Leonora Willet (CM ’25)
More than three years ago, whistleblower Christopher Wylie exposed how Cambridge Analytica, a U.K. based consulting firm, accessed Facebook consumers’ data without their consent. As a former employee of the British consulting firm, Wylie witnessed firsthand Facebook’s use of consumer data to target users for disinformation campaigns. The primary means by which Facebook collected user data was through the app “Your Digital Life”. The app generated a personality profile for users after the user completed a personality quiz. In return, the app was able to access some of the user’s Facebook data. Because Facebook’s regulations at the time did not require third party applications to be affirmatively reviewed and approved, the app flourished.
Aleksandr Kogan, who launched the application, sold the data of approximately 70 million United States Facebook consumers to Cambridge Analytica for $800,000. The data Kogan provided targeted digital political ads in the 2016 presidential election. Furthermore, presidential candidates paid Cambridge Analytica to provide digital advertising services during the election. All the while, Facebook was aware of the collection and sale of consumers data to Cambridge Analytica, a clear violation of its own Platform Policy. Facebook eventually terminated the application’s access to Facebook’s platform, but Cambridge Analytica still had full access to the consumers data. Cambridge Analytica only alerted Facebook users in April of 2018 of the consulting firm’s access to their data.
In a government probe, the FTC found Facebook breached FTC regulation multiple times, including the sharing of 87 million users’ information to Cambridge Analytica, a consulting firm. Initially, the FTC set Facebook’s fine at $106 million: on the same day, Facebook drastically increased the amount paid, in order to spare Facebook’s CEO Mark Zuckerberg. Facebook paid the FTC $5 billion, which was “20 times greater than the largest privacy or data security penalty ever imposed worldwide.” But, the $5 billion settlement with Facebook did not hold Mark Zuckerberg responsible. One lawsuit alleged that many Facebook directors agreed to increase the settlement in order to provide Mr. Zuckerberg with an “express quid pro quo” that prevented him from being “made subject to personal liability, or even required to sit for a deposition.”
In a separate 2018 lawsuit, the District Attorney’s Office in Washington D.C. filed a complaint against Facebook Inc. for violating the Districts Consumer Protection Procedures Act (DCCPA). In the lawsuit, Attorney General Karl Racine claimed, “Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used.” In 2019, Facebook tried to terminate the consumer protections lawsuit, but Judge Fern Saddler denied Facebook Inc.’s request. In addition, in 2011 and 2019, lobbyists and lawyers have attempted to keep Mr. Zuckerberg from being named a respondent in privacy cases.
In a change of course, on October 20th, 2021, Washington DC Attorney General Karl Racine added Mr. Zuckerberg to the consumer protection lawsuit, claiming that Mr. Zuckerberg was aware of the data breach happening with Facebook and its potential risk to users. Mr. Zuckerberg is liable under the District of Columbia Consumer Protection Procedures Act which “allows executives to be held personally liable if it can be demonstrated that they had knowledge of violation of the law when they made decisions for the company.”
Unlike many corporations, Mr. Zuckerberg holds tremendous power within Facebook and plays a key role in important decisions. Mr. Zuckerberg has more than 50 percent control of voting shares. With Mr. Zuckerberg being added to the lawsuit, he could now face fines of up to $5,000 per party: the Cambridge Analytica data privacy violation affected around 300,000 individual parties. Facebook has continuously defended itself, their lawyers claiming that Mr. Zuckerberg could not be responsible for tens of thousands of employees. But, FTC Commissioner Rohit Chopra explains that the fine imposed by the FTC provides “blanket immunity” for Facebook executives and does “not fix the core problems that led to these violations.”
And Rohit Chopra’s fears are far from unfounded. The argument over whether or not the FTC has held Facebook and Mr. Zuckerberg accountable for their actions is questionable. Ever since Cambridge Analytica dissolved, former affiliates have formed several new consulting groups, such as Auspex International, a data-driven communications consultancy that focuses on political, social and developmental campaigns.
The Cambridge Aalytica leak exposed weak links within Facebook’s privacy regulations, and has had lasting impacts on the company. Mr. Zuckerberg may finally be held responsible for security leaks and data breaches, but the real solution to controlling Mr. Zuckerberg is lessening his voting power in decision making. The FTC has ordered privacy oversight, such as an independent privacy committee to take away Mr. Zuckerberg’s “unfettered control” over user privacy decisions. Although this privacy committee reports current privacy risks to the FTC, as a way to increase transparency, the real issue lies in the power Mr. Zuckerberg holds over the company. In order for Facebook to become a more secure platform, Mr. Zuckerberg must take actions that place consumer protection over earnings. With the tremendous amount of information Facebook has access to, the protection of user’s data and privacy is of great importance.
Moving forward, the next steps toward regulating Facebook and its privacy and data security does not have a simple solution. Even after the FTC fine, Facebook has failed to prove that it is protecting users’ information on Facebook. New whistleblower reports have exposed more faults within the company, ranging from exempting certain high status individuals from its regulation, to acknowledging its platform’s negative impact on teenage girls. Facebook has shown its resistance to self-regulation, as it knows the issues within the company, and will not take sizable measures to protect its users. Among many proposals, two stand out as viable options. First, creating a new federal agency dedicated to Big Tech oversight, and second, creating stricter privacy regulations that halt collection of personal data. Whatever the case may be, it is apparent that business as usual is untenable, for Facebook and the public they serve.
