
Regulator to Facebook: Move Fast But Stop Breaking Things

FTC Reportedly Eyes Holding Mark Zuckerberg Personally Accountable for Privacy

"Move fast and break things," Facebook CEO Mark Zuckerberg once said was his company's internal motto. "Unless you are breaking stuff, you are not moving fast enough."

But regulators have been increasingly signaling to Facebook that when it comes to privacy, data security as well as election integrity, quite enough has been broken, thank you very much.

The Federal Trade Commission continues to negotiate a fine over Facebook's privacy and data security failures, which could reportedly reach $5 billion (see: Report: Facebook Faces Multibillion Dollar US Privacy Fine).

The probe was sparked last year after it came to light that Cambridge Analytica, a British analytics firm, had obtained 87 million Facebook user profiles. The news came seven years after Facebook had reached a privacy agreement with the FTC.

Last July, Facebook told investors that a Department of Justice probe into its practices, triggered by the Cambridge Analytica scandal, had been broadened to include investigations by the FBI, FTC and Securities and Exchange Commission.

Individuals with knowledge of the FTC's confidential discussions with Facebook, speaking anonymously, have also been suggesting to media outlets that the commission wants to hold Zuckerberg personally accountable for the social network's privacy and data security practices.

None of these sources have been able to clarify whether this accountability would be applied retroactively to Zuckerberg's previous statements about privacy, toward future Facebook practices, or both. That may, in fact, still be part of the negotiations, which reportedly have been underway for more than a year.

"The days of pretending this is an innocent platform are over, and citing Mark in a large-scale enforcement action would drive that home in spades," Roger McNamee, an early investor in Facebook who's now one of Zuckerberg's top critics, told the Washington Post, which first reported that the CEO might be held personally accountable.

Subsequently, NBC News also reported that regulators are weighing whether and how Zuckerberg should be personally held to account.

Facebook didn't immediately respond to a request for comment.

But on Friday, Facebook told Ars Technica that the Washington Post and NBC News reports continued previous speculation. An April 2 story in Politico said the regulator could seek top-level management changes as well as restrict the social network's ability to collect user data.

"These story lines have been recycled for some time," Facebook told the publication.

Commenting on the FTC's investigation, Facebook has also told news outlets in recent days: "We hope to reach an appropriate and fair resolution."

Fine Might Reach $5 Billion

Here's what regulators might think appropriate and fair: The Wall Street Journal has reported that the FTC is seeking a Facebook fine of up to $5 billion. At the same time, the social network is also being investigated for other data-handling practices, including agreements it reached with multiple other organizations to share users' personal details (see: Prosecutors Probe Facebook's Data Deals).

The FTC has issued outsized fines in the past, hitting Volkswagen in 2017 with a $14 billion settlement over deceptive advertising practices involving its vehicles' diesel emissions, of which $11.5 billion was earmarked for affected consumers.

The commission also settled with identity theft monitoring firm LifeLock in 2015 for more than $100 million over its violation of a 2010 agreement with the FTC. That agreement stipulated that the company would avoid deceptive advertising practices as well as maintain a robust information security program. Affected customers received some of that settlement agreement.

From a privacy standpoint, in 2012 the FTC forced Google to pay $22.5 million to settle charges that it had been "misrepresenting the extent to which consumers can exercise control over the collection of their information."

UK Fines Facebook

Facebook, meanwhile, has also been facing privacy scrutiny abroad. Last October, Britain's Information Commissioner's Office slammed Facebook with the maximum possible fine for the failures that led to the Cambridge Analytica scandal. The £500,000 ($650,000) fine came after the ICO found that Facebook violated the country's rules on processing personal data and also "failed to take appropriate technical and organizational measures against unauthorized or unlawful processing of personal data," each of which represented a "serious contravention" of the country's data protection principles.

The violations happened before the EU's General Data Protection Regulation came into effect in May 2018, which would have enabled the ICO to impose a fine of up to €20 million ($22.5 million) or 4 percent of Facebook's annual global revenue, whichever is greater.

The ICO also has the power to revoke an organization's right to process Europeans' personal data.

Online Safety Push

In February, the U.K. government signaled that it plans to take stronger action against technology firms that amass personal information but fail to properly safeguard the data or users.

Following an investigation into disinformation and fake news in the wake of the Cambridge Analytica scandal and nation-state election interference campaigns targeting western democracies, a British parliamentary committee has recommended creating an independent regulator to ensure that technology firms behave ethically and much more transparently (see: Facebook Smackdown: UK Seeks 'Digital Gangster' Regulation).

Continuing that push, earlier this month the British government released a white paper describing how it plans to enforce a new "duty of care" that would require organizations to "take more responsibility for the safety of their users and tackle harm caused by content or activity on their services."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
