FTC withholds hundreds of Facebook audit records
An independent audit of Facebook says “substantial additional work” is still needed to fix the company’s privacy problems. Just how much work is unclear, as the US Federal Trade Commission has kept hundreds of pages of the 236-page report secret.
The Facebook audit is one of the provisions of Facebook’s $5 billion settlement with the FTC over the Cambridge Analytica scandal. The previous auditor, PwC, reportedly failed to spot the Cambridge Analytica scandal in earlier assessments, but the FTC promised in its July 2019 enforcement action that the settlement would “boost accountability and transparency.”
Earlier this month, GDR revealed that Protiviti is Facebook’s new auditor. GDR obtained the information through a FOIA request after the FTC redacted Protiviti’s identity from a prior Facebook internal assessment that GDR had also obtained.
After obtaining Protiviti’s identity, GDR made another FOIA request to the FTC for the auditing firm’s report. An FTC attorney responded that the agency was “working to get the audits posted to our public website” and offered to notify GDR when that took place “so we can avoid the FOIA process”. GDR confirmed that it wanted to move ahead with the FOIA request.
But instead of disclosing the documents in full, the FTC apparently published them in a heavily redacted form on Tuesday. The FTC also provided the records to MLex, which published a story on them last Friday.
The records include a heavily redacted letter Facebook wrote about the report, as well as 18 pages of Protiviti’s 236-page report.
The letter, signed by Facebook chief privacy officer Michel Protti, says the report signals a “watershed moment at Facebook” and that the company has made “substantial investments” in compliance.
Whether that’s true isn’t clear, because the report’s 18-page executive summary is also heavily redacted. Moreover, it’s not clear what else could be in the report, because nearly the entire table of contents is redacted.
The information that survives in the redacted 18 pages describes the rigour with which Protiviti says it assessed Facebook.
“Protiviti met with members of Facebook's Independent Privacy Committee (IPC) of the board of directors [REDACTED],” the report says. “We also met with the FTC four times, and regularly met with members of Facebook's management team and outside legal advisors, to inform them of the progress of the assessment and of the gaps and weaknesses that were noted as a result.”
Information about those gaps and weaknesses has also been removed. The report does say that flaws “demonstrate that substantial additional work is required, and additional investments must be made, in order for the programme to mature [REDACTED].”
Among Protiviti’s recommendations is that Facebook should fully establish an independent oversight function and a risk-control mindset, and that it should apply the company’s strong automation and analytics tools to its privacy programme. But the sections under each of those recommendations are redacted.
The Tech Transparency Project told GDR that the heavily redacted report indicates another failure by the FTC and Facebook to follow through on transparency promises.
"Facebook says publicly that it wants transparency, but the company has yet to practice meaningful transparency," said Tech Transparency Project director Katie Paul. "The heavy redactions of this report – paired with the [Wall Street Journal] series regarding Facebook burying internal research – show that the company knows so much more than is publicly disclosed, and it's important for that information to see the light of day.
"Facebook's failure to disclose its data regarding the company's operations and the harms of its platform are just one more indicator that Facebook should not be regulating itself."
Privacy groups have also criticised the FTC’s redactions of past Facebook audits, including the PwC assessment that failed to spot the Cambridge Analytica scandal.
“Why is the FTC not more forthcoming with the public? We don’t believe that the agency should be permitted to hide behind trade secrets,” then-Electronic Privacy Information Center (EPIC) executive director Marc Rotenberg told Wired in 2018 after his organisation obtained the PwC report. “The public need to know is simply too great.”
EPIC took particular exception to the FTC redacting the identity of Protiviti earlier this year.
“The public has a right to know who is conducting independent audits of Facebook's privacy practices, which are a key part of the FTC's 2019 Facebook order,” EPIC told GDR in March. “And the public is entitled to a full account of Facebook's privacy programme and privacy risk assessment process.”
EPIC said withholding the identity of Protiviti at the time was “significant because the public cannot compare these independent audits to past audits, or even other companies’ privacy audits to see if the assessors are actually doing what is necessary to critically evaluate privacy practices”.
“How is the public supposed to conduct meaningful scrutiny of the assessment process and of Facebook’s current privacy practices if the FTC withholds major portions of the report?” EPIC said.
The FTC has not responded to GDR inquiries about the matter.
Facebook, for its part, said that it is standard practice for reports like the Protiviti report to include redactions in order to protect the “integrity of the assessment and the confidentiality of commercial information.”
“The redactions were determined by the FTC with input from Facebook and the independent assessor,” a Facebook spokesperson said. “They reflect the portions of the report containing confidential commercial information, which is protected from public release by law.”
The Facebook spokesperson further emphasised that “the report’s recommendations are consistent with what one would expect to see for a rapidly evolving, early stage program of this level of complexity.”
“You also shouldn’t miss the fact that the report ‘calls out our extensive investments in privacy compliance and notes that the scope of our privacy program and the structure we’ve used to organize it are comprehensive,’” the spokesperson said. “As a result, the key foundational elements necessary for an effective program are now in place even if some are still developing.”
But groups like EPIC and the Tech Transparency Project disagree.
"The public has a clear interest in seeing whether Facebook is complying with the terms of its consent decree,” the Tech Transparency Project said. “This is exactly the kind of document that should be made public in as much detail as possible – it's not an ongoing investigation and there isn't much competitive harm Facebook could suffer.”