In announcing the record-breaking $5-billion fine against Facebook for its relentless privacy violations, Federal Trade Commission Chairman Joe Simons and his two Republican colleagues on Wednesday pronounced themselves “extremely proud” of the settlement.
Despite their crowing about the “landmark penalty and conduct relief” that the FTC extracted from the giant social media company, it’s hard to see what they’re proud of. The settlement demonstrates the essential toothlessness of the FTC’s approach to manifest legal wrongdoing and its unwillingness to bring individual wrongdoers to account.
That’s because the “conduct relief” that the FTC imposed on Facebook will be plainly ineffective and easy for the company to subvert, and Facebook’s management, including Chairman and CEO Mark Zuckerberg, Chief Operating Officer Sheryl Sandberg and the entire board of directors are receiving a release from all liability for the company’s past violations.
I started Facebook, I run it, and I’m responsible for what happens here.
Mark Zuckerberg
Yes, Zuckerberg would face potential “personal liability, including civil and criminal penalties,” for future violations of the settlement, as the Simons statement observed. But he could have been held liable for violations of the consent order the company signed in 2012, which gave rise to Wednesday’s announced settlement, and wasn’t. “Our complaint announced today alleges that Facebook failed to live up to its commitments under that order,” Simons acknowledged.
Why should he think matters will be different the next time around?
Zuckerberg claims the settlement builds on what Facebook already does. “We have a responsibility to protect people’s privacy,” he wrote on a company blog. “We already work hard to live up to this responsibility, but now we’re going to set a completely new standard for our industry.” It should go without saying that if Facebook genuinely was working hard to live up to its privacy responsibility, there wouldn’t be an FTC settlement to discuss.
The flaws in the settlement were thoroughly set forth in dissents filed Wednesday by the FTC’s two Democratic commissioners, Rebecca Kelly Slaughter and Rohit Chopra, both of whom voted against the deal.
Slaughter noted that the settlement’s release of “any and all claims” against Facebook, Zuckerberg, and the company’s directors for violating the 2012 settlement is “unjustified by our investigation and unsupported by either precedent or sound public policy.”
Chopra similarly observed that the settlement lets Facebook “off the hook” for its violations and called the blanket grant of immunity for its officers and directors a “giveaway.”
The settlement underscores the folly of government enforcement deals that levy fines or penalties against corporations but leave their executives and directors — the true wrongdoers — with their pockets full. Experts in white collar crime have explained again and again that business wrongdoing won’t be deterred unless the human beings in charge of corporations face jail and financial consequences for their actions.
That’s especially true in Facebook’s case, as Slaughter and Chopra point out. The fine of $5 billion is certainly stupendous when measured against FTC fines in previous cases, but it’s still a pittance compared with Facebook’s financial heft, particularly since its violations were directly related to the business model that made it rich.
“During the years of Facebook’s continuous alleged lawlessness,” Slaughter wrote, “its gross annual revenue increased from $5 billion to over $55 billion.” As Chopra emphasized, there are few public corporations in America that are as tightly controlled by a single individual as Facebook is by Mark Zuckerberg. As he declared in congressional testimony in April 2018, “I started Facebook, I run it, and I’m responsible for what happens here.”
Let’s take a look at the violations of law that the FTC alleges against Facebook and why its settlement will do so little to change its behavior.
According to the FTC’s legal complaint, also made public Wednesday, the company deceived its users into believing that they could use the privacy settings on their web accounts to restrict the sharing of their private information with others, including strangers. In fact, third-party developers could obtain broad access to that information without the users’ knowledge.
Facebook failed to enforce its own policies that ostensibly limited its commercial partners’ access to that data. The FTC alleges that the reason was “the financial benefit that violator third-party app developers provided to Facebook.”
Facebook didn’t bother to disclose this gap in its privacy enforcement to the entities set up under the 2012 consent order to monitor its enforcement.
Facebook allegedly deceived users into handing over personal information to enhance their security online. This included their phone numbers, which Facebook implied would be used for two-factor authentication — a way of enhancing password protections by requiring users to sign onto their accounts with a code sent to their phones. But Facebook then used those phone numbers to feed its advertising business.
The core problem, of course, is that Facebook’s business model depends on advertising, and that means feeding advertisers as much information as it can about members of their target market. The company’s voracious appetite for advertising dollars is what prompted it to effectively turn a blind eye to violations by third-party application developers using its online platform.
Those third parties included Cambridge Analytica, a political consultancy that freely snarfed up information about Facebook users — in violation of Facebook’s wink-wink policies — and allegedly used it on behalf of the Trump presidential campaign and the Brexit campaign in Britain. That made Facebook allegedly complicit in suborning the democratic process in both countries, which surely warrants a stringent regulatory response.
The remedies imposed by the FTC aren’t that. The majority commissioners go on at some length in their defense of the settlement about how it “imposes significant new privacy and data security obligations on Facebook” and mandates “a sea change” in how Facebook complies with its security obligations.
But the settlement doesn’t require Facebook to change its data collection practices, only to report more forthrightly about what it’s up to. Slaughter says she’s “skeptical” that the order “will have a meaningful disciplining effect on how Facebook treats data and privacy, since it has no “meaningful limitations on how Facebook collects, uses, and shares data.”
The obligations that Simons and his fellow Republicans refer to include the creation of a new committee of independent directors to oversee privacy policies. Supposedly this committee will act as a brake on Zuckerberg. Chopra is doubtful. The order seems to overlook the essential fact that Zuckerberg exercises unassailable control over the board of directors by virtue of his ownership of nearly 60% of shareholder votes.
“The proposed settlement ratifies Facebook’s governance structure instead of changing it,” Chopra says. The Independent Privacy Committee, he observes correctly, “has little independence, no meaningful powers, and no buy-in from shareholders.” The committee member will be chosen by a nominating committee of the board “whose members the controlling shareholder, Zuckerberg, can essentially pick or vote not to retain, reducing their level of independence. Even if truly independent directors were chosen, they would be virtually powerless: The order gives them no authority to veto any management decision, and their fiduciary duty is to shareholders, not users.”
Chopra concludes that “ultimately, the Committee’s only clear power is to ensure that the company has assembled the paperwork required by the order. Corporate plans to integrate platforms, change terms of service, or other key decisions will be beyond the reach of the Committee, even if its members were sufficiently independent to want to intervene.”
FTC Chairman Simons and his GOP colleagues say in their defense that the settlement at hand was the best they could achieve without litigating against Facebook in court, with the risk that the FTC might lose. They claim the settlement “far exceeds what the Commission could expect to receive at the end of litigation years from now.”
Is that so? In litigation, Chopra notes, “we would surely face risks — but so would Facebook.” Even if a court failed to impose all the penalties encompassed in the FTC order, the public airing of accusations against the company, the forced testimony of Zuckerberg and Sandberg, and other disclosures that come from a court case would have their own benefits. And that’s not even to mention signaling to other wrongdoing corporations that the FTC is serious about holding them to account.
Wednesday’s settlement may not be the last word on Facebook’s privacy practices. The deal must be signed by a judge and could come under scrutiny by Congress. We can hope against hope that they show more spine than the FTC. And then there’s the prospect of enforcing this order against future violations. It’s possible that Zuckerberg will be sufficiently chastened by the experience of this FTC investigation to change his and Facebook’s ways to avoid another one down the line. But based on the record thus far, that’s not the way to bet. The only question is how much damage Facebook can do to its users’ privacy and to social norms before it’s again held to account.