Investigation Finds Facebook Did Little to Prevent Apps from Sharing Sensitive User Data
Although Facebook Has Taken Positive Steps to Remediate Problem in Response to DFS’s Inquiry, Internal Controls Need Further Improvement
Governor Andrew M. Cuomo today accepted a New York State Department of Financial Services report detailing the findings of an investigation into the transmission of sensitive user data by application and website designers to Facebook. Following a report by the Wall Street Journal, the Governor directed DFS to perform an investigation which found that app developers regularly sent Facebook sensitive data, including medical and personal data, derived from consumers’ usage of third-party websites and applications. The data was then shared with Facebook by app developers as part of Facebook’s free online data analytics services. Though such data-sharing violated Facebook policy, Facebook took few steps to enforce the policy or to block the flow of sensitive data prior to the state’s investigation.
“Large internet companies have a duty to protect the privacy of their consumers – period,” Governor Cuomo said. “A lack of universal standards and online regulation has led to unsolicited and predatory data collection and sharing which has compromised the privacy of countless New Yorkers and we’re taking steps to hold these bad actors accountable and to create the strongest privacy protections in the nation.”
“Consumer protection is at the center of everything we do at DFS, and data privacy is increasingly important to consumers. Facebook instructed app developers and websites not to share medical, financial, and other sensitive personal consumer data but took no steps to police this rule,” said Superintendent of Financial Services Linda A. Lacewell. “By continuing to do business with app developers that broke the rule, Facebook put itself in a position to profit from sensitive data that it was never supposed to receive in the first place. Consumers deserve better.”
The Department found that consumer data was regularly shared with Facebook by app developers who downloaded Facebook’s Software Development Kit as part of Facebook’s free online data analytics services. Personal data that was wrongfully shared included sensitive and/or medical data such as health diagnoses, blood pressure readings, and even fertility data.
The report focuses on the facts surrounding the conduct described by the WSJ, the inadequate controls at Facebook that allowed it to happen, the remedial measures Facebook has undertaken as a result of the DFS investigation, and the Department’s recommendations on how to better protect consumer privacy:
- Inadequate Controls: Although sensitive data was being transmitted to Facebook every day in violation of Facebook policy, prior to the DFS investigation Facebook did little to track whether app developers were violating its policies, and to this day it takes no real action against developers that do.
- Remediation Efforts as a Result of the Department’s Investigation: As a result of the DFS investigation, Facebook built and implemented a screening system that is designed to identify and block sensitive information before it enters the Facebook system. Facebook also enhanced app developer education to better inform developers of their obligations to avoid transmitting sensitive data and took steps to give users more control over data that is collected about them, including from off-Facebook activity.
- Recommended Further Action: Although Facebook’s remediation efforts are important first steps, Facebook must meaningfully ensure that developers are fully aware of its prohibition on transmitting sensitive data, and the report recommends that Facebook do more to prevent developers from transmitting sensitive data in the first place rather than relying solely on a back-end screening system. The report further urges Facebook to take additional steps to police its own rules by putting in place appropriate consequences for developers that violate them.
- Federal Regulatory Oversight: Current laws and regulations have not kept pace with the technological advancements of the “big data” industry. Although the U.S. Federal Trade Commission has taken some action, consumers would benefit from a comprehensive federal regulatory approach, as noted in the DFS’s Twitter report.
The report also supports the adoption of Governor Cuomo’s proposal to enact NYDATA, a comprehensive data privacy law that would significantly enhance privacy protections for New Yorkers. The law would mandate that any entity that collects data on large numbers of New Yorkers disclose the purposes of such collection, and limit the data collected to that purpose.