“Like pouring ink into a lake”: leaked docs indicate Facebook unsure of own privacy issues

The social media giant does not know where all of its user data goes or what it does with it, according to a team memo.

A leaked internal company document seen by Vice/Motherboard appears to suggest that the social media giant doesn't understand what most of its user data is used for.

In the memo sent last year, engineers for the site pointed out flaws in its data management system, saying they can't track where its 2.9bn users' data goes.

The team that penned the memo referred to the system as one with “open borders”. The system was described as one that doesn't allow for the strict management that regulators in some regions have legislated for.

Facebook's privacy engineers stated in the document that the platform has no real way of tracking the data of its 2.9bn users after it enters Facebook's automated processes.

First-party user data, third-party data, and even sensitive data are all stored together due to "open borders," eventually making it difficult to manage a single piece of the data.

"How do you put that ink back in the bottle?"

According to the paper, there's no way to know whether or not the data originated directly from Facebook after it's consolidated. 

The memo warns that this corporate data management strategy will make it hard, in practice, to commit to policy reforms in the future.

The ad ops team also used an analogy to convey its concerns about the overflowing data to supervisors.

"Imagine you hold a bottle of ink in your hand," it wrote. "This bottle of ink is a mixture of all kinds of user data….You pour that ink into a lake of water (our open data systems; our open culture) … and it flows … everywhere.”

It then asks: "How do you put that ink back in the bottle? How do you organise it again, such that it only flows to the allowed places in the lake?"

The EU's General Data Protection Regulation (GDPR) requires personal data to be "collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes." This legislation has been one of the key regulations enacted against Meta in recent years. 

“Wrong to assume that document exhibits non-compliance”

In a statement to Motherboard, a Meta representative denied that the document shows the company is not complying with mandated privacy regulations.

The Meta representative said it is wrong to assume that the document exhibits non-compliance as it doesn't describe the firm's processes and controls to comply with privacy legislation.

The spokesperson said: "New privacy regulations across the globe introduce different requirements, and this document reflects the technical solutions we are building to scale the current measures we have in place to manage data and meet our obligations." 

“Tracking customers was what got us into this situation, whereas we should have been speaking to them”

Paul Coggins, Co-Founder and CEO, Adludio, said: "The Facebook news is not surprising. For almost two decades, the platform’s business model has been based on monetising the personal data of its almost three billion users. GDPR, and the world's move towards data privacy, shook this model to the core and so the fact that Facebook has no quick or easy fix was, of course, to be expected.

“Obviously data compliance now needs to be baked into companies, and this is clearly not the case with the world’s largest social network. But the conversation should not just be about compliance. Indeed, tracking customers was what got us into this situation, whereas we should have been speaking to them. 

“Creativity, therefore, in engaging and interactive ads, should be prioritised and technologies toward it should be engaged with. Not only do creative ads avoid the privacy obstacle, but they lead to more meaningful brand experiences. This will also move us on from the public distrust in digital ads that Facebook helped cause."

“They simply weren’t built with privacy in mind”

Gabe Morazán, Product Director, Sourcepoint, said: “One of the main issues highlighted by the leaked document is specifically related to purpose limitation. This has been one of the most difficult aspects of regulatory compliance for many apps, including Facebook, because they amassed consumer data without ever engaging in meaningful dialogue with the user about how it would be used. It’s much harder to reverse engineer the data provenance and purpose limitation than to build with that in mind.

“This is a great example of why enterprise applications struggle with data privacy, particularly purpose limitation. They simply weren’t built with privacy in mind. In a race to embrace agility and cloud transformation, enterprise applications have decoupled and decentralized customer data making it difficult to track where customer data is going and how it’s being used. 

“In addition, it highlights the need for compliance teams to operationalize data privacy and embed ‘privacy by design’ practices throughout the organization or they’ll continue to face massive disruptions each time a new law is introduced or an existing law is changed. It’s no longer acceptable to do the bare minimum when it comes to customer trust and privacy.”

"Parties in the ad-tech ecosystem starting to think seriously about their responsibilities... and the vendors they work with"

Tim Spratt, Co-founder at Permutive, said: “What the recent Meta breach shows is that despite being closed ecosystems, walled gardens aren't immune from the impact of privacy regulation. This is especially pertinent considering the rise in closed platforms as an answer to the deprecation of third-party data. In reality, consent is far bigger than the removal of cross-context identifiers – it sits at the heart of every first-party data company now, and the ability to control first-party usage is critical to being able to legally operate a business.

“Meta’s Facebook platform was built in an era of unfettered data, where loose constraints were applied within its four walls. The regulatory requirement is to have full oversight and understanding of the data within these walls and enforce users' preferences. The information coming from the leak suggests this isn’t the case for Meta, and their ads business is likely non-compliant with the GDPR and upcoming privacy regulations in other jurisdictions.

“Going forward, the ability to track and enforce consent of first-party data at a granular level can't just be a bolt-on – it must be treated with the highest importance. Ultimately, Meta’s existing infrastructure design makes it technically infeasible for them to meet GDPR requirements such as the right to erasure, leaving them with a ticking regulatory time bomb. Ensuring consent is a first-class consideration requires rearchitecting first-party data platforms from the ground up, as evidenced by the large investment Meta proposes in the leak, and we're seeing parties in the independent ad-tech ecosystem start to think seriously about their responsibilities and the vendors they work with.”