Facebook Cambridge Analytica Settlement: UK Watchdog Gagged

January 26, 2021
Do you recall the application review that Facebook’s founder, Mark Zuckerberg, stated he would undertake almost three years ago during the peak of the Cambridge Analytica controversy? In fact, the technology corporation is very interested in ensuring this matter is not brought to your attention.

The United Kingdom’s information commissioner recently informed a parliamentary subcommittee concerning online harms and misinformation that a confidential agreement between her office and Facebook restricts her from publicly disclosing whether Facebook contacted the ICO regarding the completion of the widely announced ‘app audit.’

“I believe I could address that question with you and the committee in a private setting,” stated information commissioner Elizabeth Denham to questioner, Kevin Brennan, MP.

When further pressed to respond immediately regarding whether Facebook had ever informed the regulator about finishing the app audit—with Brennan pointing out “this was a pledge made by Mark Zuckerberg publicly before a US Senate committee”—Denham directly referenced a private arrangement with Facebook that she indicated prevented her from discussing such specifics publicly.

“This is a component of an agreement we reached with Facebook,” she explained to the committee. “Concerning our legal proceedings against Facebook. Therefore, there is an agreement that is not publicly available, which is why I would prefer to discuss this privately.”

In October 2019, Facebook reached a settlement with the UK’s data protection authority—agreeing to fully pay a £500,000 penalty announced by the ICO in 2018 related to the Cambridge Analytica breach, which Facebook had been challenging.

Upon settling with the ICO, Facebook did not acknowledge responsibility. It had previously achieved a victory in a first-tier legal tribunal in June, which determined that “procedural fairness and allegations of bias” against the regulator should be considered during Facebook’s appeal, causing the ICO’s litigation against Facebook to begin unfavorably—likely motivating the ICO to settle with Facebook’s private legal team.

In a statement issued at the time, outlining the settlement’s basic details, the ICO stated that Denham believed the agreement “best serves the interests of all UK data subjects who are Facebook users.”

That disclosure contained no mention of any ‘gagging clauses.’ However, the regulator did note that the agreement’s terms permitted Facebook to “retain documents disclosed by the ICO during the appeal for other purposes, including furthering its own investigation into issues surrounding Cambridge Analytica.”

Consequently, Facebook gained control of a substantial amount of strategically valuable information.

The settlement appears to have been exceptionally advantageous for Facebook. Not only was the financial cost minimal (Facebook paid $5 billion to settle with the FTC following the Cambridge Analytica scandal shortly thereafter), and not only did it provide Facebook with a wealth of ICO-obtained data to conduct its own investigation into Cambridge Analytica privately, but it also guaranteed that the UK regulator would be limited in its public statements.

So limited, in fact, that the information commissioner has declined to comment publicly on Facebook’s post-Cambridge Analytica app audit.

The ICO seized a significant volume of data from the discredited (and now-defunct) company that had become a major issue for Facebook, following a raid on Cambridge Analytica’s UK offices in early 2018. The extent to which that data ended up with Facebook through the ICO settlement remains uncertain.

Notably, the ICO also never released a comprehensive report on its Cambridge Analytica investigation.

Instead, it sent a letter to the DCMS committee last year—in which it outlined several conclusions, reaffirming its view that the network of companies including CA had been compiling datasets from commercial sources to attempt to “make predictions on personal data for political alliance purposes,” as it phrased it; also confirming that the improperly obtained Facebook data had been integrated into an existing database containing “voter file, demographic and consumer data for US individuals.”

The ICO also stated at that time that its investigation did not uncover any evidence that the Facebook data sold to Cambridge Analytica had been utilized for political campaigning related to the UK’s Brexit Referendum. However, there was no comprehensive report detailing the underlying processes by which the regulator reached its conclusions.

Again, from Facebook’s standpoint, a rather favorable result.

When questioned today by the DCMS committee regarding why the regulator had not produced the anticipated final report on Cambridge Analytica, Denham referred to several other reports it published throughout the multi-year inquiry, such as audits of UK political parties and an investigation into credit reporting agencies.

“The letter was comprehensive,” she also argued. “My office produced three reports on the investigation into the misuse of data in political campaigning. So we had a policy report and we had two enforcement reports. So we had looked at the entire ecosystem of data sharing and campaigning… and the strands of that investigation are reported out sufficiently, in my view, in all of our work.”

“Taken together the letter, which was our final line on the report, with the policy and the enforcement actions, prosecutions, fines, stop processing orders, we had done a lot of work in this space — and what’s important here is that we have really pulled back the curtain on the use of data in democracy which has been taken up by… many organizations and parliamentarians around the world,” she added.

Denham also confirmed to the committee that the ICO has preserved data related to the Cambridge Analytica investigation—which could be valuable to other ongoing investigations globally. However, she denied that her office had been requested by the US Senate Intelligence Committee to provide information obtained from Cambridge Analytica—seemingly contradicting an earlier report by the US committee that indicated it had been unable to obtain the information it sought. (We’ve contacted the committee to inquire about this. Update: Senator Warner’s office has now informed us: “The Committee did engage with the ICO.”)

Denham did state that evidence obtained from Cambridge Analytica was shared with the FTC, SEC, and with state attorneys general.

We’ve also contacted Facebook regarding its private arrangement with the ICO and to inquire again about the status of its post-Cambridge Analytica ‘app audit.’ (And will update this report with any response.)

The company has issued periodic updates about the audit’s progress, stating in May 2018 that approximately 200 apps had been suspended as a result of the internal review, for instance.

Then in August 2019, Facebook also informed the DCMS committee that the app audit was “ongoing.”

In its initial audit pledge—in March 2018—Zuckerberg promised a thorough investigation into any other ‘questionable’ apps operating on Facebook’s platform, responding in a lengthy Facebook post to the revelations that a third party had illicitly obtained data on millions of users with the intention of creating psychographic profiles for voter targeting. It subsequently emerged that an app developer, operating freely on Facebook’s platform under existing developer policies, had sold user data to Cambridge Analytica.

“We will investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity,” Zuckerberg wrote at the time. “We will ban any developer from our platform that does not agree to a thorough audit. And if we find developers that misused personally identifiable information, we will ban them and tell everyone affected by those apps. That includes people whose data [Aleksandr] Kogan misused here as well.”

It is important to note that the Facebook founder did not commit to transparently and publicly reporting audit findings. This is, of course, what ‘self-regulation’ looks like: invisible final ‘audit’ reports.

An ‘audit’ that is entirely controlled by an organization deeply involved in the core elements of what is being examined is clearly not worth the paper it is (not) written on. However, in Facebook’s case, this initiated-but-never-concluded ‘app audit’ appears to have fulfilled its crisis PR objective.
