The FTC just announced the details of its settlement agreement with Facebook over years of privacy practices in violation of a previous order. To say the settlement is favorable to Facebook, even with the record $5 billion penalty, is an understatement; the company’s lawyers are probably popping champagne right about now. Here’s why.
1. $5 billion is a laugh
Indeed, $5 billion may sound like a lot, but in this context it is simply not a meaningful amount. Leaving aside that Facebook at this point probably makes that in a month, it simply does not correspond to the harm done or rewards reaped.
It’s highly likely that Facebook’s “unjust enrichment,” made as a result of the forbidden user data collection in which it engaged, is more than $5 billion. As Commissioner Rohit Chopra says in his dissenting statement, “breaking the law has to be riskier than following it.” In other words, you shouldn’t be able to steal $100, then pay a fine of $50 to get off the hook.
“The fact that Facebook’s stock value increased with the disclosure of a potential $5 billion penalty may suggest that the market believes that a penalty at this level makes a violation profitable,” wrote Commissioner Rebecca Kelly Slaughter in her own dissent.
In the case of Google, which in spirit is similar to this one, the settlement with the FTC amounted to several times the company’s unjust enrichment. Why isn’t that the case with Facebook? Because the investigation didn’t look into it.
2. The investigation was rushed and incomplete
No one likes it when serious investigations of wrongdoing (not that Facebook officially admits to any) drag on for too long, because in the meantime the wrongdoing may very well continue. But this case isn’t a simple one where Facebook may have violated one or two of the FTC’s prohibitions for a short period of time in 2014. The company ignored the government-ordered restrictions systematically for years, meriting an investigation on a similar scale.
Instead of getting deep into the questions of who was responsible, how much money was made, whether public statements were misleading, the extent of public harm, etc., the investigators opted to quickly establish a pattern of violating behavior and slap the company with a nice round number. (Let’s hope the antitrust investigation announced today is a bit more thorough.)
The brevity and limitations of the investigation are evident from the fact that…
3. They didn’t grill any executives
“The Commissioners supporting this outcome do not cite a single deposition of Zuckerberg or any other Facebook officer or director,” writes Chopra. Although there may have been off-record conversations or letters from execs in response to questions sent by investigators, they did not put Zuckerberg or Sandberg or any other big players in the hot seat. Seems fundamental when the investigation alleges complicity at the highest levels, right?
But not only were no executives put to the question…
4. There are no charges or consequences for them either
“I started Facebook, and at the end of the day I’m responsible for what happens on our platform,” wrote Mark Zuckerberg last year during the fracas surrounding his questioning by Congress. Nor is that only his opinion. There is a great deal of precedent for leveling additional, complementary charges at executives alongside those aimed at the company. They might not even need testimony to do it:
“I believe there is already sufficient evidence, including through public statements, to support a charge against Mark Zuckerberg for violating the 2012 order,” writes Chopra, and Commissioner Slaughter concurred. Even if that weren’t the case, they could state with certainty that leadership, if it was not directly complicit in rulebreaking, at least failed in their responsibility to prevent it.
Going after individuals, however, may involve separate fact-finding work, expensive and time-consuming litigation and, of course, the risk that after all that, the judge will rule against the FTC and officially exonerate the defendant and set an unsavory precedent. They may have decided that risk was too great, but surely if some revealing information comes to light tomorrow individual charges may result.
5. You get immunity! And YOU get immunity!
It’s ordinary in settlements like to this to “release” companies from claims that they violated an agreement — like a plea bargain where you get probation and no record in exchange for a fine and community service. But the Facebook settlement gives both the company and its executives blanket immunity, not just for any violations the FTC has claimed, but for any violations it hasn’t claimed.
In other words, it’s giving Facebook a blank slate not only for violations it definitely did, but for any it might have secretly done between 2012 and 2018. “A release of this scope is unjustified by our investigation and unsupported by either precedent or sound public policy,” writes Slaughter. “I have not been able to find a single Commission order — certainly not one against a repeat offender — that contains a release as broad as this one,” concurs Chopra.
It’s extraordinary that a repeat offender that has shown a disdain for the FTC’s authority would get such comprehensive, top-to-bottom immunity. This isn’t just a plea bargain, it’s a plenary indulgence.
6. The privacy measures are honor system
This was perhaps the FTC’s best chance to lay down strong rules as to what Facebook can and can’t do with user data going forward — especially considering the previous ones were shrugged off. Instead, apart from a few new rules like better notification of facial recognition systems, it basically just told Facebook it can do what it wants as long as it files the paperwork.
The settlement requires Facebook to document lots of things. If a new product is a potential risk, Facebook has to write a report on what data will be collected, how it will notify users, whether they can opt out and how it is (and isn’t) planning to reduce that risk. Nowhere does the FTC spell out what constitutes unreasonable risk, minimum notification or opt-out requirements, or whether a product or strategy (like absorbing WhatsApp) is automatically suspect.
“It is akin to if federal regulators, instead of ordering automakers to install seatbelts, ordered them to document the pros and cons of installing seatbelts, and to decide for themselves whether it would be worthwhile,” writes Chopra.
As long as it files its paperwork, Facebook is free to decide what constitutes risk, damage to users and how it should handle those things. It’s a bit like asking a bank robber to write a journal. But even if someone reads it and finds something objectionable…
7. The oversight is toothless
Facebook must establish a Privacy Committee, Compliance Officers and an Independent Assessor to make sure that the rules it sets for itself are sufficient and being followed sufficiently. Unfortunately, what they do is a whole lot of reviewing, certifying and briefing — and no doing.
The Compliance Officers sign off on the privacy program, to be sure, but they have few specific goals, like prevent this or ensure that. The Assessor also lacks authority, so if they decide the privacy program is not working out, they simply register their complaint and wait for Facebook to justify itself.
The “independent” committee’s makeup will be highly affected by the powers that be at Facebook, which have enormous voting power and will be able to make it hard on any troublesome members. Even if they couldn’t, the committee has no power over management — it’s just another Facebook-issued stamp for Facebook-written paperwork.
8. Fancy meeting you here
As The Hill’s Harper Neidig points out: Sean Royall, Facebook’s head counsel in these proceedings, was deputy director at the FTC’s Competition Bureau (not the Bureau of Consumer Protection, which led this action) from 2001-2003. His boss at the bureau then was Joseph Simons — the current chairman of the FTC.
It’s probably just a coincidence.
9. It changes nothing, and endorses Facebook’s continued monetization of mass surveillance
Nothing in this order challenges the fundamental problem that over the last decade has increasingly caused friction between Facebook and both its users and (supposed) regulators: that its business model is predicated on mass collection of personal data on its users, which it distills then sells to advertisers.
That’s a business model that should give any consumer protection regulator pause, and yet this settlement is a tacit endorsement of it. The order really amounts to little more than additional paperwork for Facebook to fill out while it pursues its original course without any divergence.
To be fair, the FTC is a reactive agency, and as such is limited by how much it can really require proactively. But it doesn’t seem like they were testing those limits today. The decision not to litigate, the unimaginative penalty amount and the eye-popping immunity grant suggest the agency is working comfortably within them and just wanted to get this thing out the door.
The requirements of the settlement were barely even considered on today’s earnings call, on which there appeared to be an understanding that it wouldn’t affect much if anything at all. Even the fear that Zuckerberg voiced earlier today that it would require hiring a thousand people who might otherwise be working on new products (a questionable claim, incidentally) went unaddressed.
This was an opportunity for the FTC to demonstrate that the U.S. is a venue where global internet companies like Facebook can still be held accountable for their actions. It was made clear today that not only will a big check change that, but that the check doesn’t even have to be that big.