UK Parliament Seizes Internal Facebook Privacy Documents
Pinkini App Developer's Lawsuit Discovery Feeds Parliament's Facebook Probe
A British lawmaker says he has obtained sealed U.S. court documents, as Parliament continues its investigation into data security and privacy controls at Facebook as well as parallel investigations into fake news and Russian information warfare campaigns.
Damian Collins, the Conservative member of parliament who chairs the Digital, Culture, Media and Sport Committee in the House of Commons, employed a rarely used parliamentary privilege to compel the founder of a U.S. software company - a U.S. citizen who was in the U.K. - to provide the documents to Parliament, the Observer first reported.
In another rare move, Collins dispatched the sergeant-at-arms for the House of Commons to the man's hotel room, warning him that he had two hours to comply with Parliament's request, the Observer reported. When the man failed to comply, he was reportedly brought before Parliament and warned that despite being a U.S. citizen, at that moment he was subject to U.K. jurisdiction and faced fines or even imprisonment if he failed to comply.
The documents he turned over reportedly pertain to a lawsuit filed by Six4Three, which had invested $250,000 in Pinkini, an app designed to allow Facebook users to search for pictures of people wearing swimsuits. The lawsuit, which was filed in California state court in 2015 and had been sealed, alleged that Facebook made changes to its privacy policy that blocked some apps from obtaining user data, while creating a "white list" that still allowed access to some apps. As part of the lawsuit's discovery process, Six4Three reportedly obtained internal Facebook communications that show officials discussing potential changes to the company's privacy policies.
In 2015, the Wall Street Journal reports, Facebook's changes led to Pinkini being forced to shut down, according to the lawsuit.
Facebook: 'Claims Have No Merit'
Facebook didn't immediately respond to a request for comment.
But a spokesman told the Observer that Six4Three's "claims have no merit, and we will continue to defend ourselves vigorously."
Facebook also said: "The materials obtained by the DCMS committee are subject to a protective order of the San Mateo Superior Court restricting their disclosure. We have asked the DCMS committee to refrain from reviewing them and to return them to counsel or to Facebook. We have no further comment."
Richard Allan, Facebook's vice president for public policy, who's due to testify before a DCMS committee this week, responded to Collins' move in an email on Sunday, saying that Six4Three's lawsuit against Facebook was "entirely without merit" and should not be taken at "face value."
Allan is a former Liberal Democrat MP who since 2010 has been a life peer, meaning he was appointed by the queen to serve as a member of the House of Lords.
"We hope you will want to reflect on the core issue behind the complaint," he wrote in his letter, a copy of which was posted to Twitter by Observer reporter Carole Cadwalladr, who broke the story.
NEW: Facebook responds to UK parliament's seizure of internal docs. It is getting its lines of attack out there. This is copy of its letter to @DamianCollins that it has just sent me... pic.twitter.com/lfSeoM1j2l
— Carole Cadwalladr (@carolecadwalla) November 25, 2018
"The case being brought by Six4Three is a challenge against our efforts to restrict access to data by apps in 2014/2015," Allan wrote. "On earlier occasions, your committee appeared to endorse this more restrictive approach. If this has now changed, it would be useful to understand why."
Parliament May Publish Documents
Collins, however, fired back, noting that as Allan was surely aware, U.K. lawmakers were acting well within their remit. "The House of Commons has the power to order the production of documents within the U.K. jurisdiction, and a committee of the House can publish such documents if it chooses to, with the protection of parliamentary privilege."
I have written back to Richard Allan at Facebook following their email to me today regarding the documents ordered by @CommonsCMS from Six4Three. You can read a copy of it here pic.twitter.com/lXWS2gOPBM
— Damian Collins (@DamianCollins) November 25, 2018
It's not clear how the lawsuit or existence of the documents came to the attention of Parliament. But Collins says his committee was driven to seek the information in part because of Facebook CEO Mark Zuckerberg's failure to testify before Parliament, despite its multiple requests that he do so. Instead, Facebook this week is sending Allan (see: Mark Zuckerberg's European Appearance: Thumbs Down).
"We are in uncharted territory," Collins said of his committee's move to seize the Facebook documents. "This is an unprecedented move, but it's an unprecedented situation. We've failed to get answers from Facebook, and we believe the documents contain information of very high public interest."
Cambridge Analytica Investigation
The parliamentary committee's investigation is focusing in part on the acquisition of 87 million profiles by Cambridge Analytica, the now-defunct analytics firm that worked on President Donald Trump's election campaign for about five months and also worked with the "Leave" campaign during Britain's 2016 "Brexit" referendum on its EU membership (see: Besieged Cambridge Analytica Shuts Down).
Aleksandr Kogan, a psychologist at Cambridge University, collected the Facebook data via a Facebook app he created, before passing the data to Cambridge Analytica. Facebook says he violated its developer policies, although it has also admitted that it was not enforcing those policies, and that more than 200 other apps may also have exposed user data (see: Report: Facebook App Exposed 3 Million More Users' Data).
In October, the Information Commissioner's Office, the U.K.'s data protection authority that enforces the country's privacy laws, imposed the maximum fine allowed by law on Facebook over the Cambridge Analytica incident. One measure of the seriousness of the data privacy violation is that only one other organization - Equifax - has ever been hit with the maximum possible £500,000 ($640,000) fine (see: Facebook Slammed With Maximum UK Privacy Fine).
Russian Interference Investigation
The DCMS committee is investigating not only Facebook, but also Russian interference in the U.K. political sphere. "We have very serious questions for Facebook. It misled us about Russian involvement on the platform. And it has not answered our questions about who knew what [and] when with regards to the Cambridge Analytica scandal," Collins said. "We have followed this court case in America, and we believed these documents contained answers to some of the questions we have been seeking about the use of data, especially by external developers."
In June, the Wall Street Journal reported that Facebook had struck special deals with some companies, including Nissan, giving them access to very large sets of user data, well after it says it blocked such access.
Later that month, in written answers provided to questions posed by Congress, Facebook said that despite its claim that it had cracked down on developers' access to user data in 2015, it continued to give 61 organizations - including ABC Television Network, dating site Hinge, carmaker Nissan and Russian webmail portal Mail.ru - extra access to user data (see: Facebook to Congress: We Shared More Data Than We Said).
The acquisition of the internal Facebook documents by the parliamentary committee means that any sensitive information they contain, especially pertaining to the social network's internal discussions on its data security and privacy practices, could be made public by the committee. The information might also be used when questioning Allan during his planned appearance this week before the committee.
"I look forward to seeing you again on Tuesday," Collins wrote in his reply to Allan.