Facebook is reportedly unable to identify where most of its user data is located, or how it is used after it is collected, according to a leaked internal document penned by privacy engineers at Facebook last year. The team, which builds and maintains Facebook’s advertisement system (the heart of the company’s business model), has flagged “data lineage” issues with how user data is handled. The report raises questions of whether Facebook will be able to comply with incoming privacy regulations from various regions around the world.
According to a leaked 2021 report procured by Motherboard, the privacy engineers working on Facebook’s Ad and Business Product attempted to highlight issues with the handling of personal data at the company and called for changes to the existing system. The engineers warn that the company has “built systems with open borders”, using the analogy of pouring a bottle of ink (representing third-party data, first-party data and other sensitive information) into a lake (Facebook’s open data systems), then trying to put the ink back into the bottle.
The report warns of incoming regulation from countries around the world, which have begun pushing for stronger regulation for social media companies that handle user data. “We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation,” the engineers explain in the document.
Facebook, which is estimated to have nearly three billion users, is facing increasing scrutiny from regulators in various regions like Egypt, India, the EU, South Africa, South Korea, Thailand, and the US. Proposed regulation seeks to limit how personal data of users is handled by social media companies. The engineers warn that the company’s data handling problem, referred to as “data lineage” in the report, will cause issues with regulation from these regions. For example, the EU’s stringent GDPR law includes “purpose limitation”, which restricts data collected for one purpose from being used for another.
Meanwhile, Facebook denied that the company was not complying with privacy regulations, adding that the document did not describe its extensive processes and controls to comply with privacy regulations. Facebook representatives told Motherboard that the company was building infrastructure to meet requirements set out by privacy laws, including analysing user data and using automation instead of humans — an effort that will require significant investments, which is a priority for the company.
The company also appears to be working on a product called “Basic Ads” that could let users opt out of personalised ads based on the personal data collected by the company, in order to comply with regulations from around the world in the short term, according to the report. However, it also mentions that the product was supposed to be launch-ready in Europe by January 2022, while the company is yet to make any announcements for Basic Ads.