Facebook CEO Touts Progress on Privacy, But Experts Raise Doubts

By Jackson Chen

Facebook CEO Mark Zuckerberg recently touted to Congress the company’s privacy efforts stemming from a record $5 billion Federal Trade Commission settlement last year, including “an industry-leading privacy program.”

“We have more than a thousand engineers working on the privacy program now,” Zuckerberg told the Senate Commerce Committee at an October hearing. “I think that settlement will be quite effective in ensuring that people’s data and privacy are protected.”

But experts told Digital Privacy News that the settlement did not address the root issue of Facebook’s privacy practices and instead raised more questions.

They also called for stronger enforcement to protect user privacy — similar sentiments expressed by two Democratic FTC commissioners in their dissents on the July 2019 settlement.

“That settlement will be quite effective in ensuring that people’s data and privacy are protected.”

Facebook CEO Mark Zuckerberg to U.S. senators in October.

“The question fundamentally in all of this is, are the structures that Facebook is putting into place internally going to meaningfully limit or change Facebook’s business model and operating principles?” posed Alan Butler, interim executive director of the Electronic Privacy Information Center (EPIC) in Washington.

“Do those structures have the kind of authority and influence necessary to force Facebook not to do something that it otherwise wants to do?”

Facebook declined requests for interviews with its privacy committee members and would not comment further on the settlement. The FTC also declined to comment on the progress of its settlement with Facebook.

Historic Settlement

In Zuckerberg’s testimony before the Commerce Committee, he lauded the settlement in response to a question from Sen. Jerry Moran, R-Kan., about stricter enforcement regarding user privacy standards.

The company reached the FTC settlement after claims that Facebook had violated a 2012 order from the agency. It had barred Facebook from deceiving users about how it controlled their privacy on the platform.

Besides the record fine, the agency required Facebook to implement several regulatory measures and to increase transparency on its privacy practices.

For instance, Facebook was required to establish an independent privacy committee, to designate compliance officers who would submit quarterly reports to the FTC, to better allow for third-party assessors to evaluate the platform’s privacy program and to review new or modified Facebook products for privacy protections.

“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC,” agency Chairman Joe Simons said in a statement announcing the settlement.

“The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations.”

Progress So Far

Nearly a year after the FTC disclosed the settlement, Michel Protti, Facebook’s chief privacy officer, said in a post this past April what Facebook had done on its privacy practices.

Protti wrote that Facebook had updated its Privacy Checkup tool, had rolled out its Off-Facebook Activity tool that allowed users to see what data businesses share with the company and had started publishing its privacy efforts in a “Privacy Matters” series.

“The proposed settlement does little to change the business model or practices that led to the recidivism.”

FTC Commissioner Rohit Chopra, D, who dissented on 2019 settlement.

Then, the next month, Facebook appointed three board members — Nancy Killefer, Peggy Alford and Robert Kimmitt — to a formal privacy committee to comply with one of the settlement’s stipulations.

And, five days before the Oct. 28 Senate hearing, Protti wrote another blog — saying that the company had made changes to its public groups, had built several new privacy-minded products and had appointed the privacy committee members.

Effectiveness Questioned

While Facebook said it was following the settlement’s terms, experts raised doubts to Digital Privacy News that the agreement was effective in bringing about meaningful change on how Facebook handled user data.

Even at the settlement’s disclosure, one FTC member, Democrat Rohit Chopra, dissented.

“The proposed settlement does little to change the business model or practices that led to the recidivism,” he wrote. 

“Nor does it include any restrictions on the company’s mass surveillance or advertising tactics.

The settlement “doesn’t provide an enforcement mechanism or a sufficient deterrent to prevent bad behavior.”

Alan Butler, Electronic Privacy Information Center.

“Instead, the order allows Facebook to decide for itself how much information it can harvest from users and what it can do with that information, as long as it creates a paper trail.” 

Chopra was joined by another Democratic commissioner, Rebecca Kelly Slaughter, who also called on the agency to bring litigation against Facebook.

Self-Regulation the Answer?

In the months leading up to the settlement, EPIC tried to intervene in the case, arguing that extremely few new obligations were imposed on Facebook that would change how it collected and used personal data.

However, the federal court that eventually approved last year’s settlement denied EPIC’s intervention, though acknowledging the organization’s questioning of the adequacy of current laws governing tech companies. 

“We don’t know if anything that Facebook is doing internally is going to prevent or change the way they handle personal data,” Butler, the interim executive director, told Digital Privacy News.

“Even if they did, it doesn’t provide an enforcement mechanism or a sufficient deterrent to prevent bad behavior from Facebook.”

For Ari Waldman, the faculty director of the Center for Law, Innovation and Creativity at Northeastern University, the Facebook settlement was “woefully insufficient.

“All the consent decrees and privacy-related things that the FTC enters into with the companies it regulates shifts all monitoring and regulatory burdens onto themselves and creates self-regulation,” Waldman said.

“The process of saying how you have to hire a regulatory officer and how you have to have a privacy program is a performance.”

Ari Waldman, Northeastern University.

He explained that these settlements ended up becoming strictly rules of the road for companies to follow in how they handled user privacy.

Because of the internal nature of the measures, Waldman said he felt that no serious actions would be taken to improve user privacy, as they could disrupt Facebook’s central business plan.

“The process of saying how you have to hire a regulatory officer and how you have to have a privacy program is a performance,” he said, “and it distracts us from creating a regulatory agency that can actually protect people’s privacy.”

Stronger Enforcement

Butler, who also is EPIC’s general counsel, similarly called for far tougher enforcement of the settlement, while also subjecting Facebook to more routine and detailed assessments and auditing similar to the European Union’s General Data Protection Regulation.

However, even with these suggestions, Butler noted that if everything remained internal, self-regulation would not deter or prevent bad behavior from Facebook.

“We don’t yet know how effective any internal changes at Facebook will be in preventing the types of issues we’ve seen come up in the past,” he told Digital Privacy News.

“Our concern is always that if the FTC is not actively involved in overseeing and policing those practices, then we’re not convinced at all that self-regulation is going to work.”

Jackson Chen is a writer in Groton, Conn. 

Sources (all external links):