Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)
Facebook's Zuckerberg Takes First Drubbing in D.C.Florida Sen. Bill Nelson: 'Facebook Failed Us'
Facebook CEO Mark Zuckerberg informally met with U.S. lawmakers on Monday ahead of two congressional hearings this week where he is expected to face a bruising examination.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
Zuckerberg is scheduled to testify on Tuesday before a joint hearing of the Senate Judiciary and Commerce committees. On Wednesday, Zuckerberg will testify before the House Committee on Energy and Commerce, which released his opening comments on Monday.
Zuckerberg's written comments largely stick to Facebook's talking points since the Cambridge Analytica scandal erupted last month. Whistleblowing by a former data scientist at the voter-profiling firm has raised concerns over whether Facebook allowed too much access to its rich troves of personal data.
Facebook has said personal details for 87 million people may have been transferred to Cambridge Analytica, whose executives have claimed credit for propelling President Donald Trump's digital campaign (see: Facebook: 87M Accounts May Have Been Sent To Cambridge Analytica).
In his statement, Zuckerberg again apologized for the Cambridge Analytica situation as well as ongoing parallel concerns: the manipulation of the platform by Russian actors, bogus news, hate speech and privacy leaks.
"We didn't take a broad enough view of our responsibility, and that was a big mistake," Zuckerberg says in his prepared statement. "It was my mistake, and I'm sorry. I started Facebook, I run it, and I'm responsible for what happens here."
Senator: 'Facebook Failed Us'
Facebook has weathered privacy controversies in the past with little pushback from users. But the connection of Cambridge Analytica to the Trump campaign and how app developers could harvest large amounts of personal data without direct consent has propelled the pushback.
"I just met one-on-one with Mr. Zuckerberg and in no uncertain terms reminded him that Facebook has a responsibility to its users to protect our personal data. Facebook failed us."
—Sen. Bill Nelson
In one of his first meetings with lawmakers, Zuckerberg took a drubbing. He met privately with Sen. Sen. Bill Nelson, D-Fla., who sits on the Senate Commerce Committee.
Nelson's office published a photo of the meeting, with Zuckerberg sitting straight in a suit and tie with a solemn look. Nelson said in a statement that Facebook failed to protect the personal information of millions of users then sought to conceal it.
"I just met one-on-one with Mr. Zuckerberg and in no uncertain terms reminded him that Facebook has a responsibility to its users to protect our personal data," Nelson said. "Facebook failed us."
The Guardian reported in December 2015 that Cambridge Analytica had acquired the data, which is how Facebook found out. The situation simmered until Chris Wylie, a former data scientist, gave interviews with The Observer and The New York Times.
Wylie maintained the data still exists, although Facebook says it made the company certify it was deleted around 2016. The data was collected in 2013 through an app called This Is Your Digital Life.
The app paid people to participate in a personality survey. When someone used the app, it then scraped data for all of those users' friends without permission. That was in line with Facebook's rules at the time, which the company subsequently changed.
But Facebook maintains that This Is Your Digital Life was deployed under false pretenses and that it thought the app was an academic project. The app's creator, a Cambridge University psychologist Aleksandr Kogan, sold the data to Cambridge Analytica.
Security Changes: Too Little, Too Late?
The privacy mess has raised broader questions over whether Facebook has been too loose with its personal data controls. In the past few weeks, it has announced changes, including making it more clear to users what personal data apps can collect and also tighter restrictions on apps.
Facebook is under investigation by data protection regulators around the world. The U.S. Federal Trade Commission is investigating whether the company violated a 2011 agreement over its data-handling practices. Facebook settled charges that it told users their data would be kept private, but repeatedly kept sharing it without permission.
Zuckerberg's statement also addresses the issue of Russian manipulation. In February, the Justice Department announced the indictment of 13 Russian nationals for allegedly interfering with the U.S. political system (see: US Indicts 13 Russians for Election Interference).
Twelve of those indicted worked for the Internet Research Agency, which is alleged to have used social networking platforms such as Facebook, Instagram, YouTube and Twitter to push divisive narratives.
As a result, Facebook now has about 15,000 staff members working on security and reviewing content. Zuckerberg says that figure should rise to 20,000 by year's end.
"I've directed our teams to invest so much in security - on top of the other investments we're making - that it will significantly impact our profitability going forward," Zuckerberg says. "But I want to be clear about what our priority is: protecting our community is more important than maximizing our profits."
In a separate post on Facebook, Zuckerberg writes that the company is also "establishing an independent election research commission that will solicit research on the effects of social media on elections and democracy. Looking back, it's clear we were too slow identifying election interference in 2016, and we need to do better in future elections."
The company's focus over the past decade has been on aggressively acquiring users. That has boosted its digital advertising profits to $2 billion. But if lawmakers find that those gains were made at the expense of privacy, companies whose trade is targeting advertising based on data could face more restrictive regulations.
Nelson says the bottom line is that "if Facebook can't fix its privacy problems, then how can Americans trust them to be caretakers of their sensitive information?"