ENTERPRISE | CONSUMER PRIVACY TIPS | DATA BREACHES & ALERTS | WHITEPAPERS

Facebook Answers Senate Questions on Privacy

Facebook received over 2,000 questions from Congressional members as a result of CEO Mark Zuckerberg’s testimony during April 10-11, 2018. The responses to questions were just sent by Facebook to the Senate on June 8th. They have now been posted online and are available for review.

There are nearly 500 pages of questions and answers between the two documents for the Senate. Rather than pick through them for additional information about the Cambridge Analytica scandal, or looking for answers that just didn’t answer the question (there were plenty that will probably get supplemented later), we looked for quotes from Facebook that would be helpful to privacy professionals. Facebook’s handling of inquiries on Cambridge Analytica may end up setting the standard for privacy online for years to come. So it is important to understand what Facebook has been doing to bolster privacy. Here are a few highlights from the responses that we thought would be of interest to privacy professionals:

congress

In response to Question 4 from Chairman Thune:

“While ‘up front’ information like that contained in the terms of service are useful, research overwhelmingly demonstrates that in-product controls and education are the most meaningful to people and the most likely to be read and understood. On-demand controls are also important, and we recently redesigned our entire settings menu on mobile devices from top to bottom to make things easier to find.”

In response to Question 10 from Chairman Thune:

“We do not have a ‘business reason’ to compromise the personal data of users; we have a business reason to protect that information…. If people’s experiences are not positive—if we fail to maintain their trust—they will not use our services.”

In response to Question 5 from Senator Blunt:

“Third, we enable people to learn more about the data we collect through interactive tools such as Download Your Information, which lets people download a file containing data that they may want to take to another service, and Access Your Information, a tool we’ve launched for people to more easily access and manage their data on Facebook.”

“Our approach to control is based on the belief that people should be able to choose who can see what they share and how their data shapes their experience on Facebook and should have control over all data collection and uses that are not necessary to provide and secure our service. People can control the audience for their posts and the apps that can receive their data.”

In response to Question 2 from Senator Moran:

“The Data Abuse Bounty will reward people with first-hand knowledge and proof of cases where a Facebook platform app collects and transfers people’s data to another party to be sold, stolen or used for scams or political influence. We’ll review all legitimate reports and respond as quickly as possible when we identify a credible threat to people’s information. If we confirm data abuse, we will shut down the offending app and, if necessary, take legal action against the company selling or buying the data. We’ll pay a bounty to the person who reported the issue, or allow them to donate their bounty to a charity, and we’ll also alert those we believe to be affected.”

In response to Question 27 from Senator Blumenthal:

“We routinely test new products and consent flows before rolling them out broadly to ensure that there are no bugs or unintended behaviors that would lead to an unintended or negative user experience. In designing the GDPR roll out, like all product roll outs, we rely on design principles and research derived from numerous sources, including user research and academic research, to develop experiences that are engaging and useful for the broadest number of people. We also conducted cross-disciplinary workshops, called “design jams,” with experts around the world to collect input on user interaction principles that would inform our work. We have learned from our work and other design research in the field that people are less likely to make informed or thoughtful decisions when bombarded with many different choices in succession. To avoid so-called “notice fatigue,” we streamlined the number of data choices people are presented with as part of the GDPR roll out to 2-3 choices (depending on the user’s existing settings), responding to early testing of a version with several additional choices, which the people who tested this version did not like. We also used a layered approach that gave people the information needed to make an informed choice on the first screen, while enabling ready access to deeper layers of information and settings for those interested in a particular topic. We will continue to monitor how these and other privacy settings perform with users.”

In response to Question 28 from Senator Blumenthal:

At Facebook, we make decisions about privacy through a cross-functional, crossdisciplinary effort that involves participants from departments across the company. This process is a collaborative approach to privacy that seeks to promote strong privacy protections and sound decision making at every stage of the product development process. Our privacy program is responsible for reviewing product launches, major changes, and privacy-related bug fixes to products and features to ensure that privacy policies and procedures are consistently applied and that key privacy decisions are implemented for the product. This approach has several key benefits.

First, it is designed to consider privacy early in the product development process. This allows us to consider the benefits that a feature is intended to have for people who use our services, how data will be used to deliver those benefits, and how we can build features from the ground up that include privacy protections to enable those benefits while protecting people’s information and putting them in control.

Second, while complying with our obligations is critically important, taking a crossdisciplinary approach to privacy encourages us to think about data protection as more than just a compliance exercise. Instead, we evaluate how to design privacy into the features that we build and consider this from the perspective of things like how we design interfaces that make data use intuitive, taking a consistent approach to privacy across our services, and building protections in how our software is engineered. Accordingly, while we scale our privacy review process depending on the complexity of a particular data use, reviews typically involve experts who evaluate proposed data practices from the perspective of multiple disciplines.

In response to Question 76 from Senator Cruz:

“All users must expressly consent to Facebook’s Terms and Data Policy when registering for Facebook. The Data Policy explains the kinds of information we collect, how we use this information, how we share this information, and how users can manage and delete information. After joining Facebook, people are presented with the opportunity to consent to additional data collection and uses, such as the use of location or the users’ address book on their mobile device.”

For those who want the full effect, here are the two sets of answers.

Facebook Answers Senate Questions on Privacy

Contact

888-252-5653

About

Consumers

Businesses