FTC and PwC’s 2017 Privacy Audit of Facebook Failed to Catch Cambridge Analytica
One of the few consolations for Facebook users when company chief Mark Zuckerberg breezed through the Senate and House hearings without offering any real answers was the Federal Trade Commission and its audits of the social network. Following the revelations that Facebook had failed to alert affected users or the FTC after it learned of the Cambridge Analytica data breach in 2015, the Commission confirmed last month that it is investigating Facebook's data sharing practices.
"The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers," Tom Pahl, the acting director of the FTC's Bureau of Consumer Protection, said in a statement in March. "Today, the FTC is confirming that it has an open non-public investigation into these practices."
Specifically, the agency will review whether Facebook failed to comply with a 2012 consent decree that required the company to submit privacy audits to the agency.
But did Facebook really fail, or was it the FTC itself?
It now appears that the social networking platform did submit audits and the agency still failed to learn about the massive privacy breaches.
PricewaterhouseCoopers, the auditing firm responsible for reviewing Facebook on behalf of the regulators, told the FTC that there was nothing wrong with the social network's privacy practices. This happened after the company had already lost the data of up to 87 million users to a single researcher.
"In our opinion, Facebook's privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the Reporting Period, in all material respects for the two years ended February 11, 2017, based upon the Facebook Privacy Program set forth in Management's Assertion,” PwC said in its report to the FTC.
This audit report, submitted to the Commission in early 2017, is only one of several similar reviews that Facebook must submit to prove to the FTC that it is complying with the consent decree. (Google also goes through similar audits or assessments.)
However, this positive assessment came when the company was already aware of the Cambridge Analytica data misuse that affected millions of its users' privacy.
While it remains unclear whether Facebook informed the auditors of the breach, or whether PwC learned of it but chose not to inform the agency, the episode does show that the federal regulators trusted to oversee consumer privacy rights do not actually have sufficient review processes in place.
How effective can these audits be when Facebook controls the process?
According to a recent review [PDF] published by privacy attorney Megan Gray, who works for the FTC, the agency's privacy audits will remain toothless and meaningless unless they undergo major reforms. Although the paper relies on heavily redacted, publicly available documents, those documents still reveal some major design failures.
"The agency regularly touts its important and extensive work as the chief consumer privacy ‘cop on the beat.’ But this chest-thumping can backfire - consumers may more readily share personal information via online platforms based on a belief that the FTC is guarding against misuse," Gray wrote.
"Careful review, however, shows the audits are woefully inadequate."
Given the agency's small size (which, as a side note, was also one of the primary concerns when the FCC was handing net neutrality oversight to the comparatively powerless FTC), it apparently lets companies choose their own third-party auditors, who are paid by those same businesses, and also lets them define the assessment process, with the FTC playing no role. Under this system the company under review, not the federal regulator, is in charge of the audit.
Remember that this isn't just about Facebook: Google, Uber and others go through a similarly inadequate audit process. An excerpt from the report:
[...] one security expert opined that the attestation certification is not a seal of approval because the standard allows the company itself to decide what risks to document and what risk-management processes to adopt.
“In sporting metaphor, [the company] gets to design their own high-jump bar, document how tall it is and what it is made of, how they intend to jump over it and then they jump over it. The certification agency simply attests that they have successfully performed a high-jump over a bar of their own design.” (emphasis added). He added: "What would be really interesting would be if the company publishes their security requirements, their standards, their policies and risk assessments, so everyone can see what kind of high-jump they have just performed -- how high, how hard, and landing upon what kind of mat? It would be that which would inform me of how far I would trust a company with sensitive data..."
The FTC's privacy audits are believed to be the strongest, if not the only, enforcement mechanism keeping these companies in line with the promises they have made. Letting the same companies decide how they are assessed, however, defeats the entire purpose.
"That is completely useless," Nate Cardozo of the Electronic Frontier Foundation said. "It’s not just toothless, it’s worse than toothless. It’s asking the fox to guard the henhouse. If the FTC had chosen an auditor and required Facebook to open its servers to any question the auditor had, maybe we wouldn’t have gotten to Cambridge Analytica."