A bipartisan group of 37 attorneys general, including Colorado Attorney General and Colorado gubernatorial candidate Cynthia Coffman, urged Facebook CEO Mark Zuckerberg to turn over information on Facebook’s business practices and privacy protections.

The request was a result of recent discoveries that Facebook divulged massive amounts of private user data to a Cambridge Analytica, a British political consulting firm, during the last U.S. presidential election.

Facebook’s policies allowed developers to access the personal data of “friends” of people who used certain applications without the knowledge or consent of the users.

“Colorado consumers deserve answers from Facebook regarding their data collection practices, which have raised serious concerns about protecting consumer privacy,” Coffman said in a news release issued by the AG’s office. “Simply downloading an app should never mean that consumers give up their right to control what happens to their personal data or their friends’ personal data, nor does it mean that they have consented to having their every move tracked and their information sold to third parties for profit.”

The letter to Zuckerberg raises a series of questions that the attorneys general want answers to about the social networking site’s policies and practices, including:

  • Were those terms of service clear and understandable?
  • How did Facebook monitor what these developers did with all the data that they collected?
  • What type of controls did Facebook have over the data given to developers?
  • Did Facebook have protective safeguards in place, including audits, to ensure developers were not misusing the Facebook user’s data?
  • How many users in the states of the signatory attorneys general were impacted?
  • When did Facebook learn of this breach of privacy protections?
  • During this timeframe, what other third party “research” applications were also able to access the data of unsuspecting Facebook users?

The Colorado Attorney General’s Office is currently working on state legislation to update Colorado’s consumer protection laws regarding data breach notifications and to enhance protections for consumers’ personal information, according to the release.

- Advertisement -

An unedited copy of the letter follows:

March 26, 2018
1850 M Street, NW
Twelfth Floor
Washington, DC 20036
Phone: (202) 326-6000
http://www.naag.org/
Mark Zuckerberg
Facebook, Inc.
1601 Willow Road
Menlo Park, California 94025

Dear Mr. Zuckerberg:

The undersigned State and Territory Attorneys General are profoundly concerned about the recently published reports that personal user information from Facebook profiles was provided to third parties without the users’ knowledge or consent. As the chief law enforcement officers of our respective states, we place a priority on protecting user privacy, which has been repeatedly placed at risk because of businesses’ failure to properly ensure those protections. Most recently, we have learned from news reports that the business practices within the social media world have evolved to give multiple software developers access to personal information of Facebook users. These reports raise serious questions regarding consumer privacy.

Early reports indicate that user data of at least 50 million Facebook profiles may have been misused and misappropriated by third-party software developers (“developers”). According to these reports, Facebook’s previous policies allowed developers to access the personal data of “friends” of people who used applications on the platform, without the knowledge or express consent of those “friends.” It has also been reported that while providing other developers access to personal Facebook user data, Facebook took as much as thirty (30) percent of payments made through the developers’ applications by Facebook users.

Facebook apparently contends that this incident of harvesting tens of millions of profiles was not the result of a technical data breach; however, the reports allege that Facebook allowed third parties to obtain personal data of users who never authorized it, and relied on terms of service and settings that were confusing and perhaps misleading to its users.

These revelations raise many serious questions concerning Facebook’s policies and practices, and the processes in place to ensure they are followed. Were those terms of service clear and understandable, or buried in boilerplate where few users would even read them? How did Facebook monitor what these developers did with all the data that they collected? What type of controls did Facebook have over the data given to developers? Did Facebook have protective safeguards in place, including audits, to ensure developers were not misusing the Facebook user’s data? How many users in our respective states were impacted? When did Facebook learn of this breach of privacy protections? During this timeframe, what other third party “research” applications were also able to access the data of unsuspecting Facebook users?

In addition to responses to these questions, we request an update about how Facebook will allow users to more easily control the privacy of their accounts. Even with the changes Facebook has made in recent years, many users still do not know that their profile—and personal data—is available to third-party vendors. Facebook has made promises about users’ privacy in the past, and we need to know that users can trust Facebook. With the information we have now, our trust has been broken.

Users of Facebook deserve to know the answers to these questions and more. We are committed to protecting our residents’ personal information. More specifically, we need to understand Facebook’s policies and procedures in light of the reported misuse of data by developers. We appreciate the information you have provided to date and expect your full cooperation going forward in our inquiries into your business practices. To that end, we expect a full accounting for what transpired and, answers to the questions we raised above. We look forward to your prompt response.

Sincerely,

George Jepsen
Connecticut Attorney General

Tim Fox
Montana Attorney General

Ellen F. Rosenblum
Oregon Attorney General

Josh Shapiro
Pennsylvania Attorney General

Marty J. Jackley
South Dakota Attorney General

Steve Marshall
Alabama Attorney General

Eleasalo V. Ale
American Samoa Attorney General

Xavier Becerra
California Attorney General

Cynthia H. Coffman
Colorado Attorney General

Matthew P. Denn
Delaware Attorney General

Karl A. Racine
District of Columbia Attorney General

Elizabeth Barrett-Anderson
Guam Attorney General

Russell A. Suzuki
Hawaii Acting Attorney General

Lawrence Wasden
Idaho Attorney General

Lisa Madigan
Illinois Attorney General

Tom Miller
Iowa Attorney General

Derek Schmidt
Kansas Attorney General

Andy Beshear
Kentucky Attorney General

Janet Mills
Maine Attorney General

Brian Frosh
Maryland Attorney General

Maura Healey
Massachusetts Attorney General

Bill Schuett
Michigan Attorney General

Lori Swanson
Minnesota Attorney General

Jim Hood
Mississippi Attorney General

Josh Hawley
Missouri Attorney General

Gordon MacDonald
New Hampshire Attorney General

Gurbir S. Grewal
New Jersey Attorney General

Hector Balderas
New Mexico Attorney General

Eric T. Schneiderman
New York Attorney General

Josh Stein
North Carolina Attorney General

Wayne Stenehjem
North Dakota Attorney General

Mike DeWine
Ohio Attorney General

Peter F. Kilmartin
Rhode Island Attorney General

Herbert H. Slatery III
Tennessee Attorney General

T.J. Donovan
Vermont Attorney General

Mark R. Herring
Virginia Attorney General

Robert W Ferguson
Washington Attorney General