Last week, Motherboard revealed that Facebook’s systems are designed in such a way that the company can struggle to track users’ data within its own systems, according to a leaked internal document.
After Motherboard published the document, several U.S. and European lawmakers called for stronger oversight of the tech giant to make sure it complies with existing regulations, such as the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act, and for even more government regulation to protect users’ privacy.
Democratic Sen. Ed Markey, who is a member of the Subcommittee on Consumer Protection, Product Safety, and Data Security, told Motherboard in a statement that “leaked document after leaked document show that Big Tech continues to play fast and loose with users’ personal information.”
“I’m concerned that these revelations are much more than simply a breach of consumer trust but an open door for specific threats of harmful data uses,” he added in the emailed statement.
The document was written in 2021 by Facebook privacy engineers, who warn that they “can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And yet, this is exactly what regulators expect us to do,” and that “there are tens-of-thousands of uncontrolled data ingestion points into Ads systems today.”
The engineers used an eloquent metaphor to explain the challenges the company is facing.
“We’ve built systems with open borders. The result of these open systems and open culture is well described with an analogy: Imagine you hold a bottle of ink in your hand. This bottle of ink is a mixture of all kinds of user data ([Third party data], [First party data], [Sensitive categories data], Europe, etc.) You pour that ink into a lake of water (our open data systems; our open culture) … and it flows … everywhere,” the document read. “How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?”
Markey isn't the only lawmaker concerned by the news.
“Facebook has lost control of what they are doing with your data. This is reckless and threatens the privacy and security of Americans. We need a national privacy standard,” Sen. Marsha Blackburn, a Tennessee Republican who’s a ranking member of the same subcommittee, wrote on Twitter.
The subcommittee is part of the United States Senate Committee on Commerce, Science, and Transportation, and its mission is to protect American consumers’ privacy. Last year, it convened a hearing on keeping Facebook accountable following a series of leaks by whistleblower Frances Haugen.
“The idea that Facebook doesn’t understand where its data goes or who is using it is disappointing and alarming, but frankly entirely unsurprising. For years, I have been calling on Facebook to better safeguard user data and respect user privacy. Their wanton disregard for the privacy and security of their users’ data underscores the urgent need for regulation to force technology companies to improve their behavior,” Democratic Sen. Mark Warner said in a statement sent via email. “My legislation, the DASHBOARD Act, would require companies like Facebook to closely track and disclose all the commercial uses of data it collects. This would also apply to affiliates or third parties with whom that data is shared. I’m going to keep working to garner support for these necessary measures, and pushing to get them passed by Congress and signed into law.”
In response to the lawmakers' criticism, a Meta spokesperson said, “These allegations are baseless and completely misrepresent how we manage data.”
“We’ve built one of the most comprehensive privacy programs to oversee data use across all of our operations,” Meta added. “The document was never intended to capture all of the processes we have in place to comply with privacy regulations around the world or to fully represent how our data practices and controls work. With regulations and privacy expectations evolving, we constantly assess risks and explore ways to meet our obligations more efficiently, which is what this document shows.”
Democratic Rep. Kathy Castor, who grilled Mark Zuckerberg during a hearing in 2018, said Motherboard's story “is another glaring example that Facebook does not adequately protect its users’ personal information. Again and again Facebook has shown that it is willing to cut corners, deceive, and break the law when it comes to our privacy, all to pad their bottom line.”
“Congress and consumer protection agencies, like the Federal Trade Commission, need to do more to protect Americans’ privacy and cybersecurity,” she said in an emailed statement.
The FTC declined to comment.
Across the ocean, in Europe, where the European Parliament is close to adopting yet another set of laws that aim to regulate tech companies, the Digital Services Act (DSA), and Digital Markets Act, several Parliament members harshly criticized Facebook.
Alexandra Geese, a Parliament member who is a co-negotiator of the DSA, said in an email that the leaked document shows that “even Facebook/Meta's own experts admit in the internal document that they have no idea what happens to personal data once it’s in Facebook's systems. This is a confession of massive violations of EU data protection laws. The company is apparently structurally incapable of complying with our laws at all. The inaction of the Irish Data Protection Authority is a scandal.”
“With the Digital Services Act (DSA), we are introducing strict rules to limit unfettered data use and profiling for advertising purposes - Facebook will certainly also have problems complying with the new EU DSA/DMA laws. It is therefore good that we will see much stronger enforcement here, independent control through access to platform data and juicier penalties than in data protection laws. The DSA will also give the EU Commission the power to take further action against a service in the event of repeated violations.”
Sophie in ‘t Veld, a European Parliament Member who has worked on tech and privacy issues, said in a phone call that the data protection authorities of European countries “have to investigate this now, immediately, because if this is true, basically, they're not remotely compliant with GDPR, not remotely. So I would expect action.”
Facebook’s parent company, Meta, is based in Ireland, so the leading agency that has the power to investigate the company and its privacy practices is the Irish Data Protection Commission (DPC). Deputy Commissioner Graham Doyle told Motherboard in an online chat that he would comment on the document “probably early next week.”
In ‘t Veld said that with DSA and the other existing laws, “it's only going to get worse” for Facebook.
“And if they already are not GDPR-compliant, then it gets more difficult,” she said.
Paul Tang is a European Parliament Member who is one of the coordinators of the Tracking-Free Ads Coalition, a group made up of EU lawmakers and supported by civil society organizations and companies. In a tweet, Tang accused Facebook of not complying with several European regulations, including GDPR, ePrivacy, the Digital Services Act, and the Digital Markets Act.
“It is astonishing that years after the EU privacy rulebook got into force, this report reveals Facebook never made any attempt to abide by it. Tracking and targeting of users isn't just killing privacy, it is killing independent journalism as well. The Digital Markets Act and Digital Markets Act will put an end to this. The European Commission enforcement needs to ensure Zuckerberg has no other option than to abide,” Tang told Motherboard in an emailed statement.
Martin Schirdewan said in an email that “Facebook repeatedly proves with their ignorance toward data protection, that they are a money machine without conscience. Clearly Facebook forgot to program empathy for user in their motherboard.”
“The solution is to politically rein in on the unscrupulous business model of Big Tech. The protection of personal data must be secured through a ban on personalized advertising and profiling. The business practices of digital companies rip off users and violate their freedom and personal rights,” Schirdewan added. “The DSA will ban personalized advertisement for minors and the use of sensitive data, which is a success for the protection of users, but not enough to change the unscrupulous behaviour of Facebook and Co.”