Facebook's biggest failures

Mark Zuckerberg admits that Facebook "made mistakes" in allowing Cambridge Analytica to harvest personal information for 50 million of its users. Chief operating officer Sheryl Sandberg is more emphatic, describing it as a "major violation of people's trust."

Where the two are in agreement is that the world's biggest social network must do much better in protecting its members from prying eyes. That is a recurring theme over the company's short history, revealing a business forever pushing the boundaries of users' privacy and comfort while getting them to spend more time on its platform.  

Over the years, Facebook's responses to such flubs have ranged from contrite pledges to improve to blanket rejections of wrongdoing. Here's a look back at some of the past controversies that have dogged the social networking giant, along with how the company responded:

Information Beacon (2007)

In 2007, Facebook rolled out a tracking program called Beacon. Beacon took information encompassing about 50 million Facebook users' purchases and activities on other websites -- like Travelocity, Fandango, The Knot and Overstock.com -- and posted it to their News Feed, without always clearly asking for the user's approval. 

Several weeks into Beacon's existence, tens of thousands of Facebook members had signed a petition to drop the feature. After a month, Facebook created an "opt-out" from the service, effectively ending its abbreviated life.

"We simply did a bad job with this release, and I apologize," founder Mark Zuckerberg wrote in December of that year in commenting on Beacon. "I'm not proud of the way we've handled this situation, and I know we can do better."

Login with Facebook (2008)

Facebook rolled out the ability to log in to other sites with your Facebook credentials in late 2008, and the tool, called OpenID, gradually began to spread across the web. This tool opened the door to Facebook's eventual dominance of the internet. The company soon made its "like" button available on other websites, opening the door to widespread tracking of individuals' web browsing history—even those who weren't Facebook users. 

"That was a big thing, because Facebook extended its ability to track you across websites," said Jeff Chester, executive director of the Center for a Digital Democracy.

A year after OpenID came out, Facebook changed its default privacy settings, making user profiles public by default. It took five years of user pushback for the company to change the default to be visible to users' friends.


FTC settlement (2011)

In 2009, the Center for Digital Democracy and eight other groups filed complaints with the Federal Trade Commission over Facebook's practices, and two year later, the FTC admonished Facebook for playing fast and loose with users' data. The company, which had nearly 900 million users at the end of that yeat, "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public," the agency charged. In particular, the consumer watchdog alleged that Facebook:

  • Made public some private information, such as users' friends lists, without warning them or asking permission

  • Understated the amount of Facebook content that third-party apps would be able to access

  • Denied that it shared personal information with advertisers (it did share personal information with advertisers)

  • Falsely claimed to have vetted the security of apps participating in its "Verified Apps" program

  • Allowed access to photos and videos on accounts that had been deleted

In a 2012 settlement with the FTC, Facebook agreed to implement a privacy program, ask users for permission before broadly sharing their information and get regular third-party privacy audits for the following 20 years. The settlement appeared designed to prevent the type of "share first, ask later" dust-up caused by the Beacon program.

Zuckerberg acknowledged the flub. "I'm the first to admit that we've made a bunch of mistakes," he wrote while lamenting that those errors "overshadowed much of the good work we've done."

He concluded: "[W]e can also always do better. I'm committed to making Facebook the leader in transparency and control around privacy."

6 million phone numbers revealed (2013) 

In June 2013, Facebook notified about 6 million users that their contact information, including phone numbers and emails, had been inadvertently exposed.

For a platform with about 1 billion users at that point, the numbers were relatively small. But the breach -- which Facebook called a "bug" -- also revealed that Facebook had been quietly compiling fuller profiles of its users by merging their information with data submitted by their contacts—data that Facebook itself acknowledged "was not necessarily accurate."

The bug even affected people who didn't use Facebook and whose contact information may been uploaded by friends, which made many "furious," ZDNet wrote at the time. "The policy being that in this area, your data is not yours; it belongs to your friends, and by its rules your friends -- or merely people you know -- have more control over your data than you do."

In a blog post and messages to users, Facebook downplayed the breach. "It's likely that anyone who saw this is not a stranger to you," the company said in a notification. Facebook also assured that "all of us at Facebook take this issue very personally" and that the company had taken steps to prevent future breaches — though it hastened to add that "no company can ensure 100 percent prevention of bugs."

Inflated video views (2016)

After several years of pushing video content on its platform, Facebook revealed that it had been miscalculating performance metrics in a way that inflated the average amount of time videos were viewed. 

The average Facebook user isn't likely to care about video view time, but advertisers were upset because it potentially meant they had overpaid for ads. 

Though Facebook said the error had no effect on billing, it still said expressed regret. "We sincerely apologize for the issues this has created for our clients," wrote David Fischer, the company's vice president of business and marketing partnerships.

Fake people (2017)

After accusations that it helped sow division during the 2016 presidential campaign, Facebook cracks down on fake accounts. The site deletes tens of thousands of followers in the run-up to national elections in France and in Germany. In the U.S., Facebook nixes millions of fake "likes" and followers that had targeted news outlets, with USA Today losing nearly six million overnight

Six weeks after the purge, USA Today asked the FBI to investigate the "swarm" of fake accounts.

Fake news (2017)

Shortly after the shock election of President Donald Trump in November 2016, news reports examined Facebook's role as an information publisher. BuzzFeed found that fake news reached more people than real news during the campaign season, and traced more than 100 pro-Trump accounts to a single town in Macedonia.

Mark Zuckerberg initially downplayed the findings, calling the possibility that fake news swayed the election "pretty crazy," but later said he regretted being so dismissive.

In September, Facebook revealed that it had sold about $100,000 worth of ads to fake accounts linked to Russia during the U.S. presidential campaign. The ads reached as many as 126 million people, it estimated. Faced with the threat of legislation that would require it to disclose its advertisers, Facebook rolled out a tool that allows users to check who's behind the ads they are seeing. 

Last month, 13 Russian actors were indicted for their role in the campaign, accused of breaking U.S. laws to meddle in the elections via advertisements and groups on Facebook. "We know we have more to do to prevent against future attacks," said the company, whose name appears 35 times in the indictment.

The Cambridge Analytica "breach"

Political intelligence firm Cambridge Analytica is the latest entity to be in hot water over misusing Facebook members' data. The firm, at one point run by former White House adviser Steve Bannon and tied to Republican donor Robert Mercer, acquired data on 50 million Facebook members that it used to develop "psychographic" profiles.

The tool worked through an app built by researcher Aleksandr Kogan. The app, titled "thisisyourdigitallife," gave users a personality prediction, and asked to share their data for "research purposes." But Kogan used it to effectively scrape profiles of users who signed up for the app -- as well as that of their friends -- amassing detailed information on tens of millions users. (Hillary Clinton did something similar in the 2016 campaign, and Barack Obama's reelection campaign in 2011 used the same developer tool to target voters.)

Facebook on Friday suspended Cambridge Analytica and its parent company, Strategic Communication Laboratories, and said it was launching a "forensic audit" into the events. The social network, however, disputed the characterization of the event. Cambridge Analytica has also suspended its CEO pending an investigation.

"The claim that this is a data breach is completely false," Facebook initially wrote. "[E]veryone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked." Kogan only broke the platform's terms, Facebook said, when he handed over the information to a third party, and when he falsely certified to Facebook that he had destroyed the data.

The fact that a company party was able to gain access to such detailed information with minimal vetting, and without actually hacking Facebook's systems, was not lost on privacy activists. Many on Twitter criticized Facebook for the amount of data it controls and its ability to unilaterally exclude users.

The FTC on Tuesday reportedly began a probe into whether Facebook violated its 2012 agreement when it allowed "thisisyourdigitallife" to access information of friends of those who signed up, without informing them of the matter.

"We're also working with regulators as they investigate what happened," Zuckerberg wrote on Wednesday. It could be just the beginning. The attorneys general of Massachusetts and New York have launched an investigation into Facebook and its handling of the data Cambridge Analytica received. Sens. Dianne Feinstein (D-Calif.) and Chuck Grassley (R-Iowa) have spoken disapprovingly of Facebook's flub, with Sen. Richard Blumenthal (D-Conn.) calling for Zuckerberg to testify before Congress.