Facebook sued by Washington, D.C. over data breach accusations
In its lawsuit, the Office of the Attorney General (OAG) alleges Facebook’s lax oversight and misleading privacy settings allowed, among other things, a third-party application to use the platform to harvest the personal information of millions of users without their permission and then sell it to a political consulting firm.
In the run-up to the 2016 presidential election, some Facebook users downloaded a “personality quiz” app which also collected data from the app users’ Facebook friends without their knowledge or consent.
The app’s developer then sold this data to Cambridge Analytica, which used it to help presidential campaigns target voters based on their personal traits.
Facebook took more than two years to disclose this to its consumers.
OAG is seeking monetary and injunctive relief, including relief for harmed consumers, damages, and penalties to the District.
Among the ways that Facebook harmed consumers, the complaint alleges, are:
Misleading users about the security of their data: Facebook represented to users that it would protect the privacy of their personal information, and that it required applications and third-party developers to respect consumers’ privacy. However, Facebook allowed Kogan to collect and sell the data of users who had not downloaded or used Kogan’s app.
Failing to properly monitor third-party apps’ use of data: Although Facebook was aware as early as 2014 that Kogan wanted to download the personal information not only of his app’s users, but also of his users’ friends, Facebook failed to monitor or audit the app to see if it was abiding by Facebook’s policies for third-party applications and user data.
Making it difficult for users to control data settings for apps: Facebook maintained confusing and ambiguous privacy and applications settings that made it difficult for consumers to control how their data was shared.
Instead of allowing users to control access to their information on third-party apps directly from its main privacy settings page, Facebook required users to go to a different part of its platform for third-party app privacy settings. This made it harder for consumers to realize that apps could be harvesting their data.
Failing to disclose the Cambridge Analytica breach to consumers for more than two years: Facebook first became aware in 2015 that Cambridge Analytica had obtained millions of users’ data.
The company conducted a cursory investigation and confirmed that the data had been improperly harvested from users and then sold to Cambridge Analytica. However, Facebook did not inform users affected by the breach until 2018.
Failing to ensure users’ improperly obtained data was deleted: Even after it confirmed its users’ data had been improperly harvested, Facebook took Cambridge Analytica at its word that the company had deleted the data.
Facebook did this even though its staffers were embedded with the Trump campaign and other campaigns, working alongside Cambridge Analytica staff to use the data to target voters.
Failing to inform consumers that some companies could override data privacy settings: Facebook also failed to inform consumers that it granted certain companies, many of which were mobile device makers, special permissions that enabled those companies to access consumer data and override consumer privacy settings.
OAG is seeking an injunction to ensure Facebook puts in place protocols and safeguards to monitor users’ data and to make it easier for users to control their privacy settings. In addition, OAG is seeking restitution for consumers, penalties, and costs.