The New York Times reports that Facebook failed to properly monitor how hardware manufacturers were handling personal data from hundreds of millions of its users. This follows a report in June that Facebook was not disclosing to users that their data was being shared with hardware manufacturers in the first place.
On Monday, the Times published a letter that Facebook had sent to Oregon Sen. Ron Wyden disclosing that the company had failed to properly monitor how hardware manufacturers were accessing personal data from hundreds of millions of its users. In 2010, Facebook began providing personal user data to hardware manufacturers so that the platform’s features would be better integrated on phones and other devices. PricewaterhouseCoopers conducted an audit examining seven of the data-sharing agreements in 2013 and found that there was “limited evidence retained to demonstrate that Facebook monitored or assessed the service provider’s compliance with Facebook’s Data Use Policies.”
Wyden, who requested the information on the audit during an intelligence hearing in September, told the Times, “Facebook claimed that its data-sharing partnerships with smartphone manufacturers were on the up and up. But Facebook’s own, handpicked auditors said the company wasn’t monitoring what smartphone manufacturers did with Americans’ personal information, or making sure these manufacturers were following Facebook’s own policies.”
According to a consent decree that the Federal Trade Commission drafted in 2011, Facebook is required to undergo audits from government-approved third parties, which is why PricewaterhouseCoopers examined the data-sharing agreements in 2013. The audit particularly focused on Facebook’s partnerships with Microsoft and Research in Motion, which manufactures BlackBerry devices. In both cases, auditors found that Facebook was not comprehensively monitoring how those manufacturers were handling user data.
The Times first revealed in June that Facebook was potentially violating the consent decree through its dealings with hardware manufacturers. Facebook is required to get explicit permission from users in order to share their data. However, Facebook reportedly never informed users about its data-sharing agreements with the hardware manufacturers, and most users had not given explicit permission for the company to use their data in such a way. The Times further reported that hardware manufacturers were even able to access personal data from users’ friends, some of whom had expressly prohibited any such sharing.
At the time, Facebook vigorously disputed the Times’ reporting. “We built a set of device-integrated APIs that allowed companies to recreate Facebook-like experiences for their individual devices or operating systems,” Facebook VP of product partnerships Ime Archibong wrote in a June blog post. “Given that these APIs enabled other companies to recreate the Facebook experience, we controlled them tightly from the get-go.” The audit, though, calls into question just how tightly Facebook was controlling the data it granted to these third-party device makers.
Facebook eventually reached data-sharing agreements with dozens of device makers, but it is in the process of ending most of them in reaction to revelations that the political-consulting firm Cambridge Analytica improperly accessed data from up to 87 million users. The FTC is also currently investigating Facebook’s compliance with the consent decree, and the company could face financial penalties if any violations are discovered.
“We take the F.T.C. consent order incredibly seriously and have for years submitted to extensive assessments of our systems,” a Facebook spokeswoman told the Times. “We remain strongly committed to the consent order and to protecting people’s information.”