Facebook failed to closely monitor device makers after granting them access to the personal data of hundreds of millions of people, according to a previously unreported disclosure to Congress last month.
Facebook’s loose oversight of the partnerships was detected by the company’s government-approved privacy monitor in 2013. But it was never revealed to Facebook users, most of whom had not explicitly given the company permission to share their information. Details of those oversight practices were revealed in a letter Facebook sent last month to Senator Ron Wyden, the Oregon Democrat, a privacy advocate and frequent critic of the social media giant.
“Facebook claimed that its data-sharing partnerships with smartphone manufacturers were on the up and up,” Mr. Wyden said. “But Facebook’s own, handpicked auditors said the company wasn’t monitoring what smartphone manufacturers did with Americans’ personal information, or making sure these manufacturers were following Facebook’s own policies.” He added, “It’s not good enough to just take the word of Facebook — or any major corporation — that they’re safeguarding our personal information.”
Because the United States has no general consumer privacy law, F.T.C. consent decrees have emerged as the federal government’s chief means of regulating privacy practices at Facebook, Google and other companies that amass huge amounts of personal data about people who use their products. In letters and congressional testimony, F.T.C. officials have pointed to the decrees as evidence of robust consumer privacy protection in the United States.
A spokesman for PricewaterhouseCoopers acknowledged in a statement that Facebook defines the privacy procedures, known as “controls,” that are tested during the assessments.
“Changes to controls may occur as platforms evolve, such that a control tested in one period may not be identical in a subsequent period,” the spokesman said.
It remains unclear whether Facebook has ever scrutinized how its partner companies handled personal data. A spokeswoman declined to provide any examples of the company’s doing so.
A BlackBerry official, who declined to discuss details of the companies’ data-sharing agreement, said BlackBerry did not think that Facebook had ever audited its data use, but noted that BlackBerry’s business model relies on protecting users’ personal information.