When Mark Zuckerberg appeared before Congress last week, several lawmakers grilled him on Facebook's failures to comply with a 2012 consent decree that required the social media company to submit regular privacy audits to the Federal Trade Commission.

The FTC's privacy audits are widely viewed as one of the strongest enforcement mechanisms for keeping tech companies in line with the privacy promises they make to their users — but a new paper by privacy attorney Megan Gray suggests that the FTC's privacy audits are relatively toothless and need to undergo major reforms if they are really going to protect consumers. Although Gray currently works for the FTC, the paper is based on publicly available documents and was written during her non-work time.

Facebook's 2011 consent decree stems from allegations that will sound eerily familiar to anyone paying attention to the company's current Cambridge Analytica scandal. The FTC alleged that Facebook was unfair and deceptive in its communications to users about their privacy, and that it allowed third-party applications to access user data while leading users to believe that they could restrict the visibility of that data to their friends only. Under Facebook's agreement with the FTC, the company must undergo biannual privacy audits for 20 years to ensure that it isn't misleading users about their privacy.


However, those audits didn't turn up any information about Cambridge Analytica's collection of data on 87 million Facebook users, even though Facebook learned about it in 2015, leading members of Congress to suggest that Facebook isn't complying with the consent order.

Allowing apps like the one used by Cambridge Analytica to access user data was an act of "willful blindness," Senator Richard Blumenthal told Zuckerberg. "It was heedless and reckless, which, in fact, amounts to a violation of the FTC consent decree," he said. (Zuckerberg responded that, while he thought in retrospect that Facebook should have notified the FTC of Cambridge Analytica's actions, it had no legal obligation to do so.)

Although members of Congress seemed to blame Facebook for not coming clean to the FTC, Gray's paper suggests that the FTC's privacy audits are failing by design. The current process essentially allows companies under consent orders to self-regulate, while data misuse by the likes of Cambridge Analytica is swept under the rug. If the agency genuinely wants to catch privacy violations and protect consumers from harm, it needs to make its auditing process more aggressive and rigorous, according to Gray.


"The agency regularly touts its important and extensive work as the chief consumer privacy 'cop on the beat.' But this chest-thumping can backfire — consumers may more readily share personal information via online platforms based on a belief that the FTC is guarding against misuse," Gray writes. "Careful review, however, shows the audits are woefully inadequate."

The FTC's 2012 consent decree against Facebook, and a 2011 order against Google, were highly regarded as strong actions to protect consumer privacy. But the audit process laid out in those consent orders isn't living up to the hype, Gray says.

"On closer inspection, the orders arguably did not require 'reasonable privacy protection,'" she writes. "Rather, the orders were more constrained, and required only a 'comprehensive privacy program' that was 'reasonably designed' to 'address' 'privacy risks.' Under this language, given the companies' lengthy privacy policies essentially stating that users did not have any privacy, the FTC could face an uphill struggle in curbing misuse of consumer information."


Companies like Facebook and Google are allowed to hire their own auditors, and the contracts between auditors and companies are not public, so it's difficult to determine how much a company spent on an audit. The audits rely largely on statements by company employees — essentially, if executives tell the auditor that they're doing enough to protect user privacy, the auditor reports that the company is fulfilling its obligations.

"That is completely useless. It's not just toothless, it's worse than toothless," Nate Cardozo, a senior staff attorney with the Electronic Frontier Foundation, told Gizmodo. "It's asking the fox to guard the henhouse. If the FTC had hired an auditor and asked Facebook to open its servers to any question the auditor had, maybe we wouldn't have had Cambridge Analytica."

The audits also tend to only scratch the surface of what a large company's privacy reach might be. Google's audit, for instance, covers only seven points — which Gray calls "so vague or duplicative as to be meaningless" — and doesn't dig into the various privacy concerns that come up in Google's myriad products, from search to email to YouTube to self-driving cars.


Allowing the auditor to parrot whatever a company tells them creates an environment where privacy violations go unreported. "The FTC's privacy cases have not usually stemmed from intentional transgressions; rather, the cases usually arise from issues the company missed or did not adequately disclose to consumers. A privacy audit that relies on management assertions will rarely uncover these blind spots," Gray writes.

Security expert Alec Muffett puts the problem another way:

In sporting metaphor: a vendor (in this case, Google) gets to design their own high-jump bar, document how tall it is and what it is made of, how they intend to jump over it; and then they jump over it and the certification agency simply attests that they have successfully performed a high-jump over a bar of their own design. The design documents and jump technique do not need to be made public.


The FTC is aware that the audit process is broken, Gray notes. The World Privacy Forum recommended last fall that the agency go so far as to advise its employees to stop referring to the work as "audits" altogether and use the phrase "assessments" instead.

"We suggest that any Commission staff member who discusses a Commission consent decree in public and who refers to an assessment as an audit be required to stay after work and write 100 times 'An assessment is not an audit….'" WPF's executive director Pam Dixon wrote in a comment to the FTC on its consent decree against Uber.

Gray makes a number of recommendations for improving the FTC's privacy audits. The most drastic, she says, would be for the FTC to stop relying on corporate attestations of privacy protection altogether. However, the current model could be improved if the FTC outlined what it expects auditors to cover with more granularity, including mapping the flow of consumer data through a company's systems and analyzing violations of the order that occurred while the company was under scrutiny.

Photo: Jae C. Hong

Gray also recommends that the FTC incorporate industry-accepted principles for data privacy into the audit process, such as the Generally Accepted Privacy Principles and the Fair Information Practices, so that companies are evaluated against more widely accepted rubrics. Although some of the GAPP or FIP recommendations might not apply to a particular product — for example, an auditor might not be able to assess a product that only stores data while in transit under the recommendation for data retention — an auditor should still address those principles and explain why they do not apply, the paper argues.

"The FTC will soon have an entirely new slate of commissioners," Gray notes. "They may be amenable to a comprehensive overhaul of how the agency monitors its privacy orders."

Whether the new commissioners will be interested in cracking down on Silicon Valley's privacy violations remains to be seen. "The Trump administration has made it clear that it is no friend of Silicon Valley and, in this particular context, that could be good for user privacy," Cardozo said. "On the other hand, the Trump administration has made it clear that it doesn't like government regulation and the administrative state."


Correction: A previous version of this article falsely stated that Facebook's consent order was issued in 2011 and Google's was issued in 2012. In fact, it was the other way around: Facebook's consent order was finalized in August 2012, while Google's was finalized in October 2011. We regret the error.
