Facebook privacy audit by auditors finds everything is awesome!

FTC's heavily redacted report says everything's hunky dory

The US Federal Trade Commission has released an audit of Facebook's privacy practices and it turns out there's nothing to worry about, at least as far as accounting firm PricewaterhouseCoopers (PwC) is concerned.

Clearly, there's nothing to worry about. Go back to your homes, people.

PwC, retained to check on how Facebook has been complying with its 2011 FTC consent decree for deceiving consumers, believes the social ad network – the same one recently pilloried by US lawmakers for allowing profile data to be spirited away to data firm Cambridge Analytica – has been doing a bang-up job.


Facebook puts 1.5bn users on a boat from Ireland to California


In response to an inquiry by the Electronic Privacy Information Center (EPIC), an advocacy group, the FTC recently published a heavily redacted version of the confidential audit on its website.

"In our opinion, Facebook's privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information [for the two-year period between February 12, 2015 and February 11, 2017]," PwC's audit concludes.

Problem solved. But the redacted portions of the report make it difficult to understand how that conclusion was reached.

Er, does that sound accurate to you?

Marc Rotenberg, executive director of EPIC, one of the privacy groups responsible for the 2011 consent order that bound Facebook to biennial privacy reviews for 20 years, called the audit remarkable and not in a good way.

"Something is clearly off the rails," said Rotenberg in a phone interview with The Register. "In 2017, according to PwC, Facebook was doing a great job with privacy compliance. But that was two years after Cambridge Analytica had begun harvesting the data of Facebook users."

EPIC on Friday filed a lawsuit under the Freedom of Information Act (FOIA) to obtain the unreacted version of the audit, in the hope of understanding more about Facebook's privacy safeguards and whether it has breached the terms of the consent decree.

"The question is, after the FTC consent order, why do these problems continue to occur?" said Rotenberg. "That's what the FOIA is for."

The FTC, he said, made repeated use of the trade secret exemption as a justification for withholding information that Facebook does not want revealed. He found that ironic, he said, for a company that wants its users to share all their information.

It's troubling, he said, that the FTC seems unwilling to bring any legal action against either Facebook or Google to enforce privacy settlements.

Were Facebook to be found in breach of its agreement, the fines reportedly could reach $41,484 per violation per user per day. That could translate into billions if the violations applied to the more than 200 million US Facebook users over the course of a year or more.

Rotenberg was reluctant to speculate about why the FTC appeared to be so incapable of action. He chalked it up to "lack of political will." ®

Other stories you might like

  • Firefox kills another tracking cookie workaround
    URL query parameters won't work in version 102 of Mozilla's browser

    Firefox has been fighting the war on browser cookies for years, but its latest privacy feature goes well beyond mere cookie tracking to stop URL query parameters.

    HTML query parameters are the jumbled characters that appear after question marks in web addresses, like website.com/homepage?fs34sa3aso12knm. Sites such as Facebook and HubSpot use them to track users when links are clicked, and other websites like YouTube use them to enable certain site features too.

    On June 28, Firefox 102 released a feature that enables the browser to "mitigate query parameter tracking when navigating sites in ETP strict mode." ETP, or enhanced tracking protection, encompasses a variety of Firefox components that block social media trackers, cross-site tracking cookies, fingerprinting and cryptominers "without breaking site functionality," says Mozilla's ETP support page.

    Continue reading
  • California state's gun control websites expose personal data
    And some of it may have been leaked on social media

    A California state website exposed the personal details of anyone who applied for concealed-carry weapons (CCW) permits between 2011 and 2021.

    According to the California Department of Justice, the blunder happened earlier this week when the US state's Firearms Dashboard Portal was overhauled.

    In addition to that portal, data was exposed on several other online dashboards provided the state, including: Assault Weapon Registry, Handguns Certified for Sale, Dealer Record of Sale, Firearm Safety Certificate, and Gun Violence Restraining Order dashboards. 

    Continue reading
  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading

Biting the hand that feeds IT © 1998–2022