Leaked document indicates Facebook has little insight into how user data is handled

The report casts doubt on the company's ability to comply with privacy regulations.

Facebook is reportedly unable to account for much of the personal user data under its ownership, including what it is being used for and where it’s located, according to an internal report leaked to Motherboard.

Privacy engineers on Facebook’s Ad and Business Product team wrote the report last year, intending it to be read by the company’s leadership. It detailed how Facebook could address a growing number of data usage regulations, including new privacy laws in India, South Africa and elsewhere. The report’s authors described a platform often in the dark about the personal data of its estimated 1.9 billion users.

The engineers warned that Facebook would have difficulty making promises to countries on how it would treat the data of its citizens. “We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose,’" wrote the report’s authors. "And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation.”

Facebook’s main obstacle to tracking down user data appears to be the company’s lack of “closed-form” systems, the report states. In other words, the company’s data systems have “open borders” that mix together first-party user data, third-party user data and sensitive data. To describe how difficult it is to track down specific Facebook’s data, the report’s authors came up with the metaphor of pouring a bottle of ink into a lake… and then trying to get it back in the bottle:

“This bottle of ink is a mixture of all kinds of user data (3PD, 1PD, SCD, Europe, etc.) You pour that ink into a lake of water (our open data systems; our open culture) … and it flows … everywhere. How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?”

More succinctly, a former Facebook employee who spoke anonymously to Motherboard said the question of where data goes inside the company is "broadly speaking, a complete shitshow."

The authors state that Facebook previously had "the 'luxury' of addressing [new privacy regulations] one at a time," like the EU’s GDPR and the California Consumer Privacy Act. But subsequent years brought more data protection legislation from all over the world, including India, Thailand, South Africa and South Korea. The document casts doubt on if Facebook has been able to comply with such legislation, and if it's equipped to weather the "tsunami" of new laws that make similar restrictions. (A Facebook spokesperson denied to Motherboard that the company is not currently complying with privacy regulations.)

“Considering this document does not describe our extensive processes and controls to comply with privacy regulations, it's simply inaccurate to conclude that it demonstrates non-compliance," the spokesperson told Motherboard. New privacy regulations across the globe introduce different requirements and this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations,”