District of Columbia Attorney General Karl Racine yesterday filed a civil lawsuit against Facebook, claiming the social media giant’s failure to properly safeguard its users’ data constitutes a violation of the district’s Consumer Protection Procedures Act (CCPA).
The lawsuit seeks payment from Facebook in the form of financial restitution and civil penalties, and also asks the Court to permanently enjoin Facebook from any further CCPA infractions.
Racine bases his legal complaint largely upon this year’s Cambridge Analytica scandal when it was revealed that one of Facebook’s app partners sold data it had collected on Facebook users and their friends to a third-party political consulting firm, without users’ informed consent. The firm then leveraged that information in violation of Facebook’s policies to target voters and influence the 2016 U.S. presidential election.
“Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used,” said Racine in a press release. “Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission. Today’s lawsuit is about making Facebook live up to its promise to protect its users’ privacy.”
“We’re reviewing the complaint and look forward to continuing our discussions with attorneys general in D.C. and elsewhere,” said a Facebook spokesperson in a statement provided to SC Media.
The lawsuit was filed just one day after Facebook’s data privacy practices once again courted controversy, after an exposé revealed the company as recently as 2017 had granted more than 150 partners access to personally identifying user data, including private messages and friends’ contact information, without explicit consent from the user.
Published this week by the New York Times, the report suggests such business dealings may have violated the terms of a 2011 consent agreement between Facebook and the Federal Trade Commission. However, Steve Satterfield, Facebook’s director of privacy and public policy, denied this when questioned by the news outlet.
The exposé also states that roughly a dozen of these deals raise legitimate privacy concerns, including arrangements to let partners Sony, Microsoft, Amazon obtain users’ names or email addresses through their Facebook friends.
In another example, Spotify, Netflix and Royal Bank of Canada were all reportedly granted access to users’ private messages. Such access hypothetically gave them the power to read, write and delete users’ private messages, although the article does not accuse the companies of doing so. (Indeed, Spotify and Netflix told the Times they were unaware they had this ability, while Royal Bank of Canada denied having such unfettered access.)
The Times gleaned details about these business arrangements from more than 270 pages of internal documents generated by a system that Facebook reportedly custom-built to track and manage its data-sharing partnerships. Additionally, the report’s authors interviewed former employees of Facebook and its partners.
In response to the report, Facebook issued a blog post on Wednesday, asserting that partners were typically given special access to data in order to enable key functionality that otherwise would not have been possible.
For instance, Facebook allowed access to user messages in some cases so people “could message their friends about what they were listening to on Spotify or watching on Netflix, share folders on Dropbox, or get receipts from money transfers through the Royal Bank of Canada app,” explained Ime Archibong, VP of product partnerships, and blog post author. “These experiences were publicly discussed. And they were clear to users and only available when people logged into these services with Facebook,” Archibong continued.
Archibong noted that such messaging services were “experimental and have now been shut down for nearly three years.” However, even after partners shuttered certain Facebook-linked features, their access to the data used to enable that feature nevertheless remained unchanged, the Times reported.
Jim Varner, president and CEO of SecurityFirst, said this latest chapter in the continuing saga of Facebook and its controversial data management and user privacy policies (see Cambridge Analytica and recent data breach/exposure news) demonstrates how companies must do a better job communicating what kinds of data they’re collecting and seeking out explicit consent.
“The first step for organizations to adequately protect private data is accepting the responsibility for doing so, which is a key component missing from so many organizations’ internal philosophies, and something [that] new privacy regulations, like GDPR and California’s Consumer Privacy Act, are pushing,” said Verner. “It should not be the customers’ responsibility to understand a long, legal verbiage-filled privacy agreement or to navigate complex settings to manage their own privacy. The trust model has to go from the user giving a blanket authorization, to having a clear choice to understand what data has been collected and who is authorized to access…it provided by organizations.”
Nine months after a whistleblower revealed Facebook had allowed outsiders to improperly access personal information about millions of its users, the social media giant faced its first major rebuke from regulators in the United States — a lawsuit filed by the attorney general of the District of Columbia.
The lawsuit from Karl Racine on Wednesday targeted Facebook mainly for its entanglement with Cambridge Analytica, a political consultancy that harvested names, “likes” and other data from the social site without users’ permission. The incident, which affected more than 87 million users beginning in 2014, came to light this March, sparking investigations around the world.