March 19, 2018

Wyden Questions Facebook on Misuse of Users’ Private Information

Washington, D.C. – Sen. Ron Wyden, D-Ore., asked Facebook to detail the extent of misuse of its users’ private information, in a letter to CEO Mark Zuckerberg sent today. His letter follows reporting by the New York Times and Facebook’s own admission that about 50 million users’ data was downloaded and subsequently used by Cambridge Analytica, a political advertising firm, without the affirmative knowledge or consent of those users.

“The troubling reporting on the ease with which Cambridge Analytica was able to exploit Facebook’s default privacy settings for profit and political gain throws into question not only the prudence and desirability of Facebook’s business practices and the dangers of monetizing consumers’ private information, but also raises serious concerns about the role Facebook played in facilitating and permitting the covert collection and misuse of consumer information,” Wyden wrote.  “With little oversight—and no meaningful intervention from Facebook—Cambridge Analytica was able to use Facebook- developed and marketed tools to weaponize detailed psychological profiles against tens of millions of Americans.”

Read the full letter here.

Wyden asked Facebook to respond to the following questions by April 13:

  1. How many incidents during the past ten years is Facebook aware of in which third parties collected or processed user data in violation of Facebook’s Platform Policies? Please describe each incident, the number of users whose information was collected and misused, and what steps Facebook took to remedy the violation.
  2. With regard to the data downloaded by Spectre and his company, has Facebook made any attempt to identify the 50 million users impacted and inform those users that their information was collected and misused? If not, why not?
  3. Has Facebook ever notified individual Facebook users about inappropriate collection, retention, or subsequent use of their data by third parties? If not, why not?
  4. According to Facebook’s Platform Policy, the company reserves the right to audit apps in order to ensure they are “safe” and do not violate the company’s terms of service. In each of the past ten years, how many apps has Facebook audited? Please describe the scope and findings of each audit.
  5. Facebook has now suspended Strategic Communication Laboratories/Cambridge Analytica from its platform. However, Facebook has apparently known since 2015 that Cambridge Analytica had obtained and used data that had been obtained from Facebook in violation of your company’s policies. Why did you not suspend the company from your platform in 2015?
  6. Is Facebook aware of any instances in which Cambridge Analytica or its clients utilized the Facebook user data obtained by Spectre and his company to deliver targeted advertisements to Facebook users? For example, has this data been used to create and target Facebook Custom Audiences?
    1. If Facebook is not aware of any instances, has your company examined historical advertising data to look for such patterns? If not, why not?
    2. In 2011, Facebook entered into a consent agreement with the Federal Trade Commission (FTC). Under the terms of that agreement, Facebook is required to maintain “a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of covered information.”
      1. Please describe how, three years after Facebook entered into the consent order with the FTC, Spectre and his company were able to download sufficiently detailed data on 50 million Facebook users without their affirmative knowledge or consent.
      2. The 2011 consent agreement also requires Facebook to obtain biennial privacy assessments and reports from an independent third-party professional with experience in the field of privacy and data protection. Facebook is required to provide the initial report to the FTC, to retain each subsequent report, and to provide a copy of them to the FTC, if requested.
        1. To date, has the FTC requested any of the assessments or reports? If so, which assessments or reports were requested by the FTC and when were they requested?
        2. Please provide me with a copy of every privacy assessment and report prepared by or for Facebook as required by the 2011 consent agreement.