Facebook may have broken FTC deal in Cambridge Analytica incident

It comes as the whistleblower accuses Facebook of punishing him.

Facebook may face more legal trouble than you might think in the wake of Cambridge Analytica's large-scale data harvesting. Former US officials David Vladeck and Jessica Rich have told the Washington Post that Facebook's data sharing may violate the FTC consent decree requiring that it both ask for permission before sharing data and report any authorized access. The "Thisisyourdigitallife" app at the heart of the affair asked for permission from those who directly used it, but not from the millions of Facebook friends whose data was taken in the process.

Facebook, for its part, said that it "reject[s] any suggestion" that it violated the consent decree. It maintained that it "respected" users' privacy settings.

If the FTC did find violations, Facebook could be on the hook for some very hefty fines -- albeit fines that aren't likely to be as hefty as possible. The decree asks for fines as large as $40,000 per person, but that would amount to roughly $2 trillion. Regulators like the FTC historically push for fines they know companies can pay, which would suggest fines that are 'just' in the billion-dollar range. Given that there are already multiple American and European investigations underway, any financial penalty would be just one piece of a larger puzzle.

The possibility of FTC action comes right as there are complaints about Facebook's response to Christopher Wylie, the whistleblower who blew open the data sharing scandal. His attorney, Tamsin Allen, has stated that Facebook took a two-faced approach to Wylie's revelations. It "privately welcomed" Wylie's help, Allen said, but publicly suspended his account and criticized him. That was indicative of a company focused more on "damage limitation" than sincerely addressing the problem at hand, according to the attorney. We've asked Facebook for its response, but the accusations certainly don't help its case.

Cambridge Analytica has tried to distance itself from the incident, claiming that Wylie was a contractor rather than a founder and that it was a partner, Global Science Research, that had harvested users' data. The company said it purged the data when it learned that GSR had sold data to outside parties.