Congress for more power to punish privacy violations, and not to give away his authority to a new agency. Simons, 60, has declined to comment on the Facebook investigation beyond telling lawmakers in November that the FTC will take action "as fast as possible." He wouldn’t comment for this article.

Lacks Spine

Some lawmakers also think the FTC lacks spine. Democratic Senator Richard Blumenthal of Connecticut, who is planning to offer bipartisan privacy legislation this year, accuses the agency of failing to use the power it already has.

"Time and again, the FTC has shied away from pursuing clear consumer abuses by big technology companies," Blumenthal said in a statement. "The FTC must demonstrate that it is willing to step up to hold Big Tech accountable."

Tougher in Europe

Europe has been tougher on U.S. tech companies for antitrust and privacy infringements, with France’s regulator on Monday fining Google 50 million euros ($56.8 million) for violating new European Union data-protection rules. Google, in a statement, said it is studying the decision, which can be appealed, to determine its next steps.

Since Simons took over, the commission has held hearings on competition and consumer-protection issues, but hasn’t brought any major enforcement actions. The Facebook investigation is fact-intensive and its length so far isn’t unusual, said a former FTC official, who declined to be identified discussing a confidential matter.

Record Fine

The agency can’t impose fines on first-time offenders, only on companies that, like Facebook, have previously agreed to settle charges with the agency. In 2012, it fined Google $23 million for misrepresenting to Safari internet-browser users that it wouldn’t place advertising trackers known as cookies on their computers.

That was a record for the agency, but a minuscule amount for Google, which reported net income of $10.7 billion that year. The fine for Facebook, which earned $15.9 billion in 2017, will exceed the Google penalty, according to the person familiar with the case.

The first enforcement action stemming from Cambridge Analytica came not from the federal government, but from the attorney general for the District of Columbia, Karl Racine. Racine said in a Dec. 19 lawsuit that Facebook violated the city’s consumer-protection law by misleading users about the security of their data and failing to properly monitor apps’ use of data. Other states have opened similar investigations.

Deceptive Practices

The commission’s 2011 consent decree addressed a litany of deceptive practices. Facebook, for example, allowed profile information -- photos, education, place of employment -- that a user chose to restrict to "Only Friends" or "Friends of Friends" to be accessible to apps that the person’s friends used. Facebook also promised users that it wouldn’t share personal information about them with advertisers when in fact the company identified to advertisers the users who clicked on their ads or to whom ads were targeted.

Facebook was required to implement a privacy program, obtain express consent from users before making changes that override privacy preferences, and undergo regular privacy audits. Under that decree, the FTC can fine Facebook about $40,000 per violation. Now the question is how far Simons takes that authority.

Some privacy experts say the Cambridge Analytica mishap may not have violated the order. The incident stems from a personality-quiz app offered to Facebook users by a Cambridge University researcher. About 270,000 people downloaded the app, allowing the researcher to access data about both those individuals and their friends. The information was subsequently sold to Cambridge Analytica, which worked on Donald Trump’s 2016 presidential campaign.

Facebook’s settings at the time allowed third-party apps to access the data of a user’s friends. Because Facebook disclosed that to users, it’s unlikely to be a violation, according to Matthew Schettenhelm, a Bloomberg Intelligence analyst in Washington. That’s one of the arguments Facebook is using to defeat a class-action lawsuit users have filed.

Another Avenue

Another potential avenue of investigation for the FTC is whether Facebook violated the order when it allowed more than 150 companies, including Amazon.com Inc., Netflix Inc. and Spotify Technology SA, access to more users’ personal data than Facebook had disclosed, as reported by the New York Times in December.

Facebook disclosed that it shares details about users with "service providers," which plausibly includes many of those companies, according to Schettenhelm. The Times, however, reported that Netflix and Spotify were able to read users’ private messages and weren’t considered by Facebook to be "service providers." Facebook probably needed users’ consent before sharing their private messages with those companies, Schettenhelm said. The company says it hasn’t violated the decree with those partnerships, either, and has disputed some details of the Times report.

It’s up to Simons to decide how aggressive to be. He risks drawing fire from Capitol Hill and privacy advocates with a weak settlement, but doing anything too radical could lead to a costly court battle with Facebook, a move that carries its own risks. When the agency brought an enforcement action against medical-testing firm LabMD, a federal appeals court in June clipped the agency’s power by ruling that the FTC’s order to establish a privacy program was too vague and therefore unenforceable.

"They have a choice," said Open Markets’ Lynn about the FTC. "Are they actually standing up for the American people? Are they standing up for democracy?"

©2019 Bloomberg L.P.