It’s official—Facebook is under federal investigation. Tom Pahl, the acting director of the Federal Trade Commission’s consumer protection division, wrote in a statement Monday morning that the agency is investigating Facebook’s privacy practices a week after news broke that the Trump campaign’s political-data firm, Cambridge Analytica, inappropriately obtained data on more than 50 million Facebook users and then allegedly lied about deleting it.
Facebook could be in violation of an agreement it made with federal regulators in 2011 that required the social network to obtain affirmative consent from users before accessing or sharing data about them beyond what they’ve explicitly agreed to. Yet it wasn’t until 2014 that the company changed its data-sharing policy that allowed developers to access not only the data of a user who downloaded or agreed to use their app, but also that of their friends. That’s how psychology researcher Aleksandr Kogan, who made a Facebook quiz called “thisisyourdigitallife” for Cambridge Analytica, was able to obtain data on tens of millions of Facebook users though only 270,000 people downloaded the app. Sandy Parakilas, a whistleblower who managed Facebook’s app-security team from 2011 to 2012, told the Guardian last week that he suspects hundreds of millions of users could have been affected by Facebook’s porous data-sharing policies from that time.
Under the 2011 rule, Facebook could face fines up to $40,000 per violation, which could total damages in the trillions of dollars. Though Facebook’s fine is unlikely to be that high, it could be in the ballpark “of many millions of dollars,” said Jessica Rich, who oversaw the FTC’s privacy program and headed the investigation into Facebook that led to the 2011 consent decree, in an interview with the Washington Post. Depending on what happens with the investigation, Facebook may also face new restrictions from the agency, which would likely go into effect long before Congress would able to finalize any kind of legislation.
“The FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook. Toda, the FTC is confirming that it has an open non-public investigation into these practices,” Pahl wrote in Monday’s statement.
Meanwhile, members of Congress on both sides of the aisle are calling on Facebook CEO Mark Zuckerberg to testify and explain exactly why his company shared so much data on its users without their permission—and didn’t keep tabs on where it ended up. In a series of interviews on Wednesday, Zuckerberg said that he would be open to some form of regulation but didn’t give a definitive yes on whether he would voluntarily testify in front of Congress. Instead, he said he’d be happy to testify if he is “the most informed person at Facebook in the best position” to do it. But as the company’s leader, and as someone who both was aware of the FTC’s regulations and of Facebook’s incongruent privacy practices, it’s hard to imagine who would be a better fit for the hot seat.