Governance & Risk Management , Privacy

Facebook Takes $3 Billion Hit, Anticipating FTC Fine

Questions Loom About Whether Big Fines Will Prompt Privacy Reform
Facebook Takes $3 Billion Hit, Anticipating FTC Fine
The U.S. Federal Trade Commission's building in Washington (Photo: Faungg via Flickr/CC)

Facebook has set aside $3 billion from its first quarter profit to pay for what is likely to be a record-breaking fine from the U.S. Federal Trade Commission, which is investigating its data-sharing practices.

See Also: Zero Trust Cybersecurity for Federal Agencies: Building an Integrated Approach

On Wednesday, the social network said the FTC fine could be as much as $5 billion. Facebook had expected to post about $5.4 billion in profit over the first three months of this year, but it has revised that to $2.4 billion.

"The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome," according to its earnings release.

Subtracting the money set aside for the fine, Facebook's operating margin is still 22 percent - a respectable figure for any business - but less than half the 46 percent margin it recorded for the prior quarter.

Facebook's profit for the first quarter is much less because it is saving money for a likely billion-dollar fine from the FTC. (Source: Facebook)

The FTC and Facebook have been negotiating a settlement into whether the social network violated a 2012 agreement with the agency. The FTC investigation was launched as a result of Cambridge Analytica, a defunct voter-profiling firm, which improperly obtained profile data for 87 million Facebook users without their consent (see: Facebook and Cambridge Analytica: Data Scandal Intensifies).

The FTC's investigation continues as technology companies are facing a backlash over issues ranging from election interference to fake news to privacy to the propagation of violent and offensive content. Also, some critics have called for the break-up of dominant U.S. companies, such as Google, Amazon and Facebook, to protect competition.

The Fine: A Red Herring

A multibillion dollar fine would be the largest-ever issued by the FTC. The largest fine to date the FTC has imposed was a $22.5 million fine against Google in 2012.

But the size of the fine may largely be a red herring, says Corynne McSherry, legal director of the Electronic Frontier Foundation.

Corynne McSherry

"I think focusing on the money may distract from where I think the FTC should really be putting its energy, which is thinking about what it needs to put in place to making a consent decree actually meaningful," McSherry says.

Since 2012, Facebook has been under the FTC's watch. It agreed to a settlement that required it to submit third-party audits to the FTC every two years. It wasn't fined at the time, but the FTC warned it could be fined if it violated the agreement.

The FTC accused Facebook of assuring users that their information would be kept private but then making changes to the site's controls that opened up data to the public without users' consent. The agency also contended that Facebook misrepresented the type of access third-party apps could have to personal data and shared personal data with advertisers.

The Cambridge Analytica issue centered on the sharing of personal information. A Cambridge University researcher, Aleksandr Kogan, deployed a personality quiz on Facebook in late 2013. The quiz collected information for not only people who took the quiz, but also of their friends who didn't take the quiz.

Kogan passed the data to Cambridge Analytica, which Facebook contended was against its rules. It would appear that kind of data sharing - without users' permission - would violate the FTC settlement.

Ensuring Compliance

Pressure is growing on technology companies as privacy and security regulations are strengthened. The European Union's General Data Protection Regulation is influencing technology companies around the world, which are often opting to adjust to that new high bar even if their home country laws are weaker.

The U.S. is also mulling federal privacy legislation that would offer broader protections to consumers in an economy where personal data is a powerful fuel for profit.

But there are questions if fines are enough, especially because the largest technology companies make billions in profits each quarter. In New York, however, a criminal probe against Facebook is underway, with a grand jury investigating controversial data-sharing deals the social network made (see: Prosecutors Probe Facebook's Data Deals).

PwC's 2017 Facebook audit.

There are also questions as to why audits over the intervening years since Facebook's last settlement with FTC didn't raise alarms.

The audits were never intended to be made public. But the Electronic Privacy Information Center, a Washington-based digital watchdog, filed a Freedom of Information Act request in March to obtain three assessments. Last week, EPIC said it obtained a redacted version of a 2017 assessment by PwC.

This time around, McSherry says, the FTC should focus on a new settlement with Facebook that would be meaningful and followed by the company. Longer term, mechanisms need to be put in place to make sure tech companies comply, he says.

"We need transparency as part of a decree now and certainly any regulation down the road," McSherry says. "We need independent audits to be public and not hidden away and ones with real rigor."

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.