The current shift to privacy, though, comes after more than a decade of scrutiny over Facebook's serious privacy lapses and data sharing issues. Privacy advocates and policy analysts have also expressed skepticism about the FTC's mandates from the start, since they don't include broad limits on the entities Facebook can share data with or the types of data the company can collect. And a significant portion of the FTC agreement leaves the methods for privacy improvement up to Facebook itself, a dubious arrangement given the company's track record.
As part of the agreement, Facebook is sharing quarterly and annual updates with the FTC on its progress; the company is submitting its first quarterly report at the end of this week. These compliance reports are signed by CEO Mark Zuckerberg, and the FTC agreement includes a condition that "any false certification will subject [Facebook] to individual civil and criminal penalties." Facebook will also submit to reviews by an independent assessor, the first of which begins next week. None of these reports and findings will be made public. The FTC declined to comment for this story.
Both Protti and Egan argue that the company is making substantive changes. Every new employee now goes through training to reinforce that privacy is everyone's responsibility across every department. The company has also started doing annual privacy risk assessments across 30 of its "key" business units to identify gaps and potential problems and rectify them—a process that Protti and Egan say has already led to improvements. And the company's board of directors now also has a privacy committee meant to oversee and verify improvements as an accountability mechanism.
"From our perspective, we’ve made important progress, but we still have a tremendous amount of work to do," Protti says. "We’re in the early phases of a multi-year and ongoing effort to evolve our culture, our operations, and our technical systems to honor people’s privacy."Protti says that the company has overhauled its privacy review process for products and services that share user data in new ways. One specific point in the FTC agreement is that Facebook can no longer use customer phone numbers collected for two-factor authentication for targeted advertising and to recommend friends, a controversial practice that Facebook admitted to only after a 2018 investigative piece by Gizmodo. Protti says Facebook wants not only to meet its regulatory obligations, but to also go beyond that with more robust technical validations, documentation, and implementation checks. He stressed the importance of collaboration between teams to ensure that a product or feature's privacy protections are not only functioning as designed, but that the design itself is sound.