The report casts doubt on the company’s ability to comply with privacy regulations.
According to an internal assessment released to Motherboard, Facebook is unable to account for much of the personal user data under its control, including what it is used for and where it is stored.
The report was written by Facebook’s Ad and Business Product team last year with the intention of being read by the company’s leadership. It outlined how Facebook could deal with an increasing number of data usage requirements, such as new privacy laws in India, South Africa, and other countries. The authors of the research portrayed a platform that was frequently unaware of the personal data of its estimated 1.9 billion members.
The engineers warned that Facebook would have difficulty making promises to countries on how it would treat the data of its citizens. “We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose,’” wrote the report’s authors. “And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation.”
Facebook’s main obstacle to tracking down user data appears to be the company’s lack of “closed-form” systems, the report states. In other words, the company’s data systems have “open borders” that mix together first-party user data, third-party user data and sensitive data. To describe how difficult it is to track down specific Facebook’s data, the report’s authors came up with the metaphor of pouring a bottle of ink into a lake… and then trying to get it back in the bottle:
- The college social network you didn’t use is being shut down by Facebook.
- Facebook removes fake accounts that spread Russian disinformation in Ukraine.
“This bottle of ink is a mixture of all kinds of user data (3PD, 1PD, SCD, Europe, etc.) You pour that ink into a lake of water (our open data systems; our open culture) … and it flows … everywhere. How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?”
More succinctly, a former Facebook employee who spoke anonymously to Motherboard said the question of where data goes inside the company is “broadly speaking, a complete shitshow.”
The authors state that Facebook previously had “the ‘luxury’ of addressing [new privacy regulations] one at a time,” like the EU’s GDPR and the California Consumer Privacy Act. But subsequent years brought more data protection legislation from all over the world, including India, Thailand, South Africa and South Korea. The document casts doubt on if Facebook has been able to comply with such legislation, and if it’s equipped to weather the “tsunami” of new laws that make similar restrictions. (A Facebook spokesperson denied to Motherboard that the company is not currently complying with privacy regulations.)
“Considering this document does not describe our extensive processes and controls to comply with privacy regulations, it’s simply inaccurate to conclude that it demonstrates non-compliance,” the spokesperson told Motherboard. New privacy regulations across the globe introduce different requirements and this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations,”
