Facebook Promises Privacy Reform. Critics Aren't Convinced


In July 2019, Facebook settled with the Federal Trade Commission over a litany of the tech giant's privacy violations. The agreement, which the Justice Department's civil division approved at the end of April, is most memorable for levying a $5 billion fine against Facebook. But it also laid out requirements for a slew of changes to Facebook's internal privacy mechanisms and corporate culture. Six months into implementing these improvements, Facebook's chief privacy officer of product Michel Protti and chief privacy officer of policy Erin Egan spoke with WIRED about the effort, which they say is driving concrete changes.

"I’ve worked on data and privacy policy issues at Facebook for nine years, and during that time I have seen firsthand how we’ve changed and continue to grow as a company and as technology evolves," Egan says. She likens the FTC agreement to Facebook's 2012 "shift to mobile," in which the company rapidly refocused on developing all of its tools and services to run natively on smartphones. "This is something we do, when we have clear priorities we move fast and adapt, that’s just part of our DNA."

The current shift to privacy, though, comes after more than a decade of scrutiny over Facebook's serious privacy lapses and data sharing issues. Privacy advocates and policy analysts have also expressed skepticism about the FTC's mandates from the start, since they don't include broad limits on the entities Facebook can share data with or the types of data the company can collect. And a significant portion of the FTC agreement leaves the methods for privacy improvement up to Facebook itself, a dubious arrangement given the company's track record.

As part of the agreement, Facebook is sharing quarterly and annual updates with the FTC on its progress; the company is submitting its first quarterly report at the end of this week. These compliance reports are signed by CEO Mark Zuckerberg, and the FTC agreement includes a condition that "any false certification will subject [Facebook] to individual civil and criminal penalties." Facebook will also submit to reviews by an independent assessor, the first of which begins next week. None of these reports and findings will be made public. The FTC declined to comment for this story.

Both Protti and Egan argue that the company is making substantive changes. Every new employee now goes through training to reinforce that privacy is everyone's responsibility across every department. The company has also started doing annual privacy risk assessments across 30 of its "key" business units to identify gaps and potential problems and rectify them—a process that Protti and Egan say has already led to improvements. And the company's board of directors now also has a privacy committee meant to oversee and verify improvements as an accountability mechanism.

"From our perspective, we’ve made important progress, but we still have a tremendous amount of work to do," Protti says. "We’re in the early phases of a multi-year and ongoing effort to evolve our culture, our operations, and our technical systems to honor people’s privacy."

Protti says that the company has overhauled its privacy review process for products and services that share user data in new ways. One specific point in the FTC agreement is that Facebook can no longer use customer phone numbers collected for two-factor authentication for targeted advertising and to recommend friends, a controversial practice that Facebook admitted to only after a 2018 investigative piece by Gizmodo. Protti says Facebook wants not only to meet its regulatory obligations, but to also go beyond that with more robust technical validations, documentation, and implementation checks. He stressed the importance of collaboration between teams to ensure that a product or feature's privacy protections are not only functioning as designed, but that the design itself is sound.

Source: Wired
