Eric Schneiderman, New York Attorney General, talked with TechRepublic's Dan Patterson about Facebook's and Cambridge Analytica's possible law violations and how he and other state attorney generals will hold Facebook accountable. Here's their conversation.
Patterson: Your office issued a statement (on March 20) that said, "Consumers have a right to know their information is used, and companies like Facebook, have a fundamental responsibility to protect their users' personal information regarding Facebook and Cambridge Analytica." The statement went on to say New Yorkers deserve answers, and if any company or individual violated the law, we will hold them accountable. So, let's start at the beginning here. Did Facebook and Cambridge Analytica violate the law?
Schneiderman: Well, we're conducting an investigation to determine what laws, if any, they violated and we're at the early stages of the investigation, but my counterpart in Massachusetts, Attorney General Maura Healy, and I have sent them a detailed letter demanding documents. They've already begun production. We also sent a document whole letter requiring preservation of files to Cambridge Analytica, so we'll see what laws were violated.
Different states have different data breach laws, different unfair and deceptive trade-practices laws. There is a law in New York against persistent illegal conduct and operating a business, so we're not sure what laws were violated, but we're going to conduct a very thorough investigation and find that out.
SEE: Facebook's Mark Zuckerberg admits "mistakes," "breach of trust" (CBS News)
Patterson: Earlier this week, Mr. Zuckerberg and Facebook issued a statement that enumerated a few bullets on how they will rectify the situation and how, in the future, they plan on protecting users' data. Did this statement go far enough?
Schneiderman: Well, it was a pretty general statement. I appreciate the fact that he took responsibility and has admitted they'd done something wrong, but I think at this point it's fair to say no one is just gonna take Facebook's word on this. They've lost a lot of public trust. And look, we've had good experiences. I have had good experiences working with Facebook in the past. We made a deal with them to take down all the pages that said, "Gun for sale, no background check." We set up a system to get Amber alerts to Facebook users in a community where a child went missing, so our hope is that they'll want to work with us on developing solutions going forward but that's only going to happen if they're transparent, if we get all the documents we need and talk to all the witnesses we need to talk to to find out exactly what happened.
SEE: IT leader's guide to big data security (Tech Pro Research)
I mean, keep in mind, Facebook knew all of this customer data was compromised back in 2015, and they didn't do what they should've done then, so I think that they're going to have to do some work to credibly assert that now in 2018, all of a sudden, they're going to do everything right.
That having been said, we think, at the end of the day, the right solution is for us to determine what laws are violated, get the facts out to the public, and hopefully Facebook will then see it's in their interest to work with us on solutions going forward that state attorneys general, being the most important law enforcement officers, are going to be looking at this given the circumstances in Washington, are able to attest to the fact that they have, in fact, made these changes.
Patterson: That's so incredibly important. Often in the news cycle, we look at Washington and we think about national politics and our national representatives, but it's really the state's attorney general, in this case, that are enforcing some of the privacy regulations or at least the privacy concerns that consumers might have. What role do all state's attorney general, or at least in your case, have in protecting consumers?
Schneiderman: We have a tremendously important role and since this new administration came into power in January of 2017, the state's attorney general have been the leading edge of the legal resistance to bad public policies coming out of Washington. Congress, I don't think anyone should expect them to take meaningful action on this, if you look at what's happened over the last year or so. But we have beaten the federal government on all versions of the anti-Muslim travel ban, we've kept the DACA program going for the Dreamers through getting injunctions, both in New York and California, and on a host of environmental issues, health care issues, civil rights issues.
The genius of the United States is the founders left a lot of power at the state level because they were concerned about this new federal government they were creating maybe getting in the hands of the wrong people. This is something they talked about.
So it is true that a lot of folks that write about this particular people in the tech industry, you don't really focus that much on states, tend to think only of Washington. But I assure you, in this case, the most aggressive law enforcement is going to be coming from state AGs. We are hopeful that the Federal Trade Commission will also be looking at this. They said they will. Facebook entered into a consent decree with the FTC in 2011 that could have been, very well may have been violated in the Cambridge Analytica situation, so we welcome support from the federal government, but we're not going to wait for it. We're going to pursue this.
Patterson: Do you have all the tools you need, the legal tools you need, to properly pursue not just this case but similar cases?
Schneiderman: Yeah, we do. We can conduct full law enforcement investigations, civil or criminal, and we have a broad array of tools. We can subpoena documents, we can compel witnesses to testify, so our powers are similar to the powers of federal agencies, but I don't think you should look for Jeff Sessions in the US Justice Department to be aggressively be going after corporate malfeasance these days. So given that weakness in enforcement in federal laws and them essentially shutting down, work with the Consumer Financial Protection (Bureau), but they're not going to be aggressive protectors of consumers and that's where the states can fill in.
Patterson: Would you like to or would it be necessary at any point to speak to Mr. Zuckerberg?
Schneiderman: It may be. We're starting out by getting documents and we're also encouraging whistle-blowers to come forward, contact my office. We want to get to the facts. We want to get all the facts out, and we're interested in hearing what Facebook has to say. We're interested in talking to anyone else who's a witness who may have interesting information to convey to us. Again, I do think in the long run this may be a little bit challenging for them and in the long run it's in Facebook's interest to get the facts out there and regain the public trust and that's something that we hope they will see as we go forward.
Patterson: Are there lessons that other companies or other entities could learn from the way that Facebook and Cambridge Analytica handled data storage and disclosure to the public?
Schneiderman: Oh, sure. I think one of the shocking things about the facts of this report, and again, we're going to find out what the facts were, but one of the shocking things is really how inadequate Facebook's response was when in 2015 they learned that millions of Facebook users' data had been compromised and requiring not doing an audit, not checking what Cambridge Analytica was doing, they made it way to0 easy for them to get the data and then they made it way too easy for them to avoid any consequences. Asking them to certify that they destroyed the data, which Mr. Wiley, who's obviously an important witness here, said that just involved checking a box on his computer screen. That's not an adequate way to protect consumers.
So I think a lot of companies are gonna look at this and say, "Okay, we have to get our act together. We can't allow data to be compromised." Facebook's argument so far has been somewhat technical. They're saying, "Oh, well. It wasn't technically a breach. We don't like the use of the word breach because no one hacked into our system." Well, I don't think the public views it as much of a defense to say, "No, they didn't hack into us. We just let them in and let them have all the data." And then when we discovered they had it we said, "Will you promise us to destroy it?" That's like, they didn't break into the warehouse where we were storing your stuff. We just left the door open and went shopping. That's not a very good defense.
Patterson: There is a regulation coming up very soon in Europe called the GDPR, that's the (General) Data Privacy Regulation, and that will change how companies manage and store data in the cloud and as almost every company is undergoing digital transformation or becoming more a cloud base, we'll see other instances of data protection and the lack of data protection. Is this a policy or regulation than would make sense in the United States as well?
Schneiderman: I think one of the things that has become apparent already to those of us who are focused on it, but will become even more clear in the months ahead, is the incredible gap between law enforcement and data protection, privacy protection in Europe and in the United States. We are just way behind. And again, I think it's in the interest of Facebook and others in the industry to really try and ensure that we steer towards smart, effective regulation. The notion that there will be no further regulation is misguided, they may put it off for a little while but the public's just going to demand it.
As you can see, this data breach has gotten a different response from the public. This is something that I think reflects a significant change in public awareness and the determination to ensure that something better is done, is very strong. Again, I appreciate Mr. Zuckerberg's statement that he took responsibility. We're looking forward to them working with us and others to ensure that they actually do take the steps necessary to regain the trust of their consumers.
Patterson: It is reassuring to learn that they have worked with your office in the past, but also in the past Facebook has had privacy challenges that have been controversial and when the controversy dies down they kind of go back to the old way of doing business or at least an incremental version of the old way of doing business.
If this blows over as well, at least in terms of public outcry, what are the consequences if Facebook doesn't do what they said they would do?
Schneiderman: Oh, I would be very surprised if this blows over. I think that, if anything, I think you're going to have more questions being raised. I mean, keep in mind, it was so easy for Cambridge Anaylytica to get access to the private information of millions of Facebook users. That raises the question, who else got access? Since the door was virtually wide open, this raises more question and some of the statements they've made in the last week or so, have raised more questions than they've answered, so I don't think this is going to go away and I think there will be ... they're going to have to address this in a more comprehensive way.
But our goal, first and foremost is to protect New Yorkers and others who may have had their private information compromised improperly, and find out what representations are made, what their policies were, what their interaction and what their contracts were with Aleksandr Kogan, who was the academic who worked with Cambridge Analytica and the facilitator of them getting the data. We've got to examine all the facts and our first and foremost goal is to protect consumers and, in addition to Attorney General Healy and myself, there are other states that have sent letters or subpoenas to Facebook, and I think there will be a strong law-enforcement effort here and Facebook should work with us, rather than against us. We're looking forward to getting out the facts and I think they should be also.
Patterson: Mr. Attorney General, thank you for your time today. One last question. America has been divided for almost ten years on this. Are you an Android person or an iPhone person?
Schneiderman: This is one of the big fissures. I am an iPhone person.
- Essential reading for IT leaders: 10 books on cybersecurity (free PDF) (TechRepublic)
- Could Facebook's data debacle force more companies to act like Apple on privacy? (TechRepublic)
- Facebook's failure to protect personal data is irresponsible (TechRepublic)
- Cambridge Analytica's Facebook game in politics was just the beginning, the enterprise was next (TechRepublic)
- EU General Data Protection Regulation (GDPR): A cheat sheet (TechRepublic)
- Apple's Tim Cook: Facebook's privacy blunder 'so dire' we need regulations (ZDNet)
- EU General Data Protection Regulation (GDPR) policy (Tech Pro Research)
- Facebook: We'll pay you to report apps that misuse data (CBS News)
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.