Facebook Failed to Police How Its Partners Handled User Data – The New York Times

Link articolo originale

Archivio di tutti i clip:
clips.quintarelli.it
(Notebook di Evernote).

Facebook Failed to Police How Its Partners Handled User DataFacebook Failed to Police How Its Partners Handled User Data

Image

Sheryl Sandberg, Facebook’s chief operating officer, testified before the Senate Intelligence Committee in September. Ron Wyden, a committee member, has pressed the company on its data privacy protections.CreditCreditTom Brenner for The New York Times

Facebook failed to closely monitor device makers after granting them access to the personal data of hundreds of millions of people, according to a previously unreported disclosure to Congress last month.
Facebook’s loose oversight of the partnerships was detected by the company’s government-approved privacy monitor in 2013. But it was never revealed to Facebook users, most of whom had not explicitly given the company permission to share their information. Details of those oversight practices were revealed in a letter Facebook sent last month to Senator Ron Wyden, the Oregon Democrat, a privacy advocate and frequent critic of the social media giant.
In the letter, a copy of which Mr. Wyden provided to The New York Times, Facebook wrote that by early 2013 it had entered into data-sharing agreements with seven device makers to provide what it called the “Facebook experience” — custom-built software, typically, that gave those manufacturers’ customers access to Facebook on their phones. Those partnerships, some of which date to at least 2010, fall under a consent decree with the Federal Trade Commission drafted in 2011 and intended to oversee the company’s privacy practices.
[Read more about Facebook’s data-sharing partnerships with device makers.]
Facebook ultimately entered into dozens of similar data-sharing partnerships, most of which the company began winding down this spring after revelations that it had allowed Cambridge Analytica, a political data firm, to acquire the personal information of tens of millions of people. The firm used some of that information in efforts to aid President Trump’s 2016 campaign.

When a team from PricewaterhouseCoopers conducted the initial F.T.C.-mandated assessment in 2013, it tested Facebook’s partnerships with Microsoft and Research in Motion, maker of the BlackBerry handset. In both cases, PricewaterhouseCoopers found only “limited evidence” that Facebook had monitored or checked its partners’ compliance with its data use policies. That finding was redacted from a public version of PricewaterhouseCoopers’s report released by the F.T.C. in June.
“Facebook claimed that its data-sharing partnerships with smartphone manufacturers were on the up and up,” Mr. Wyden said. “But Facebook’s own, handpicked auditors said the company wasn’t monitoring what smartphone manufacturers did with Americans’ personal information, or making sure these manufacturers were following Facebook’s own policies.” He added, “It’s not good enough to just take the word of Facebook — or any major corporation — that they’re safeguarding our personal information.”
In a statement, a Facebook spokeswoman said, “We take the F.T.C. consent order incredibly seriously and have for years submitted to extensive assessments of our systems.” She added, “We remain strongly committed to the consent order and to protecting people’s information.”
Facebook, like other companies under F.T.C. consent decree, largely dictates the scope of each assessment. In two subsequent assessments, Facebook’s October letter suggests, the company was graded on a seemingly less stringent policy with data partners. On those two, Facebook had to show that its partners had agreed to its data use policies.
A Wyden aide who reviewed the unredacted assessments said they contained no evidence that Facebook had ever addressed the original problem. The Facebook spokeswoman did not directly address the 2013 test failure, or the company’s apparent decision to change the test in question.

Because the United States has no general consumer privacy law, F.T.C. consent decrees have emerged as the federal government’s chief means of regulating privacy practices at Facebook, Google and other companies that amass huge amounts of personal data about people who use their products. In letters and congressional testimony, F.T.C. officials have pointed to the decrees as evidence of robust consumer privacy protection in the United States.
A spokesman for PricewaterhouseCoopers acknowledged in a statement that Facebook defines the privacy procedures, known as “controls,” that are tested during the assessments.
“Changes to controls may occur as platforms evolve, such that a control tested in one period may not be identical in a subsequent period,” the spokesman said.
Facebook’s letter disclosing the assessors’ findings came in response to questions Mr. Wyden raised during an intelligence hearing in September. The hearing was held just weeks after The Times reported that Facebook had struck data-sharing deals with dozens of phone and tablet manufacturers, including Microsoft, BlackBerry and Amazon.

Read Facebook’s Letter
The October letter to Senator Ron Wyden details Facebook’s oversight of its partnerships with device makers.

2 pages, 0.66 MB

While the assessment reports were publicly released by the F.T.C. in June, they included significant redactions, which Facebook and PricewaterhouseCoopers said were necessary to protect trade secrets.
Mr. Wyden, whose staff had viewed the full assessments, said at the hearing that he found parts of the unredacted reports “very troubling” and pressed Sheryl Sandberg, Facebook’s chief operating officer, to release them in their entirety.

The Electronic Privacy Information Center, a Washington-based consumer rights group that helped obtain the 2011 consent decree, is currently suing the agency for release of the full assessments, arguing that the public cannot otherwise judge how effectively the F.T.C. is policing privacy violations.
“What is clear is that the F.T.C. has failed to enforce the consent order,” said Marc Rotenberg, the president of the privacy rights group. “And this has come at enormous cost to American consumers.”
The F.T.C. declined to comment.
Facebook’s compliance with the consent decree is the subject of a new F.T.C. investigation opened in the wake of the Cambridge Analytica scandal.
In the letter last month, Facebook’s vice president for United States public policy, Kevin Martin, noted that the assessors’ findings had not caused Facebook to fail PricewaterhouseCoopers’s overall evaluation: The assessors concluded that Facebook was operating “with sufficient effectiveness to provide reasonable assurance” that it was protecting its users’ privacy.
It remains unclear whether Facebook has ever scrutinized how its partner companies handled personal data. A spokeswoman declined to provide any examples of the company’s doing so.
A BlackBerry official, who declined to discuss details of the companies’ data-sharing agreement, said BlackBerry did not think that Facebook had ever audited its data use, but noted that BlackBerry’s business model relies on protecting users’ personal information.

If you like this post, please consider sharing it.

Leave a Comment

Your email address will not be published. Required fields are marked *