Additionally, Protti says that the privacy reviews include examinations of topics like transparency, user controls, and data retention policies where applicable. Despite years of near-constant privacy controversy and that record FTC fine, Protti and Egan both maintain that Facebook already built all of its software with privacy in mind from the start, but that the company is now committing to this maxim more deeply.
“This privacy review process since it’s gotten rolling has caused us to delay some product launches, which isn’t a bad thing necessarily,” Protti says, “because at the end of the day the most important thing is getting this right for the ultimate user.”
In one recent example, Protti says that Facebook delayed the launch of its Accounts Center service, which offers features across the company’s apps. A series of privacy reviews showed that user controls and transparency mechanisms weren’t clear enough abouton what information would be used based on which features were enabled or disabled.
“Our internal experts sent the product team back to revise their plan,” Protti says. “And the end result was a redesigned control hub and overall a much better and clearer product. It took a little bit longer to launch, but we’re happier and prouder of what we’ve built as a result.”
Both Protti and Egan say that the biggest challenges in Facebook’s privacy revamp is communicating the depth of the company’s commitment and making sure all users understand how their data is used, as well as the tools and controls that are available to them.
“Something I wake up every day thinking about [is] how we can continue to help people understand that our business model is privacy protective,” Egan says. “It’s never been more important and more challenging to help the world understand that people’s privacy and the personalized experiences that we create for people don’t have to be at odds with each other. Some companies I think are framing this as a choice—personalized advertising or privacy. And that’s just not true. You can have both.”
But privacy advocates and researchers who have been studying tech giants like Facebook for years have found a mountain of evidence to the contrary.
“The fundamental truth is that surveillance capitalist monopolies cannot be reformed,” says Evan Greer, deputy director of the digital rights and privacy-focused group Fight for the Future. “The FTC agreement tinkers around the edges, but largely allows Facebook to police itself, which it has consistently shown it is incapable of doing. There is no single silver bullet solution that will ‘fix’ Facebook, but the FTC agreement barely scratches the surface. What we really need is for Congress to pass strong federal data privacy legislation.”
Policy analysts point out that without being able to see any of the reports Facebook submits to the FTC, the public will have to trust that the regulator has adequate insight into what’s going on at the company through the certified reports and independent assessor and that the FTC is actually holding Facebook accountable. Broadly, the FTC established similar mechanisms for oversight in its 2011 agreement with Facebook, including periodic independent audits, but the measures were largely unsatisfactory. The Electronic Privacy Information Center mounted a challenge to the Facebook-FTC agreement in 2019, but it was dismissed.
“I understand that such reports may contain sensitive company data, but just like with privacy impact assessment documents, they can be modified to be releasable,” says Lukasz Olejnik, an independent privacy researcher and consultant. “There is no reason for these reports from Facebook not to be published in some form.”
Zuckerberg laid out a cogent and robust roadmap for Facebook’s privacy journey in 2011 after the company’s first agreement with the FTC, including hiring Egan to join the team.