Attorney General Karl A. Racine
Office of the Attorney General for the District of Columbia
Facebook Enforcement Action Press Call
December 19, 2018
Good afternoon, everyone. Today, we are filing a lawsuit against Facebook, Inc., because the company failed to protect its users’ personal information. We conducted an investigation and found evidence that Facebook’s lax oversight of its privacy protocols and confusing privacy settings put the personal information of millions of Americans at risk.
We also found that Facebook failed to inform consumers that it had granted certain favored companies special permissions that enabled those companies to access consumer data and override consumer privacy settings. This is the same kind of deceptive privacy practice that the New York Times reported on this morning.
Facebook’s consumers reasonably expect that Facebook will take appropriate steps to maintain and protect their data. Indeed, Facebook tells them as much, promising that it requires apps to respect a Facebook consumer’s privacy. However, Facebook has failed to live up to this commitment. Specifically, it allowed Cambridge Analytica – a political consulting firm – to purchase personal information that was improperly obtained from 70 million Americans, including 340,000 District of Columbia residents. That’s nearly half of the number of residents that live in the District of Columbia. After learning about the massive exploitation of its users’ personal information, Facebook waited for more than two years to disclose the problem to consumers and the appropriate authorities.
In our lawsuit, we are seeking to hold Facebook accountable for jeopardizing and exposing the personal information of tens of millions of its users. We are also seeking to require Facebook to develop new protocols that will safeguard users’ data to ensure this never happens again. Lastly, we are also seeking restitution for the consumers who have been hurt as well as appropriate fines and penalties. I want to make a point about the injunctive relief we’re making as being important not only for platforms like Facebook but also for platforms in the broader technology space.
As we know, Facebook is an online social networking site that was launched in 2004. More than 2 billion people around the world are active Facebook users. As part of its business model, Facebook collects data that touches on every aspect of these 2 billion users’ personal lives. This includes information like a user’s name, gender, birthdate, email address, hometown, interests, education, political affiliation, and photos, as well as their friends.
Facebook also collects information about their users’ behavior and preferences, such as their friends, causes, or other Facebook or website pages they “like,” and what they choose to share on the platform. Facebook’s business model offers social networking services for free and collects personal data from consumers that it can then use to sell targeted advertising to marketers. The company also allows third-party developers to build apps that operate on the Facebook platform and offer services including calendar and email integration, games, and quizzes.
One of the most important jobs we have at the Office of the Attorney General for the District of Columbia is to protect consumers. Under our consumer protection law, companies may not mislead consumers, and they must take reasonable measures to protect consumers’ sensitive personal information. That’s why we’ve brought this lawsuit under the District’s Consumer Protection Procedures Act, which prohibits unfair and deceptive trade practices.
Our office began an investigation into Facebook’s privacy practices shortly after the Cambridge Analytica incident was uncovered earlier this year. Our investigation found that, in the run-up to the 2016 presidential election, some Facebook users downloaded an app called “thisisyourdigitallife” on Facebook. This app claimed to be a “personality quiz” and offered to generate a personality profile for consumers in exchange for downloading the app and granting the app access to some of the consumer’s Facebook data. Unbeknownst to them, this app also collected data from the app users’ Facebook friends. The Facebook users who actually downloaded the app gave permission for their name, gender, birthdate, current city, and “likes” to be harvested. However, the app also harvested all of this same data from all of the friends of the user who downloaded it – even though none of those people had affirmatively provided permission to share such data.
Public reports indicated that, in 2014, the app’s developer sold the consumers’ data to Cambridge Analytica – including the data of millions of people who never downloaded the app or chose to grant it permission to see or use their information. In fact, only 862 District residents downloaded the personality quiz, but more than 340,000 had their data sold to Cambridge Analytica. After they bought that data, Cambridge Analytica and its clients then used it for political purposes to benefit a presidential campaign in 2016. Even though Facebook learned that the personal information of millions of its users was stolen and sold in 2015, the company waited more than two years to inform users and authorities.
Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used. Facebook’s “Terms of Service” represented that Facebook required app developers to respect users’ privacy, and the company claimed that third-party apps would only be able to access information belonging to the consumer who downloaded the app and not to anyone else. Facebook failed to follow its own corporate policies on monitoring the way third-party apps used data collected from consumers, leading to the sale of data to Cambridge Analytica in express violation of Facebook’s own policy. Indeed, the app itself contained terms that directly contradicted Facebook’s policy, expressly stating that collected data could be used for commercial purposes. Nevertheless, Facebook did not take any action against the app and instead permitted it to harvest and sell Facebook consumers’ data without oversight.
In addition, Facebook made it difficult and confusing to control its users’ privacy settings for third-party apps. Facebook users have the ability to tailor their privacy settings for Facebook as well as third-party apps to ensure that they do not share more details with the public or with app developers than they would like to. However, in the period leading up to the Cambridge Analytica data harvest, Facebook made it difficult for users to control privacy settings for apps by placing controls for apps in a completely different part of their platform than their general security settings.
Facebook also failed to make sure that Cambridge Analytica deleted the data as promised after the company found out about the theft. In fact, Facebook took Cambridge Analytica’s word for it that they had deleted the data—even though Facebook staff members were working alongside Cambridge Analytica officials embedded in the Trump campaign, using the very data that Cambridge Analytica had claimed they deleted.
And beyond the Cambridge Analytica data harvest, our investigation uncovered evidence that Facebook was fast and loose with consumers’ personal data in other ways. For instance, Facebook failed to inform consumers that it granted certain favored tech companies, including some mobile device makers, special access to users’ data on the Facebook platform, regardless of those users’ privacy settings.
Our goal with this lawsuit is to obtain relief for harmed consumers who were exploited because of Facebook’s failure to protect their personal information and to make sure this does not happen again. We hope this lawsuit will ensure that Facebook takes better care with consumers’ data and also serves as a broader warning to other social networking and other online companies that they have a legal duty to take the utmost care to safeguard individuals’ information from fraud and exploitation.