Facebook Failed to Monitor How Device Makers Accessed User Data

There was “limited evidence” Facebook made sure its partners didn’t misuse data, according to government-approved report

Last Updated: November 13, 2018 @ 10:33 AM

Facebook let device makers access personal data on hundreds of millions of users and failed to closely track how that information was used, according to a disclosure the company recently made to Congress.

The social network’s lax monitoring of several hardware partners was first detected by a government-approved privacy watchdog in 2013, according to a letter Facebook shared with Senator Ron Wyden last month. Wyden, a Democrat from Oregon and a longtime critic of the company, shared the letter with TheWrap on Tuesday. The potential data mismanagement was never reported to Facebook users.

In the letter, Facebook said it offered the “Facebook experience” — access to large amounts of data from its users — to seven device makers at the time. Facebook went on to strike similar deals with dozens of other device makers, including several Chinese major device makers, Apple and Samsung, the company said in June. These partnerships fell under a 2011 agreement Facebook had with the FTC to monitor how the company shared its user data with other firms.

PricewaterhouseCoopers, commissioned by the FTC to assess Facebook’s performance in 2013, found only “limited evidence” the company was making sure its hardware partners weren’t misusing user data, according to the letter. “Lack of comprehensive monitoring makes it more difficult to detect inappropriately implemented privacy settings within these third-party developed applications,” PwC said at the time, according to the letter. This note was later removed from the PWC report released by the FTC this past June. Facebook said in the letter the “limited evidence” remark was an “exception” to PwC’s overall positive assessment of Facebook’s privacy controls.

A Facebook spokesperson told TheWrap the company “subsequently” addressed the issues raised by the FTC, but did not share a specific date. The spokesperson said: “We take the FTC consent order incredibly seriously and have for years submitted to extensive assessments of our systems,” before adding, “We remain strongly committed to the consent order and to protecting people’s information.”

“Facebook claimed that its data-sharing partnerships with smartphone manufacturers were on the up and up. But Facebook’s own, handpicked auditors said the company wasn’t monitoring what smartphone manufacturers did with Americans’ personal information, or making sure these manufacturers were following Facebook’s own policies,” Sen. Wyden said in a statement to TheWrap.

He added: “It’s not good enough to just take the word of Facebook – or any major corporation – that they’re safeguarding our personal information. Congress needs to pass legislation that creates real transparency and consequences if companies misuse our data.”

The letter was shared with Sen. Wyden after he questioned Facebook executives during a Senate meeting in June. Facebook ultimately curtailed access device makers have to user data earlier this year, after details of the Cambridge Analytica data leak emerged, where up to 87 million users had their profile information unknowingly accessed by the political data firm. Government officials have since put Facebook and chief executive Mark Zuckerberg in the hot seat over the company’s handling of user data.

“It’s not enough to give people control of their information, we have to make sure developers they’ve given it to are protecting it too,” Zuckerberg told Congress in April. “Across the board, we have a responsibility to not just build tools, but to make sure those tools are used for good.”

This story was first reported by The New York Times on Tuesday.