AG Racine Sues Facebook for Failing to Protect Millions of Users’ Data

WASHINGTON, D. C. – Attorney General Karl A. Racine today sued Facebook, Inc. for failing to protect its users’ data, enabling abuses like one that exposed nearly half of all District residents’ data to manipulation for political purposes during the 2016 election. In its lawsuit, the Office of the Attorney General (OAG) alleges Facebook’s lax oversight and misleading privacy settings allowed, among other things, a third-party application to use the platform to harvest the personal information of millions of users without their permission and then sell it to a political consulting firm. In the run-up to the 2016 presidential election, some Facebook users downloaded a “personality quiz” app which also collected data from the app users’ Facebook friends without their knowledge or consent. The app’s developer then sold this data to Cambridge Analytica, which used it to help presidential campaigns target voters based on their personal traits. Facebook took more than two years to disclose this to its consumers. OAG is seeking monetary and injunctive relief, including relief for harmed consumers, damages, and penalties to the District.

“Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used,” said AG Racine. “Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission. Today’s lawsuit is about making Facebook live up to its promise to protect its users’ privacy.”

Facebook, Inc., headquartered in Menlo Park, California, is a digital social networking service with more than 2 billion active users around the world. Through a website and a mobile application, Facebook allows users to communicate and share content with personalized networks of “friends.”

As part of its business model, Facebook collects data that touches on every aspect of users’ personal lives. This includes information provided by the user (name, gender, birthdate, email address, hometown, interests, education, political affiliation, photos, messages, etc.) and information about users’ digital behavior (their friends, “likes,” “shares,” clicks on the site, and more). Facebook offers social networking services for free and uses the personal data it collects to sell targeted advertising to marketers. It also allows third-party developers to build applications that operate on the Facebook platform and offer services including calendar and email integration, games, and quizzes.

In 2013, Facebook allowed Aleksandr Kogan, a researcher affiliated with England’s Cambridge University, and his company, Global Science Research (GSR), to launch an app on the Facebook platform called “thisisyourdigitallife.” The app claimed to be a personality quiz and offered to generate a personality profile in exchange for users downloading the app and granting it access to their Facebook data. Although only 852 Facebook users in the District installed Kogan’s app, it also collected the personal information of those users’ Facebook friends—amounting to nearly half of all District residents. GSR then sold that information to Cambridge Analytica, a political consulting firm.

An investigation by OAG found that this abuse was among the many examples of Facebook’s failure to protect consumers’ data adequately. The investigation found that Facebook violated the District’s Consumer Protection Procedures Act (CPPA), which prohibits unfair and deceptive trade practices. Among the ways that Facebook harmed consumers, the complaint alleges, are:

• Misleading users about the security of their data: Facebook represented to users that it would protect the privacy of their personal information, and that it required applications and third-party developers to respect consumers’ privacy. However, Facebook allowed Kogan to collect and sell the data of users who had not downloaded or used Kogan’s app.
• Failing to properly monitor third-party apps’ use of data: Although Facebook was aware as early as 2014 that Kogan wanted to download the personal information not only of his app’s users, but also of his users’ friends, Facebook failed to monitor or audit the app to see if it was abiding by Facebook’s policies for third-party applications and user data.
• Making it difficult for users to control data settings for apps: Facebook maintained confusing and ambiguous privacy and applications settings that made it difficult for consumers to control how their data was shared. Instead of allowing users to control access to their information on third-party apps directly from its main privacy settings page, Facebook required users to go to a different part of its platform for third-party app privacy settings. This made it harder for consumers to realize that apps could be harvesting their data.
• Failing to disclose the Cambridge Analytica breach to consumers for more than two years: Facebook first became aware in 2015 that Cambridge Analytica had obtained millions of users’ data. The company conducted a cursory investigation and confirmed that the data had been improperly harvested from users and then sold to Cambridge Analytica. However, Facebook did not inform users affected by the breach until 2018.
• Failing to ensure users’ improperly obtained data was deleted: Even after it confirmed its users’ data had been improperly harvested, Facebook took Cambridge Analytica at its word that the company had deleted the data. They did this even though Facebook staffers were embedded with the Trump campaign and other campaigns, working alongside Cambridge Analytica staff to use the data to target voters.
• Failing to inform consumers that some companies could override data privacy settings: Facebook also failed to inform consumers that it granted certain companies, many of whom were mobile device makers, special permissions that enabled those companies to access consumer data and override consumer privacy settings.

OAG is seeking an injunction to ensure Facebook puts in place protocols and safeguards to monitor users’ data and to make it easier for users to control their privacy settings. In addition, OAG is seeking restitution for consumers, penalties, and costs.

A copy of OAG’s complaint against Facebook is available at: http://oag.dc.gov/sites/default/files/2018-12/Facebook-Complaint.pdf

Protecting Yourself Online
District consumers should take the following steps to protect their personal information when using social media platforms like Facebook here. For more information on how to protect your data online, visit OAG’s Consumer Protection Library here.

How to File a Consumer Complaint
Consumers can report data theft, scams, and unlawful or abusive business practices by calling OAG’s Office of Consumer Protection at (202) 442-9828, emailing consumer.protection@dc.gov, or submitting a complaint online using OAG’s Consumer Complaint Form.