Leaked Document Shows That Facebook Doesn’t Know What It Does With Your Data

A leaked internal Facebook document warns that the company is facing a “tsunami” of global privacy regulations with engineers disclosing that its systems are not built with such regulation in mind.

As reported by Motherboard, the document explains that: “We’ve built systems with open borders. The result of these open systems and open culture is well described with an analogy: Imagine you hold a bottle of ink in your hand. This bottle of ink is a mixture of all kinds of user data (3PD [third party data], 1PD [first party data], SCD [sensitive categories data], Europe, etc.) You pour that ink into a lake of water (our open data systems; our open culture) … and it flows … everywhere. How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?”

The document is dated from last year by the Ad and Business Product team that looks after Facebook’s advertising revenue systems, the lynchpin of the social giant’s core business. The paper comes in response to the incoming regulations across the world, from Europe to the US to India, where pressure has been building up in recent years to become more stringent in data privacy.

The document reveals how the engineers were “surprised” by regulatory changes in India and the EU with regards to first party data use and that its second party data enforcement plans were already “insufficient” in adapting to ongoing regulations let alone further ones.

In recent years, data regulation has been revisited globally with many countries and regions bringing in new data protection laws and guarantees. The European Union’s 2018 General Data Protection Regulation (GDPR), for example, stipulates that companies can only collect data for “specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. More recently, India implemented the Personal Data Protection (PDP) bill, a new set of regulations that establish privacy as a fundamental right under the constitution. Although this bill will be brought in incrementally, it has still caught legacy data companies such as Facebook off guard.

As the document itself stipulates, the problem is “data lineage”, with the leaked paper remarking that: “We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation”.

In response to the leak, Facebook said that: “Considering this document does not describe our extensive processes and controls to comply with privacy regulations, it's simply inaccurate to conclude that it demonstrates non-compliance. New privacy regulations across the globe introduce different requirements and this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations,” before adding that the lake analogy “lacks the context that we do, in fact, have extensive processes and controls to manage data and comply with privacy regulations.”