Facebook FTC investigation confirmed: Huge fines possible

The FTC has opened an investigation into Facebook, the latest chapter of the ongoing privacy saga in which the social network has been roundly criticized for failing to sufficiently protect its users. News of the non-public investigation was confirmed today by Tom Paul, Acting Director of the Federal Trade Commission's Bureau of Consumer Protection.

For those observing the ongoing Facebook saga, the news that the FTC is getting involved might come as little surprise. Facebook's headache began with revelations that earlier versions of its third-party app API had allowed unexpectedly huge amounts of personal data on the social networks' users to be extracted. Because of the permissions at the time, even though only a few hundred thousand people took part in one research test, the data of all their friends – amounting to around five million people – was exposed.

That data was then passed to Cambridge Analytica, the British research firm that has been connected both with the Trump campaign during the 2016 US elections, and with the Brexit campaign in the UK. The company has been accused of using that data – among other methods – to manipulate voter sentiment with targeted adverts and promotions.

Facebook was in the midst of dealing with that outcry, including promises from CEO Mark Zuckerberg to perform a full audit of anybody who might have extracted personal data using the old, since-tightened APIs. Then, late last week, reports surfaced that some of Facebook's apps for Android were uploading far more data to the company's servers than users might reasonably expect. In addition to continuous uploading of contacts, if given permission the apps – including Facebook Messenger – would also regularly upload call and text message logs.

Again, Facebook had an argument for that, pointing to the fact that its apps did indeed request permission before the uploading took place. Nonetheless there has been widespread criticism that it failed to sufficiently detail exactly what would happen, nor give users the immediate granular control over exactly which data was being stored on the company's servers. With the European Union set to begin enforcing the General Data Protection Regulation (GDPR) on May 25, 2018, complete with new, tougher policies about data protection and privacy, neither revelation has come at a good time for the site.

Now the FTC is weighing in. "The FTC is firmly and fully committed to using all of its tools to protect the privacy of consumers," acting director Tom Paul wrote of the decision to open an investigation. "Foremost among these tools is enforcement action against companies that fail to honor their privacy promises, including to comply with Privacy Shield, or that engage in unfair acts that cause substantial injury to consumers in violation of the FTC Act. Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements."

According to Paul, it's the recent spate of media reports focusing on just what Facebook has been doing that has prompted this new investigation. "Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook," the acting director says. "Today, the FTC is confirming that it has an open non-public investigation into these practices."

It's not Facebook's first run in with the FTC, of course, which makes the situation all the more perilous for the company. Back in 2011 the site settled an investigation with the agency over privacy concerns, with allegations that Facebook had been sharing data from users that had opted-out of such sharing. As part of that settlement, Facebook committed to twenty years of privacy audits.

It also required that Facebook give users a notification – and receive explicit permission – before sharing their private data beyond what privacy settings they had configured. Talk of this latest investigation began last week, after sources claimed the FTC was taking an interest in the Cambridge Analytica issue. At the time the FTC declined to comment, though violating the 2011 decree could see a penalty of $40,000 per violation. Facebook's stock price dived today in the aftermath of the FTC's announcement.