In a letter to Facebook CEO Mark Zuckerberg, 37 State Attorneys General called on the company to provide further data about their latest user data scandal.
VICE News reports that 37 State Attorneys General have signed a letter to Facebook CEO Mark Zuckerberg, calling on the company to answer questions about their most recent data scandal, which allegedly involved the user data of 50 million people used by analysis firm Cambridge Analytica. The National Association of Attorneys General published the letter addressed to Zuckerberg which can be read in full below:
Dear Mr. Zuckerberg:
The undersigned State and Territory Attorneys General are profoundly concerned about the recently published reports that personal user information from Facebook profiles was provided to third parties without the users’ knowledge or consent. As the chief law enforcement officers of our respective states, we place a priority on protecting user privacy, which has been repeatedly placed at risk because of businesses’ failure to properly ensure those protections. Most recently, we have learned from news reports that the business practices within the social media world have evolved to give multiple software developers access to personal information of Facebook users. These reports raise serious questions regarding consumer privacy.
Early reports indicate that user data of at least 50 million Facebook profiles may have been misused and misappropriated by third-party software developers (“developers”). According to these reports, Facebook’s previous policies allowed developers to access the personal data of “friends” of people who used applications on the platform, without the knowledge or express consent of those “friends.” It has also been reported that while providing other developers access to personal Facebook user data, Facebook took as much as thirty (30) percent of payments made through the developers’ applications by Facebook users.
Facebook apparently contends that this incident of harvesting tens of millions of profiles was not the result of a technical data breach; however, the reports allege that Facebook allowed third parties to obtain personal data of users who never authorized it, and relied on terms of service and settings that were confusing and perhaps misleading to its users.
These revelations raise many serious questions concerning Facebook’s policies and practices, and the processes in place to ensure they are followed. Were those terms of service clear and understandable, or buried in boilerplate where few users would even read them? How did Facebook monitor what these developers did with all the data that they collected? What type of controls did Facebook have over the data given to developers? Did Facebook have protective safeguards in place, including audits, to ensure developers were not misusing the Facebook user’s data? How many users in our respective states were impacted? When did Facebook learn of this breach of privacy protections? During this timeframe, what other third party “research” applications were also able to access the data of unsuspecting Facebook users?
In addition to responses to these questions, we request an update about how Facebook will allow users to more easily control the privacy of their accounts. Even with the changes Facebook has made in recent years, many users still do not know that their profile—and personal data—is available to third-party vendors. Facebook has made promises about users’ privacy in the past, and we need to know that users can trust Facebook. With the information we have now, our trust has been broken.
Users of Facebook deserve to know the answers to these questions and more. We are committed to protecting our residents’ personal information. More specifically, we need to understand Facebook’s policies and procedures in light of the reported misuse of data by developers. We appreciate the information you have provided to date and expect your full cooperation going forward in our inquiries into your business practices. To that end, we expect a full accounting for what transpired and, answers to the questions we raised above. We look forward to your prompt response.
The letter was signed by 37 State Attorneys General from the following states and territories:
District of Columbia
The Attorneys General interest in the case is unsurprising and was predicted by Laura Moy, the deputy director of the Georgetown Law Center on Privacy and Technology, last week in an interview where she stated, “State attorneys general will probably be looking at this case under state data security and breach notification laws and under state laws that prohibit unfair and deceptive practices by companies.”