LOS ANGELES – Facebook Inc. uncovered emails that appear to connect Chief Executive Mark Zuckerberg to potentially problematic privacy practices at the company, according to people familiar with the matter.
Within the company, the unearthing of the emails in the process of responding to a continuing federal privacy investigation has raised concerns that they would be harmful to Facebook – at least from a public-relations standpoint – if they were to become public, one of the people said.
The potential impact of the internal emails has been a factor in the tech giant’s desire to reach a speedy settlement of the investigation by the Federal Trade Commission, one of the people said. Facebook is operating under a 2012 consent decree with the agency related to privacy, and the emails sent around that time suggest that Zuckerberg and other senior executives didn’t make compliance with the FTC order a priority, the people said.
It couldn’t be determined exactly what emails the agency has requested and how many of them relate to Zuckerberg.
The FTC investigation began more than a year ago after reports that personal data of tens of millions of Facebook users improperly wound up in the hands of Cambridge Analytica, a data firm that worked on President Trump’s 2016 campaign. The FTC is investigating whether that lapse violated the 2012 consent decree with the agency in which Facebook agreed to better protect user privacy. Since the Cambridge Analytica affair, other privacy missteps have come to light, adding to Facebook’s headaches.
Facebook has been eager to strike a deal with the FTC and put the Cambridge Analytica scandal behind it. The firm said in April it was expecting to pay up to $5 billion as part of an accord with the agency.
“We have fully cooperated with the FTC’s investigation to date and provided tens of thousands of documents, emails and files. We are continuing to work with them and hope to bring this matter to an appropriate resolution,” a Facebook spokesperson said on Tuesday in a statement. On Wednesday, after publication of this article, the company sent an additional statement, saying: “At no point did Mark or any other Facebook employee knowingly violate the company’s obligations under the FTC consent order nor do any emails exist that indicate they did.”
It couldn’t be determined whether any of the emails – which have been described by people familiar with them but not reviewed by The Wall Street Journal – reveal practices that violated the 2012 accord. Any evidence that Zuckerberg was directly involved in a potential failure on Facebook’s part to honor the terms of its consent decree with the FTC could complicate efforts on both sides to resolve the matter.
At least some internal emails already provided to the agency show Facebook grappling with gray areas in how it should address privacy under the consent order, with Zuckerberg closely involved, according to people familiar with the messages.
In one email exchange from April 2012 that has caught regulators’ attention, according to a person familiar with the matter, Zuckerberg asked employees about an app that claimed to have built a database stocked with information about tens of millions of Facebook users. The developer had the ability to display that user information to others on its own site, regardless of those users’ privacy settings on Facebook, the person said.
Zuckerberg wanted to know if such extensive data collection was possible and if Facebook should do anything to stop developers from displaying that data, the person said.
Another employee responded to Zuckerberg’s question, saying it was possible and many developers do the same thing but adding it was a complicated issue, the person said.
The discussion continued without Zuckerberg or anyone else suggesting by email that the company investigate how many other apps were stockpiling user data, the person said. Eventually Facebook suspended the app in question, the person said, adding that it didn’t move aggressively to address the broader problem.
At the time, Facebook executives were largely focused on increasing the company’s user base and adding advertisers, and appeared to be less diligent about enforcing its data-use rules, developers and former employees have said. The company had repeatedly said it was too slow to react to privacy and security issues.
That email exchange occurred after the FTC’s consent decree had been announced but before it went into effect. The decree says Facebook must honor a user’s privacy settings and not share data without a user’s explicit permission. If it had been in effect at the time, the stockpiling of such user data would potentially have violated it. Zuckerberg’s message seemed to indicate he was aware of that, according to the person who was familiar with the exchange.
FTC staffers have been exploring the episode as part of the investigation, the person said.
A multibillion-dollar civil penalty would be a record for the FTC, but the agency is under pressure from some lawmakers to extract more punitive terms or litigate the matter, since even such a large financial penalty would inflict little pain on the tech giant.
Some FTC officials have debated whether to name Zuckerberg as a respondent in the complaint that would be filed by the agency as part of a settlement. If there are documents suggesting Facebook and Zuckerberg specifically didn’t take regulators seriously, that could complicate those discussions. There is no indication that any of the documents turned over to the FTC show that.
Facebook has vigorously opposed any efforts to hold Zuckerberg personally liable as part of a settlement, according to people familiar with the matter.
The FTC alternative of suing Facebook in court holds risks for both sides. Even if it were to win, the agency would likely obtain far less in both monetary penalties and operational changes at Facebook than it could gain through a settlement, legal observers have said. For Facebook, those people said, litigation would make emails involving Zuckerberg and other senior executives more likely to become public, possibly casting doubt on the company’s renewed public commitment to privacy.
Zuckerberg, who last year said he made a “huge mistake” in not focusing on user privacy earlier, has been talking about charting a new path for Facebook. He announced earlier this year that the company would pivot toward encrypted and ephemeral messaging products and would support the US government imposing personal-data protection along the lines of Europe’s existing laws.
Legal and political efforts in numerous jurisdictions are continuing to explore the company’s past practices.
Sealed American court documents obtained and made public by the British Parliament show Facebook sought to expand its access to users’ data without informing them and snooped on mobile phone users’ activities on other platforms.
In the US, the attorney general of Washington, D.C., Karl Racine, is suing the company over the Cambridge Analytica matter, alleging in a recent filing that Facebook’s staffers were aware that its data was being misused for political purposes as early as 2015.
Facebook is fighting the D.C. lawsuit and has disputed that the company knew of the Cambridge Analytica misconduct in 2015. The company has called the documents obtained by UK officials “cherry-picked” and misleading.