Facebook could face record fine, say former FTC officials for violation of consent decree...
By Craig Timberg and Tony Romm April 8 at 9:00 AM
Facebook’s disclosure this week that its search tools
were used to collect data on most of its 2.2 billion users could potentially
trigger record fines and create new legal vulnerability for not having
prevented risks to user data, three former federal officials said.
The three former officials, all of whom were at the
Federal Trade Commission during the privacy investigation that led to a 2011
consent decree with Facebook, said the company’s latest mishap may violate the
decree’s provisions requiring the implementation of a privacy program.
The language was written to require Facebook to identify
and address emerging threats to user privacy as its business practices changed
over the 20-year term of the consent decree, said David Vladeck, who was head
of the FTC’s bureau of consumer protection when the decree was drafted and
signed by Facebook. That meant the company was required to limit its sharing of
user data and prevent outsiders from improperly gaining access, he said.
“Is it possible that this episode is also a violation of
the consent decree? I would say yes,” said Vladeck, now a Georgetown University
law professor.
He predicted Facebook may face fines of $1 billion or
more for this and a previously reported mishap in which a political
consultancy, Cambridge Analytica, improperly gained access to information on as
many as 87 million Facebook users, of whom 71 million are Americans.
“The agency will want to send a signal … that the agency
takes its consent decrees seriously,” Vladeck said.
The stakes for Facebook are particularly high given the
rising political scrutiny of the company in Washington, where Zuckerberg is
expected to testify before congressional committees this week.
Facebook declined to comment Friday on the possibility
that the collecting of user data by malicious actors could have violated the
FTC consent decree. Company officials have repeatedly denied the sharing of
user data with Cambridge Analytica violated the decree.
“We’ve worked hard to make sure that we comply” with the
consent decree, CEO Mark Zuckerberg said in a call with reporters on Wednesday.
“I think the reality here is that we need to take a broader view of our
responsibility, rather than just the legal responsibility.”
The FTC last month announced it was investigating the
Cambridge Analytica incident, but it declined to comment on Wednesday’s
revelation about unauthorized scraping of user data.
Facebook disclosed the latest mishap in a blog post
saying it was disabling two search tools because they had been so widely
abused.
“Given the scale and sophistication of the activity we’ve
seen, we believe most people on Facebook could have had their public profile
scraped in this way,” the post said.
Company officials later explained that “malicious actors”
were collecting fragments of personal information on the “Dark Web” — typically
phone numbers and email addresses posted after large-scale data breaches — then
using the Facebook search tools to match this information with users of the
social media platform.
In this way, criminals could expand their fragmentary information
to include the full names of people, along with whatever information was public
as part of their profiles, such as their profile photos, home towns and
educational and work experience. Users could block such access by changing
their privacy settings to prevent searches based on phone numbers and email
addresses. But research has consistently shown that most people stick with
default privacy settings and have little understanding of what kinds of data
can be collected by outsiders.
The collecting of user information was not a data breach
in the traditional sense because Facebook’s systems were not improperly
penetrated, and data that users designated as private — such as family pictures
or personal notes — were not accessed, according to the company.
But the abuse of Facebook’s search tools enabled the
discovery of personal information that otherwise would have remained private.
Gaining access to such data is important for criminals looking to steal
identities or commit other types of fraud.
Security researchers had warned about such risks for
years. One Britain-based researcher, Reza Moaiandin, warned about the problem
in an April 2015 blog post titled, “Facebook: Please fix this security loophole
before it’s too late.”
In the post, Moaiandin published evidence of exchanges
with Facebook in which company representatives appeared to downplay the problem
even after he raised it directly with them.
Wired reported Thursday that another researcher, Brandon
Copley, the CEO of Giftnix, raised the same issue with Facebook in 2013 and was
told that the company did not consider it a security problem.
Such prior warnings about the ease of scraping Facebook
information could complicate its dealings with the FTC, given that the consent
decree focuses on whether a data privacy problem is “reasonably foreseeable”
and preventable, said Vladeck and the other two former FTC officials.
“Whether or not this violates the order will turn on the
reasonableness of Facebook’s actions,” said Jessica Rich, who led the FTC’s
investigation into Facebook before the 2011 consent decree and now is vice
president for advocacy at Consumer Reports. “Did Facebook know about this at
some point and fail to address it?”
Told of the previous warnings by researchers, Rich said,
“These would be loud facts for them and may show complete lack of commitment
[to making sure] that this data wasn’t vulnerable.”
Violations of the FTC consent decree also carry the
possibility of fines that could top $40,000 per “violation.” With more than 200
million Americans using Facebook, the fines could — at least in theory — reach
into the trillions of dollars if the FTC found violations. (Facebook last year
earned profit of $15.9 billion on $40.7 billion in revenue.) The former FTC
officials said the actual fines would be far smaller but could easily top the
previous record of the $168 million civil penalty by the FTC against the DISH
Network for violating telemarketing rules.
After the FTC announced in 2011 that it would punish
Facebook for mishandling its users’ data, it heralded the consent decree as the
best way to advance “the privacy interests of the nearly one billion Facebook
users around the world.” Officials wrote at the time, “We intend to monitor
closely Facebook’s compliance with the order and will not hesitate to seek
civil penalties for any violations.”
More than six years later, Facebook serves twice as many
users. In the eyes of the FTC’s experts and veterans, the credibility of the
agency and its enforcement powers are at stake as it decides what to do about
Facebook’s latest privacy problem.
“The entire settlement was heralded as being a
breakthrough. The commission portrayed it as a major step in the advancement of
its privacy policy,” said William Kovacic, who served as an FTC commissioner
during the investigation of Facebook but left before its settlement had been
announced.
Kovacic, who is the director of the Competition Law
Center at George Washington University, said it was the “commission saying,
‘You watch. We’re on it. This shows we’re serious. We’re credible.’ ... If you
don’t back that up, I think your program suffers badly.”
A former Justice Department official, Gene Kimmelman,
agreed that Facebook faces the possibility of heavy fines but said the focus
should be on preventing future privacy problems, with Facebook spending money
on fixing its internal policies and systems rather than paying a massive
penalty to the federal government.
“Rather than fight about how big a fine they can justify,
I hope the FTC will focus on how Facebook must be required to resource a
forward-looking solution that prevents this from ever happening again,” said
Kimmelman, now president of Public Knowledge, an advocacy group. “It would be a
shame to quibble over the precise level of a fine rather than just invest in
fixing the problem for good.”
Elizabeth Dwoskin contributed to this report from San
Francisco.