A bipartisan group of 37 attorneys general, including Colorado Attorney General and Colorado gubernatorial candidate Cynthia Coffman, urged Facebook CEO Mark Zuckerberg to turn over information on Facebook’s business practices and privacy protections.
The request was a result of recent discoveries that Facebook divulged massive amounts of private user data to a Cambridge Analytica, a British political consulting firm, during the last U.S. presidential election.
Facebook’s policies allowed developers to access the personal data of “friends” of people who used certain applications without the knowledge or consent of the users.
“Colorado consumers deserve answers from Facebook regarding their data collection practices, which have raised serious concerns about protecting consumer privacy,” Coffman said in a news release issued by the AG’s office. “Simply downloading an app should never mean that consumers give up their right to control what happens to their personal data or their friends’ personal data, nor does it mean that they have consented to having their every move tracked and their information sold to third parties for profit.”
The letter to Zuckerberg raises a series of questions that the attorneys general want answers to about the social networking site’s policies and practices, including:
- Were those terms of service clear and understandable?
- How did Facebook monitor what these developers did with all the data that they collected?
- What type of controls did Facebook have over the data given to developers?
- Did Facebook have protective safeguards in place, including audits, to ensure developers were not misusing the Facebook user’s data?
- How many users in the states of the signatory attorneys general were impacted?
- When did Facebook learn of this breach of privacy protections?
- During this timeframe, what other third party “research” applications were also able to access the data of unsuspecting Facebook users?
The Colorado Attorney General’s Office is currently working on state legislation to update Colorado’s consumer protection laws regarding data breach notifications and to enhance protections for consumers’ personal information, according to the release.
An unedited copy of the letter follows:
March 26, 2018
1850 M Street, NW
Twelfth Floor
Washington, DC 20036
Phone: (202) 326-6000
http://www.naag.org/
Mark Zuckerberg
Facebook, Inc.
1601 Willow Road
Menlo Park, California 94025
Dear Mr. Zuckerberg:
The undersigned State and Territory Attorneys General are profoundly concerned about the recently published reports that personal user information from Facebook profiles was provided to third parties without the users’ knowledge or consent. As the chief law enforcement officers of our respective states, we place a priority on protecting user privacy, which has been repeatedly placed at risk because of businesses’ failure to properly ensure those protections. Most recently, we have learned from news reports that the business practices within the social media world have evolved to give multiple software developers access to personal information of Facebook users. These reports raise serious questions regarding consumer privacy.
Early reports indicate that user data of at least 50 million Facebook profiles may have been misused and misappropriated by third-party software developers (“developers”). According to these reports, Facebook’s previous policies allowed developers to access the personal data of “friends” of people who used applications on the platform, without the knowledge or express consent of those “friends.” It has also been reported that while providing other developers access to personal Facebook user data, Facebook took as much as thirty (30) percent of payments made through the developers’ applications by Facebook users.
Facebook apparently contends that this incident of harvesting tens of millions of profiles was not the result of a technical data breach; however, the reports allege that Facebook allowed third parties to obtain personal data of users who never authorized it, and relied on terms of service and settings that were confusing and perhaps misleading to its users.
These revelations raise many serious questions concerning Facebook’s policies and practices, and the processes in place to ensure they are followed. Were those terms of service clear and understandable, or buried in boilerplate where few users would even read them? How did Facebook monitor what these developers did with all the data that they collected? What type of controls did Facebook have over the data given to developers? Did Facebook have protective safeguards in place, including audits, to ensure developers were not misusing the Facebook user’s data? How many users in our respective states were impacted? When did Facebook learn of this breach of privacy protections? During this timeframe, what other third party “research” applications were also able to access the data of unsuspecting Facebook users?
In addition to responses to these questions, we request an update about how Facebook will allow users to more easily control the privacy of their accounts. Even with the changes Facebook has made in recent years, many users still do not know that their profile—and personal data—is available to third-party vendors. Facebook has made promises about users’ privacy in the past, and we need to know that users can trust Facebook. With the information we have now, our trust has been broken.
Users of Facebook deserve to know the answers to these questions and more. We are committed to protecting our residents’ personal information. More specifically, we need to understand Facebook’s policies and procedures in light of the reported misuse of data by developers. We appreciate the information you have provided to date and expect your full cooperation going forward in our inquiries into your business practices. To that end, we expect a full accounting for what transpired and, answers to the questions we raised above. We look forward to your prompt response.
Sincerely,
George Jepsen
Connecticut Attorney General
Tim Fox
Montana Attorney General
Ellen F. Rosenblum
Oregon Attorney General
Josh Shapiro
Pennsylvania Attorney General
Marty J. Jackley
South Dakota Attorney General
Steve Marshall
Alabama Attorney General
Eleasalo V. Ale
American Samoa Attorney General
Xavier Becerra
California Attorney General
Cynthia H. Coffman
Colorado Attorney General
Matthew P. Denn
Delaware Attorney General
Karl A. Racine
District of Columbia Attorney General
Elizabeth Barrett-Anderson
Guam Attorney General
Russell A. Suzuki
Hawaii Acting Attorney General
Lawrence Wasden
Idaho Attorney General
Lisa Madigan
Illinois Attorney General
Tom Miller
Iowa Attorney General
Derek Schmidt
Kansas Attorney General
Andy Beshear
Kentucky Attorney General
Janet Mills
Maine Attorney General
Brian Frosh
Maryland Attorney General
Maura Healey
Massachusetts Attorney General
Bill Schuett
Michigan Attorney General
Lori Swanson
Minnesota Attorney General
Jim Hood
Mississippi Attorney General
Josh Hawley
Missouri Attorney General
Gordon MacDonald
New Hampshire Attorney General
Gurbir S. Grewal
New Jersey Attorney General
Hector Balderas
New Mexico Attorney General
Eric T. Schneiderman
New York Attorney General
Josh Stein
North Carolina Attorney General
Wayne Stenehjem
North Dakota Attorney General
Mike DeWine
Ohio Attorney General
Peter F. Kilmartin
Rhode Island Attorney General
Herbert H. Slatery III
Tennessee Attorney General
T.J. Donovan
Vermont Attorney General
Mark R. Herring
Virginia Attorney General
Robert W Ferguson
Washington Attorney General