FTC-mandated audit cleared Facebook's privacy policies in 2017

And it happened after Facebook already knew about the Cambridge Analytica breach.

When Facebook struck a deal with the Federal Trade Commission in 2011 following an investigation into its privacy practices, it was required to undergo an external audit every two years. That made it a mystery how the harvesting of millions of users' data, and its transfer to Cambridge Analytica, could have stayed hidden until recently. It turns out the latest audit, conducted in 2017, simply failed to detect that anything was wrong. The Electronic Privacy Information Center obtained a (heavily redacted) copy of the audit after submitting a Freedom of Information Act request. It reads:

"In our opinion, Facebook's privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information and that the controls have so operated throughout the Reporting Period, in all material respects for the two years ended February 11, 2017, based upon the Facebook Privacy Program set forth in Management's Assertion.

As described above, Facebook has identified reasonably foreseeable, material risks, both internal and external, that could result in Facebook's unauthorized collection, use, or disclosure of covered information, and assessed the sufficiency of any safeguards in place to control these risks as required by Part IV of the [consent decree]. PwC performed test procedures to assess the effectiveness of the Facebook privacy controls implemented to meet or exceed the protections required by Part IV of the [consent decree]."

The audit covered the period from February 12th, 2015 to February 11th, 2017. Facebook first learned in late 2015 that the developer of the "thisisyourdigitallife" app had sold the millions of users' data it harvested -- a violation of the website's terms -- to Cambridge Analytica. In other words, Facebook knew of the sale more than a year before the reporting period closed. The app collected users' data in 2014, when Facebook still allowed the practice, but the social network changed its rules later that same year to prohibit third-party applications from harvesting data that way.

EPIC chief Marc Rotenberg told Wired: "After Cambridge Analytica, PricewaterhouseCoopers, on behalf of Facebook, reported to the FTC that privacy compliances at Facebook were fine and there were no problems... That's extraordinary! That's, 'How could that have happened?' stuff."

As Wired noted, this raises a lot of questions about the thoroughness of the audits and whether Facebook's 2011 agreement with the FTC is effective at all. Since the external auditor never caught wind of the issue, it may not have asked the right questions to draw it out of Facebook, which obviously didn't volunteer the information. Senator Richard Blumenthal now wants the FTC to consider evidence that Facebook violated its 2011 consent decree and is pushing for stronger oversight.

When asked why Facebook didn't disclose the Cambridge Analytica issue to the external firm that conducted the audit, the company pointed us to an exchange between US Representative Bob Latta and Mark Zuckerberg during the House hearing, in which the Facebook chief responded:

"[O]ur view is that this -- what a developer did -- that they represented to us that they were going to use the data in a certain way, and then, in their own systems, went out and sold it -- we do not believe is a violation of the consent decree."

Facebook Deputy Chief Privacy Officer Rob Sherman also said in a statement: "We remain strongly committed to protecting people's information. We appreciate the opportunity to answer questions the FTC may have."