FTC ripped for blacking out Facebook’s privacy report

The US Federal Trade Commission has been slammed for redacting the majority of a report that would ostensibly shine light on Facebook’s internal data policies and practices, with activists accusing the FTC of failing to live up to “transparency” promises it made when announcing the settlement some 20 months ago.

The Facebook privacy report is a quarterly update the company must file with the FTC as part of a settlement agreement the two parties struck in July 2019 over the Cambridge Analytica scandal. GDR obtained the first of these reports in January through a Freedom of Information Act (FOIA) request.

More than half of the 57-page report was redacted as the FTC deemed it confidential. In the “comprehensive privacy program” section, for instance, entire subsections are missing. The entire fourth section on “privacy review” is also missing, as are section eight and nine on “compliance reporting” and “recordkeeping”, as well as most of section five on “third-party oversight and management” and section six on IT.

Moreover, most of the information available in the document was already publicly known – such as details about Facebook’s new facial recognition setting, which had already been announced by the company. Other available information in the report includes bland generalities about corporate governance and training, revealing little about the concrete steps the company is taking.

The FTC cited FOIA’s trade-secret exemption as the reason for most of the redactions.

GDR has requested that the FTC lift some, if not all, of the redactions. Shortly before the publication of this article, a FOIA attorney for the FTC said that if GDR launches a formal appeal, Facebook would have a say in whether any redactions are lifted.

A narrow challenge to reveal, for example, the identity of Facebook’s independent assessor may have better prospects for success than a blanket appeal to unredact the entire report, the official suggested. GDR would have to file a lawsuit if the appeal is unsuccessful, according to the official.

Meanwhile, privacy and transparency advocates alike are criticising the FTC for the broad redactions. 

"The FTC is unlawfully withholding vital information from Facebook's privacy report,” said the Electronic Privacy Information Center (EPIC), taking particular exception to the redaction of the identity of Facebook’s independent assessor. “The public has a right to know who is conducting independent audits of Facebook's privacy practices, which are a key part of the FTC's 2019 Facebook order. And the public is entitled to a full account of Facebook's privacy program and privacy risk assessment process.”

"The public has a clear interest in seeing whether Facebook is complying with the terms of its consent decree,” the Tech Transparency Project told GDR. “This is exactly the kind of document that should be made public in as much detail as possible – it's not an ongoing investigation and there isn't much competitive harm Facebook could suffer.”

Other experts were less harsh in their criticism, saying they never had their hopes up in the first place that the Facebook report would reveal much of anything useful.

“The two sections that seemed like they could be most interesting – user consent for FB's own practices, and monitoring of third parties – were 100% redacted. Of course, I'm not sure those sections actually would have been very illuminating even if they were included,” said Justin Brookman, director of consumer policy and tech policy for the consumer advocacy group Consumers Report. “I remain sceptical about the value that the FTC's mandated third-party audits actually provide other than a minor inconvenience for the company (a paltry alternative to strong penalties).”

Lindsey Barrett, a professor of technology law and policy at Georgetown University, agreed with Brookman. 

“I also share Justin's view on the limitations of these reports to begin with – Facebook reporting that it cleared bars that it essentially set for itself isn't much of a guarantee,” Barrett told GDR.

But regardless of whether the report is a useful tool for transparency or just simply bureaucratic paperwork, the FTC still has a legal obligation to release an unredacted version, according to EPIC and the Tech Transparency Project.

“Frankly, it shouldn’t require a reporter to make a request, let alone do battle with the agency to pry it from their hands. And it shouldn’t be littered with redactions,” the Tech Transparency Project said, recommending that the FTC listen to newly appointed US attorney general Merrick Garland, who said at his confirmation hearing that the government should read FOIA “generously”.

“As the FTC itself said, the whole thing is meant to provide transparency and build public confidence,” the organisation added. This last statement from the Tech Transparency Project is in reference to the FTC’s 24 July 2019 press release announcing the $5 billion settlement, in which the commission said the deal would boost transparency.

“To prevent Facebook from deceiving its users about privacy in the future, the FTC’s new 20-year settlement order overhauls the way the company makes privacy decisions by boosting the transparency of decision making and holding Facebook accountable via overlapping channels of compliance,” said the press release, which also featured a subhead proclaiming: “FTC settlement imposes historic penalty, and significant requirements to boost accountability and transparency”.

Other FTC members have also made bold statements about the efficacy of the settlement agreement, despite not always having records to support that claim.

For instance, at an October 2019 Brookings Institution event on data privacy, FTC member Christine Wilson said Facebook was already taking proactive steps to improve data privacy – even though the settlement had yet to be approved by a district court.

About two months later, Wilson again reported big things happening at Facebook. “For all new products and services, they are embedding restrictions on sharing user data within their programming … They’re implementing practices to allow people to access and delete their data,” the commissioner said in December 2019 at the National Association of Attorneys General conference in Washington, DC.

When GDR asked Wilson last April what information underpinned her public statements, the commissioner clarified that her statements were based on Facebook’s public announcements, as well as communications apparently taking place between the company and FTC staffers.

“Based on this information, I concluded that, while I could not vouch for Facebook’s representations, early signs validate the FTC’s decision to enter this settlement,” she said. “At the same time, the FTC is monitoring Facebook’s compliance closely and will not hesitate to take action if the company fails to comply with the FTC order.”

GDR sent inquiries to Wilson, asking whether she stands by her earlier statements now that she has presumably reviewed Facebook’s privacy report. Wilson declined to comment.


  • Facebook privacy report

    Download document Facebook privacy report

Get unlimited access to all Global Data Review content