Facebook’s agreement with regulators is a result of the company’s early experiments with data sharing. In late 2009, it changed the privacy settings of the 400 million people then using the service, making some of their information accessible to all of the internet. Then it shared that information, including users’ locations and religious and political leanings, with Microsoft and other partners.
Facebook called this “instant personalization” and promoted it as a step toward a better internet, where other companies would use the information to customize what people saw on sites like Bing. But the feature drew complaints from privacy advocates and many Facebook users that the social network had shared the information without permission.
The F.T.C. investigated and in 2011 cited the privacy changes as a deceptive practice. Caught off guard, Facebook officials stopped mentioning instant personalization in public and entered into the consent agreement.
Under the decree, the social network introduced a “comprehensive privacy program” charged with reviewing new products and features. It was initially overseen by two chief privacy officers, their lofty title an apparent sign of Facebook’s commitment. The company also hired PricewaterhouseCoopers to assess its privacy practices every two years.
But the privacy program faced some internal resistance from the start, according to four former Facebook employees with direct knowledge of the company’s efforts. Some engineers and executives, they said, considered the privacy reviews an impediment to quick innovation and growth. And the core team responsible for coordinating the reviews — numbering about a dozen people by 2016 — was moved around within Facebook’s sprawling organization, sending mixed signals about how seriously the company took it, the ex-employees said.
Critically, many of Facebook’s special sharing partnerships were not subject to extensive privacy program reviews, two of the former employees said. Executives believed that because the partnerships were governed by business contracts requiring them to follow Facebook data policies, they did not require the same level of scrutiny. The privacy team had limited ability to review or suggest changes to some of those data-sharing agreements, which had been negotiated by more senior officials at the company.
Facebook officials said that members of the privacy team had been consulted on the sharing agreements, but that the level of review “depended on the specific partnership and the time it was created.”