In July 2019, Facebook settled with the Federal Trade Commission over a litany of the tech giant's privacy violations. The agreement, the Justice Department's civil division approved at the end of April, is most memorable for levying a $5 billion fine against Facebook. But it also laid out requirements for a slew of changes to Facebook's internal privacy mechanisms and corporate culture. Six months into implementing these improvements, Facebook's chief privacy officer of product Michel Protti and chief privacy officer of policy Erin Egan spoke with WIRED about the effort, which they say is driving concrete changes.
The current shift to privacy, though, comes after more than a decade of scrutiny over Facebook's serious privacy lapses and data sharing issues. Privacy advocates and policy analysts have also expressed skepticism about the FTC's mandates from the start, since it doesn't include broad limits on the entities Facebook can share data with or the types of data the company can collect. And a significant portion of the FTC agreement leaves the methods for privacy improvement up to Facebook itself, a dubious arrangement given the company's track record.
As part of the agreement, Facebook is sharing quarterly and annual updates with the FTC on its progress; the company is submitting its first quarterly report at the end of this week. These compliance reports are signed by CEO Mark Zuckerberg, and the FTC agreement includes a condition that "any false certification will subject [Facebook] to individual civil and criminal penalties." Facebook will also submit to reviews by an independent assessor, the first of which begins next week. None of these reports and findings will be made public. The FTC declined to comment for this story.
Both Protti and Egan argue that the company is making substantive changes. Every new employee now goes through training to reinforce that privacy is everyone's responsibility across every department. The company has also started doing annual privacy risk assessments across 30 of its "key" business units to identify gaps and potential problems and rectify them—a process that Protti and Egan says has already led to improvements. And the company's board of directors now also has a privacy committee meant to oversee and verify improvements as an accountability mechanism.
"From our perspective, we’ve made important progress, but we still have a tremendous amount of work to do," Protti says. "We’re in the early phases of a multi-year and ongoing effort to evolve our culture, our operations, and our technical systems to honor people’s privacy."
Protti says that the company has overhauled its privacy review process for products and services that share user data in new ways. One specific point in the FTC agreement is that Facebook can no longer use customer phone numbers collected for two-factor authentication for targeted advertising and to recommend friends, a controversial practice that Facebook admitted to only after a 2018 investigative piece by Gizmodo. Protti says Facebook wants not only to meet its regulatory obligations, but to also go beyond that with more robust technical validations, documentation, and implementation checks. He stressed the importance of collaboration between teams to ensure that a product or feature's privacy protections are not only functioning as designed, but that the design itself is sound.
Additionally, Protti says that the privacy reviews include examinations of topics like transparency, user controls, and data retention policies where applicable. Despite years of near-constant privacy controversy and that record FTC fine, Protti and Egan both maintain that Facebook already built all of its software with privacy in mind from the start, but that the company is now committing to this maxim more deeply.
"This privacy review process since it’s gotten rolling has caused us to delay some product launches, which isn’t a bad thing necessarily," Protti says, "because at the end of the day the most important thing is getting this right for the ultimate user."
In one recent example, Protti says that Facebook delayed the launch of its Accounts Center service, which offers features across the company's apps. A series of privacy reviews showed that user controls and transparency mechanisms weren't clear enough abouton what information would be used based on which features were enabled or disabled.
"Our internal experts sent the product team back to revise their plan," Protti says. "And the end result was a redesigned control hub and overall a much better and clearer product. It took a little bit longer to launch, but we’re happier and prouder of what we’ve built as a result."
Both Protti and Egan say that the biggest challenges in Facebook's privacy revamp is communicating the depth of the company's commitment and making sure all users understand how their data is used, as well as the tools and controls that are available to them.
"Something I wake up every day thinking about [is] how we can continue to help people understand that our business model is privacy protective," Egan says. "It’s never been more important and more challenging to help the world understand that people’s privacy and the personalized experiences that we create for people don’t have to be at odds with each other. Some companies I think are framing this as a choice—personalized advertising or privacy. And that’s just not true. You can have both."
But privacy advocates and researchers who have been studying tech giants like Facebook for years have found a mountain of evidence to the contrary.
"The fundamental truth is that surveillance capitalist monopolies cannot be reformed," says Evan Greer, deputy director of the digital rights and privacy-focused group Fight for the Future. "The FTC agreement tinkers around the edges, but largely allows Facebook to police itself, which it has consistently shown it is incapable of doing. There is no single silver bullet solution that will 'fix' Facebook, but the FTC agreement barely scratches the surface. What we really need is for Congress to pass strong federal data privacy legislation."
Policy analysts point out that without being able to see any of the reports Facebook submits to the FTC, the public will have to trust that the regulator has adequate insight into what's going on at the company through the certified reports and independent assessor and that the FTC is actually holding Facebook accountable. Broadly, the FTC established similar mechanisms for oversight in its 2011 agreement with Facebook, including periodic independent audits, but the measures were largely unsatisfactory. The Electronic Privacy Information Center mounted a challenge to the Facebook-FTC agreement in 2019, but it was dismissed.
"I understand that such reports may contain sensitive company data, but just like with privacy impact assessment documents, they can be modified to be releasable," says Lukasz Olejnik, an independent privacy researcher and consultant. "There is no reason for these reports from Facebook not to be published in some form."
Zuckerberg laid out a cogent and robust roadmap for Facebook's privacy journey in 2011 after the company's first agreement with the FTC, including hiring Egan to join the team.
"We're making a clear and formal long-term commitment to do the things we've always tried to do and planned to keep doing — giving you tools to control who can see your information and then making sure only those people you intend can see it," Zuckerberg wrote. "I look forward to working with the Commission as we implement this agreement. It is my hope that this agreement makes it clear that Facebook is the leader when it comes to offering people control over the information they share online."
Two years later, a pair of University of Cambridge researchers published a study on how someone could use freely available Facebook "like" data to make determinations about users' personalities and preferences. That research became the foundation of the Cambridge Analytica scandal.