
Is Facebook Out of Control? Investigations and Complaints Are Rising

Complaints Rise About Facebook

Last week's report in The New York Times (NYT), titled 'Delay, Deny and Deflect: How Facebook's Leaders Fought Through Crisis', has again focused attention on Facebook. "Ms. Sandberg [Facebook COO]," writes the NYT, "has overseen an aggressive lobbying campaign to combat Facebook's critics, shift public anger toward rival companies and ward off damaging regulation."

Sheryl Sandberg responded the next day, denying two of the accusations. Firstly, she denied that Facebook had been aware of any Russian misinformation campaigns before the 2016 presidential election; and secondly, she denied any personal knowledge of an alleged campaign run by Facebook's PR firm Definers -- which had sought to discredit, for example, George Soros. Definers no longer works for Facebook.

But Facebook has problems that go beyond The New York Times. Multiple national parliaments have invited Facebook CEO Mark Zuckerberg to appear before "an 'international grand committee' in London on 27 November." Zuckerberg declined, saying he could not travel to London. The 'grand committee' comprises representatives of the parliaments of the UK, Canada, Australia, Brazil, Argentina, Singapore, and Latvia. 

Since Zuckerberg cannot travel to London, the invitation was re-iterated on November 16 with, "Would you be amenable to giving evidence via video link instead?"

Two major security issues over the last 12 months have been or are being investigated by authorities on both sides of the Atlantic: the Cambridge Analytica scandal and the more recent 'View-As' breach. On top of this, private groups have launched their own actions. Freedom from Facebook has raised a complaint with the FTC, while the NOYB (none of your business) organization has raised a more general GDPR complaint in Europe.

Faced with the possibility of massive 'privacy' fines, Facebook shares have suffered their longest ever decline. From a low point of less than $20 in October 2013, shares rose steadily to a high point of $218 in July 2018. Since then they have steadily declined to less than $140 (at the time of writing this). The trajectory is currently still downwards. Meantime, YouTube has replaced Facebook as the second most visited service (both behind Google, according to Alexa and SimilarWeb).

NOYB

Initiated by Austrian privacy activist Max Schrems (who effectively caused the ultimate downfall of the EU/U.S. Safe Harbor agreement), and supported by Paul Nemitz and Jan Philipp Albrecht (the European Parliament rapporteur for GDPR), NOYB was launched on November 28, 2017. Its avowed purpose is to give support "to consumers to enforce their [privacy] rights by giving legal advice and drawing media attention up to bringing cases to court."

On the day that GDPR came into force, NOYB filed GDPR complaints against Google, Instagram, WhatsApp and Facebook. WhatsApp and Instagram are both owned by Facebook. The maximum possible fine against the Facebook group would ultimately be €3.9 billion (approximately $4.45 billion). Maximum fines are very unlikely, but sizable fines are possible in extreme cases.

The NOYB complaint against Facebook is not based on any particular breach, but on the way it handles users' data. It states, "According to the Austrian Data Protection Act 2018 [GDPR], a violation of the right to data protection (especially a violation of Articles 5, 6, 7 and 9 of the GDPR and Article 8 of the CFR) is hereby alleged by the data subject."

Freedom From Facebook

Freedom From Facebook (FFF) is avowedly anti-Facebook. The NYT report suggests that Definers had sought to link Soros funding, Freedom From Facebook and anti-Semitism to divert attention away from Facebook itself.

FFF filed a complaint (PDF) with the FTC on November 15 -- the day after the NYT report was published. It cites the recent 'view-as' breach of 50 million (potentially 90 million) user accounts. "Once inside Facebook's security wall, the attackers stood in users' shoes -- with complete and total control over their profiles, accounts, and social media interactions," it states. "Facebook, Inc. is a serial privacy violator that cannot be trusted."

FFF makes three specific claims against Facebook: breach of the 2011 Consent Decree finalized in 2012; breach of Section 5 of the FTC Act (prohibiting 'unfair' or 'deceptive' practices); and a call for an investigation into Facebook's monopoly power and 'ungovernability' under Section 6(b) of the FTC Act. For the first two, FFF is calling for maximum possible fines. It states, "The penalty, outlined in the consent decree, is $41,484 per user per day. This violation [the View As breach] affected 50 million users for nearly 430 days, calling for trillions of dollars in potential fines."

In the final claim it suggests that the scale of Facebook's operation, and the reliance on advertising revenue, make the organization 'ungovernable'. "It cannot meaningfully moderate content or protect users from harassment and abuse. It is unable to keep its own promises or accurately determine whether it is adhering to commitments it has made to users, business partners, and regulators. It has become so complex and deeply intertwined with other platforms, apps, and services that no executive or engineer can responsible [sic] anticipate or evaluate the real-world consequences of policy changes or product revisions."

Here it specifically asks the FTC to consider 'breaking up' Facebook, "separating its advertising and social networking businesses or its discrete platforms."

(While compiling this report, Instagram announced that its 'Download Your Data' tool may have exposed users' passwords.)

GDPR investigations

The European data protection regulators have been or are investigating Facebook in relation to the Cambridge Analytica issue and the View-As breach. Fortuitously, the Cambridge Analytica event pre-dates the commencement of GDPR. Nevertheless, the UK's ICO held Facebook culpable under the earlier UK Data Protection Act 1998 (based on the EU's Data Protection Directive). The important point here is that the ICO fined Facebook the maximum possible £500,000, and stated in its enforcement action notice (PDF), "Moreover, the Commissioner considers that the amount of £500,000 is not excessive: indeed, but for the statutory limitation on the amount of the monetary penalty, it would have been reasonable and proportionate to impose a higher penalty." The implication is that had GDPR been in force, Facebook would have faced a much higher financial penalty.

The View-As breach occurred after GDPR came into effect. So far, the UK's ICO has merely stated, "We will be making enquiries with Facebook and our overseas counterparts to establish the scale of the breach and if any UK citizens have been affected." Facebook has already stated that European users are involved.

The Irish regulator (Facebook's European headquarters is in Ireland) is also taking an interest, tweeting on 28 September, "The DPC is concerned that this breach was discovered on Tuesday & affects millions of users. At present Facebook is unable to clarify the nature of the breach & risk to users. We are pressing Facebook to urgently clarify these matters."

It is far too early to gauge any likely outcome from European investigations into the View-As breach. If found culpable under GDPR, the earlier Cambridge Analytica event and any apparent lack of cooperation from Facebook would be taken into consideration.

However, it is also worth noting that there has been some question over whether individual European regulators could afford to take on Facebook. The UK's ICO is Europe's best-resourced office. Although it fined Facebook £500,000 (which the ICO does not receive), it reportedly spent more than £1 million on the investigation.

But it's not just the breaches. Vera Jourova, the EU commissioner in charge of consumer protection, is concerned over what she considers to be Facebook's misleading terms and conditions. "I will not hide the fact that I am becoming rather impatient because we have been in dialogue with Facebook almost two years," she told reporters. "Progress is not enough for me, I want to see results."

Facebook has been given until the end of the year. After that, the national authorities "will look into sanctions after the new year in case they do not see sufficient progress."

U.S. investigations

Although FFF asked the FTC to examine whether Facebook was in contravention of the consent decree, the FTC had already announced in March 2018 that it would do this in relation to the Cambridge Analytica affair. 

In July 2018, the Washington Post announced that the FTC, FBI and SEC "have joined the Department of Justice in its inquiries about the two companies and the sharing of personal information of 71 million Americans."

In August, the US Department of Housing and Urban Development (HUD) filed a complaint accusing Facebook of violating the Fair Housing Act. The complaint alleges that "Facebook unlawfully discriminates by enabling advertisers to restrict which Facebook users receive housing-related ads based on race, color, religion, sex, familial status, national origin and disability. Facebook's ad targeting tools then invite advertisers to express unlawful preferences by suggesting discriminatory options, and Facebook effectuates the delivery of housing-related ads to certain users and not others based on those users' actual or imputed protected traits."

On November 16, 2018, U.S. Senators Amy Klobuchar (D-MN), Mark Warner (D-VA), Chris Coons (D-DE), and Richard Blumenthal (D-CT) published the text of a letter sent to Mark Zuckerberg asking questions about the hiring of Definers. "According to recent reports," says the letter, "your company hired contractors to retaliate and spread intentionally inflammatory information about people who have criticized Facebook, which, if not properly disclosed, may have campaign finance and other potential legal implications."

They finished the letter with, "Some of us have requested that the Deputy Attorney General expand the scope of the Department of Justice's existing investigations to include the latest reports that Facebook hired contractors to retaliate and spread negative information about people who criticized the company. If the Department's investigation is expanded to include this recent report, will you commit to co-operating with any investigation into this matter?"

A wave of investigations

Facebook is facing a wave of official and civil investigations and lawsuits. Just as worrying, perhaps, is that it is losing its appeal to the young. Three years ago, Pew Research reported that 71% of American teens were using Facebook. Today, according to Hootsuite, YouTube, Instagram and Snapchat are more popular -- and globally, only 7% of Facebook users are aged between 13 and 17.

Despite this, Facebook remains phenomenally successful. Sixty-eight percent of Americans use it. Business also loves Facebook -- there are 80 million small- and medium-sized business pages. It could, in tech terms, be compared to Lehman Brothers in financial terms: too big to fail. Lehman Brothers did fail; and the result was catastrophic.

The big question is whether Facebook is so big it is out of control. Can it -- or even should it -- be controlled by government decree and split up? David Ginsburg, VP of Marketing at Cavirin, thinks not.

"In any new industry or market," he told SecurityWeek, "there is a 'wild west' phase where almost anything goes, both the good and the bad. Look at manufacturing, oil, transportation, or even the early days of the phone system. The industry eventually self-regulates, the government steps in, or in most cases, both. We are now seeing this with social network and the internet, and the two are interrelated. Though Facebook has become the poster child of excess, Google, Twitter, Apple, and others are not without culpability. So, is Facebook out of control? A bit. Will correction occur? Yes. Will the social platforms be split up like the monopolies? No."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.