Senate committee presses Meta over data access by developers in 'high risk' countries, per 2018 app audit

Facebook's murky history of letting third party apps help themselves to user data which you may recall blew up into a major global privacy scandal back in 2018 (aka, Cambridge Analytica), gouging the company's stock price, leading to its founder being hauled in front of Congress -- and finally, in mid 2019, to a $5 billion settlement with the FTC over what sometimes got euphemistically reported as 'privacy lapses' -- appears to be coming back to haunt it via unsealed legal discovery.

Internal documents in a related privacy litigation that emerged late last month have trigged the chairs of the US Senate Select Committee on Intelligence, Mark Warner and Marco Rubio, to write a letter to Meta's Mark Zuckerberg asking fresh questions about what he and his company knew about how much user data the platform was leaking back then. And what security implications may be attached to said leaks.

Thing is, per the unsealed documents, the company now known as Meta appears to have suspected that developers from high risk jurisdictions where authoritarian regimes are known to "gather data for intelligence targeting and cyber-espionage" -- including North Korea, Russia, China and Iran -- were among thousands also accessing Facebook users' personal data via the same sort of friends' data permissions route that the Cambridge Analytica data-set was extracted by the contracted developer, GSR.

"It appears from these documents that Facebook has known, since at least September 2018, that hundreds of thousands of developers in countries Facebook characterized as “high-risk,” including the People’s Republic of China (PRC), had access to significant amounts of sensitive user data," they write.

"As the chairman and vice chairman of the Senate Select Committee on Intelligence, we have grave concerns about the extent to which this access could have enabled foreign intelligence service activity, ranging from foreign malign influence to targeting and counter-intelligence activity," the pair add, pressing Meta to respond to a series of questions about how it acted after its internal audit flagged that user data may have been accessed by thousands of developers in high risk locations.

It's fair to say that Meta doesn't like to dwell on a data access/policy enforcement failure scandal that led to its founder sitting on a booster cushion in Congress and being plied with questions by irate US lawmakers. Quite possibly because it paid $5billion to the FTC to make the whole scandal go away -- a settlement that conveniently granted blanket immunity to its executives for any known or unknown privacy violations.

But the problem with Meta wanting the whole episode to be filed away under 'forever resolved', is that it has never actually answered all the questions lawmakers asked at the time. Nor in the years following -- as additional details have emerged.

It hasn't even published the results of the third party app audit Zuckerberg pledged in 2018 would be carried out. (Although we did find out -- indirectly, in 2021 -- that a settlement it reached with the UK's privacy watchdog included a gag clause that prevented the commissioner from talking publicly about the investigation.)

Yet this still unpublished third party app audit formed the keystone of Facebook's crisis PR response at the time -- a promised comprehensive accounting that successfully shielded Zuckerberg and his company from deeper scrutiny. Exactly when the pressure was greatest on it to explain how information on millions of users was lifted out of its platform by a developer with bona fide access to its tools without the knowledge or consent of the actual Facebook users.

The price of this shielding has probably actually been pretty high -- both reputationally for Meta (which, after all, felt the need to undertake an expensive corporate rebranding and try to reframe its business in the new arena of VR); and also in future compliance costs (which obviously won't only affect Meta) as a number of laws drafted in the years since the scandal seek to put new operational limits on platforms. Limits that are often justified by a framing that foregrounds a perception of Big Tech's lack of accountability. (See, for e.g., the UK's Online Safety Bill which even includes, in a recent addition, criminal sanctions for CEOs who breach requirements. Or the EU's Digital Services Act and Digital Markets Act.)

Still, Meta has remained extremely successful at avoiding the kind of in-depth scrutiny of its internal processes, policies and decision-making which paved the way for Cambridge Analytica to take place on Zuckerberg's watch --- and, potentially, for scores of similar data heists, at least per details emerging via legal discovery.

This is why the spectre of Facebook's failed accountability reappearing is compelling viewing. (See also: A privacy litigation that Meta finally moved to settle last year, with a timing that apparently spared Zuckerberg and former COO Sheryl Sandberg from having to appear in person after they'd been deposed to give testimony -- for a settlement price-tag that was not disclosed.)

Whether anything substantial comes of the latest visitation of the ghost of unresolved Facebook privacy scandals remains to be seen. But Meta now has a new long-list of awkward questions from lawmakers. And if it tries to duck substantive answers its execs could face a fresh summons to a public committee grilling. (It's never the crime, it's the cover-up etc etc.)

Here's what the Committee is asking Meta to answer re: the findings of the internal investigation:

Asked for a response to the lawmakers concerns, Meta spokesman Andy Stone did not respond to specific questions -- including whether it will finally publish the app audit; and whether it will commit to informing users whose information was compromised as a result of features of its developer platform (so presumably that's a 'no' and a 'no') -- opting instead to send this brief statement: