Blog

What does Facebook know about you? Clearly a whole lot more than it’s comfortable letting on.

Today, during testimony in front of the House Energy & Commerce committee, CEO Mark Zuckerberg was pressed by congressman Jerry McNerney on whether Facebook lets users download all their information — and he ended up appearing to contract its own cookies policy, which — if you go and actually read it — states pretty clearly that Facebook harvests users’ browsing data.

See, for e.g.:

We use cookies if you have a Facebook account, use the Facebook Products, including our website and apps, or visit other websites and apps that use the Facebook Products (including the Like button or other Facebook Technologies). Cookies enable Facebook to offer the Facebook Products to you and to understand the information we receive about you, including information about your use of other websites and apps, whether or not you are registered or logged in.

Yet you won’t find your browsing data included in the copy of the information you can request from Facebook. Nor will you find a complete list of all the advertisers that have told Facebook they can target you with ads. Nor will you find lots of other pieces of personal information like images that Facebook knows you’re in but which were uploaded by other users, or a phone number you declined to share with it but which was uploaded anyway because one of your friends synced their contacts with its apps, thereby handing your digits over without your say so.

And that’s just to name a few of the missing pieces of information that Facebook knows and holds about you — won’t tell you about if you ask it for a copy of “your information”.

Here’s the key exchange — which is worth reading in full to see how carefully Zuckerberg worded his replies:

McNerney: “Is there currently a place that I can download all of the Facebook information about me including the websites that I have visited?”

Zuckerberg: “Yes congressman. We have a download your information tool, we’ve had it for years, you can go to it in your settings and download all of the content that you have on Facebook.”

McNerney: “Well my staff, just this morning, downloaded their information and their browsing history is not in it. So are you saying that Facebook does not have browsing history?”

Zuckerberg: “Congressman that would be correct. If we don’t have content in there then that means that you don’t have it on Facebook. Or you haven’t put it there.”

McNerney: “I’m not quite on board with this. Is there any other information that Facebook has obtained about me whether Facebook collected it or obtained it from a third party that would not be included in the download?”

 Zuckerberg: “Congressman, my understanding is that all of your information is included in download your information.”

McNerney: “I’m going to follow up with this afterwards.”

If you read Zuckerberg’s answers carefully you’ll see that each time he reframes the question to only refer to information that Facebook users have themselves put on Facebook.

What he is absolutely not talking about is the much more voluminous — and almost entirely unseen — supermassive blackhole’s worth of data the company itself amasses about users (and indeed, non-users) via a variety of on and offsite tracking mechanisms, including — outside its walled garden — cookies, pixels and social plug-ins embedded on third party websites.

According to pro-privacy search engine DuckDuckGo, Facebook’s trackers are on almost a quarter of the top million websites — meaning that anyone browsing popular websites can have their activity recorded by Facebook, linked to their Facebook identity, and stored by the company in its vast but unseen individual profiling databases.

This background surveillance has got Facebook into legal hot water with multiple European data protection agencies. Albeit it hasn’t — thus far — stopped the company tracking Internet users’ habits.

The key disconnect evident in Zuckerberg’s testimony is that Facebook thinks of this type of information (metadata if you prefer) as belonging to it — rather than to the individuals whose identity is linked to it (linking also conducted by Facebook).

Hence the tool Zuckerberg flagged in front of Congress is very deliberately called “download your information” [emphasis mine].

With that wording Facebook does not promise to give users a copy of any of the information it has pervasively collected on them. (Doing so would clearly be far more expensive, for one thing.)

Although given that McNerney pressed Zuckerberg in his follow up for a specific answer on “any other information that Facebook has obtained about me” — and the CEO still equivocated, it’s hardly a good look.

Transparency and plain dealing from Facebook? Quite the opposite on this front.

Facebook has faced more pressure on its lack of transparency about the information it holds on users in Europe where existing privacy regulations can mandate that organizations must respond to so-called ‘subject access requests’ — by providing individuals who make a request with a copy of the information they hold about them; as well as (if they make a small payment) telling them whether any personal data is being processed; giving them a description of the personal data, the reasons it is being processed, and whether it will be given to any other organizations or people.

So, in other words, subject access requests are a world away from Facebook’s current ‘download your information tool’ — which just shows users only the information they have personally volunteered to give it.

Even so, Facebook has not been meeting the full disclosure obligations set out in EU privacy law — instead pursuing legal avenues to avoid fulsome compliance.

Case in point: Late last month Paul-Olivier Dehaye, the co-founder of PersonalData.IO, told a UK parliamentary committee — which has also been calling for Zuckerberg to testify (so far unsuccessfully) — how he’s spent “years” trying to obtain all his personal information from Facebook.

Because of his efforts he said Facebook built a tool that now shows some information about advertisers. But this still only provides an eight-week snapshot of advertisers on its platform which have told it they have an individual’s consent to process their information. So still a very far cry from what individuals are supposed to be able to request under EU law.

“Facebook is invoking an exception in Irish law in the data protection law — involving, ‘disproportionate effort’. So they’re saying it’s too much of an effort to give me access to this data,” Dehaye told the committee. “I find that quite intriguing because they’re making essentially a technical and a business argument for why I shouldn’t be given access to this data — and in the technical argument they’re in a way shooting themselves in the foot. Because what they’re saying is they’re so big that there’s no way they could provide me with this information. The cost would be too large.”

“They don’t price the cost itself,” he added. “They don’t say it would cost us this much [to comply with the data request]. If they were starting to put a cost on getting your data out of Facebook — you know, every tiny point of data — that would be very interesting to have to compare with smaller companies, smaller social networks. If you think about how antitrust laws work, that’s the starting point for those laws. So it’s kind of mindboggling that they don’t see their argumentation, how it’s going to hurt them at some point.”

With the incoming GDPR update to the bloc’s data protection laws — which beefs up enforcement with a new regime of supersized fines — the legal liabilities of shirking regulatory compliance will step up sharply in just over a month’s time. But it remains to be seen whether Facebook — or indeed any of the other ad-tech giants whose business models rely on pervasive tracking of web users (ehem Google ehem) — will finally reveal all the information held on users, rather than just giving up a few selective snapshots.

Apple Music is continuing its upward climb in subscriber count, quickening its pace as it seeks to overtake Spotify in the battle for users’ ears. The music streaming service now has 40 million subscribers, according to a report today from Variety. Apple has confirmed this number to TechCrunch.

The service still has a ways to go before it surpasses Spotify, which currently has 70 million paid Premium subscribers. A report in The Wall Street Journal earlier this year suggests that Apple Music’s quicker growth rate (five percent versus Spotify’s two percent growth) could mean it surpassing the Swedish streaming service as soon as this summer, however. Apple Music hit 30 million subscribers in September of 2017.

In addition to an updated note regarding subscriber notes, the report also says that the streaming service will have a new boss with the promotion of Oliver Schusser to the role of VP of Apple Music & International Content. He will report directly to services head Eddy Cue. Schusser has been at Apple for 14 years, previously leading efforts outside the U.S. on content efforts surrounding the App Store.

Apple’s continued prominence in the music streaming market comes after a rocky introduction thanks to a rough user interface. For Apple to continue to court Spotify Premium subscribers, they’re going to have to continue to focus on more intuitive app design and a more intelligent user recommendation engine, areas where Spotify is still holding strong ahead of it. With Spotify going public last month with a hefty market cap of $28 billion, it’s clear that the company has a lot riding on its ability to stay ahead of Apple in intelligence and continue driving more sophisticated playlists to users.

An area where Apple’s $9.99 per month service is undoubtedly succeeding is in the intimate tie between its audio hardware and Apple Music. Users of the HomePod and AirPods gain essential functionality for music playback only if they are subscribers to Apple Music.

The fact that Facebook probably has a profile of you whether you’re a Facebook user or not might come as a surprise to some users, though today even the company’s chief executive denied knowledge of the practice — or at least the term used to describe it.

In this morning’s hearing with the House Energy and Commerce Committee, New Mexico Representative Ben Lujan cornered Mark Zuckerberg with a question about so-called “shadow profiles” — the term often used to refer to the data that Facebook collects on non-users and other hidden data that Facebook holds but does not offer openly on the site for users to see.

In one of the handful of slightly candid moments of the past few days, Rep. Lujan pressed Zuckerberg on the practice today:

Lujan: Facebook has detailed profiles on people who have never signed up for Facebook, yes or no?

Zuckerberg: Congressman, in general we collect data on people who have not signed up for Facebook for security purposes to prevent the kind of scraping you were just referring to [reverse searches based on public info like phone numbers].

Lujan: So these are called shadow profiles, is that what they’ve been referred to by some?

Zuckerberg: Congressman, I’m not, I’m not familiar with that.

Lujan: I’ll refer to them as shadow profiles for today’s hearing. On average, how many data points does Facebook have on each Facebook user?

Zuckerberg: I do not know off the top of my head.

Lujan: Do you know how many points of data Facebook has on the average non-Facebook user?

Zuckerberg: Congressman, I do not know off the top of my head but I can have our team get back to you afterward.

Lujan: It’s been admitted by Facebook that you do collect data points on non-[Facebook users]. My question is, can someone who does not have a Facebook account opt out of Facebook’s involuntary data collection?

Zuckerberg: Anyone can turn off and opt out of any data collection for ads, whether they use our services or not, but in order to prevent people from scraping public information… we need to know when someone is repeatedly trying to access our services.

Lujan: It may surprise you that we’ve not talked about this a lot today. You’ve said everyone controls their data, but you’re collecting data on people who are not even Facebook users who have never signed a consent, a privacy agreement.

And it may surprise you that on Facebook’s page when you go to “I don’t have a Facebook account and would like to request all my personal data stored by Facebook” it takes you to a form that says “go to your Facebook page and then on your account settings you can download your data.”

So you’re directing people that don’t even have a Facebook page to sign up for a Facebook page to access their data… We’ve got to change that.

As TechCrunch’s Natasha Lomas explained during a 2013 Facebook privacy scandal:

Chances are someone you have corresponded with — by email or mobile phone — has let Facebook’s data spiders crawl through their correspondence, thereby allowing your contact data to be assimilated entirely without your knowledge or consent.

During that privacy breach, Facebook exposed the email addresses and phone numbers of six million users, though it later became apparent that a chunk of those accounts were never handed over to the platform directly by Facebook users. This information can be drawn into Facebook’s vast data aggregation machine through friends or friends of friends via all kinds of channels, including the “find friends” feature that allows the app to scan mobile contacts.

For all of Zuckerberg’s claims that Facebook users own their data, users — and non-users — have no way of determining the full trove of data that the company stores on an individual. As Rep. Lujan was suggesting, it’s likely that the Facebook data users are able to view on the platform is likely only the tip of the company’s immense data iceberg.

Welp. While Mark Zuckerberg gets the grilling of a lifetime on Capitol Hill, the firm at the center of all of this is losing its top (if temporary) executive. As day two of the Facebook testimony was unfolding, Cambridge Analytica sent out a brief statement from its Board of Directors, noting that acting CEO Alexander Tayler was stepping down from the gig.

The two sentence press release thanked Tayler, “for his service in what has been a challenging time for the company.” Well, yeah. Tayler will be sticking with Cambridge Analytica, however, returning to his former role as Chief Data Officer.

Tayler stepped into the temporary after it was vacated in late-March, when then-CEO Alexander Nix was suspended following the release of an undercover video shot by the UK’s Channel 4 News. Shortly after his appointment, Tayler reportedly told employees that he didn’t expect Nix to return to the company.

The exact reason for this latest move isn’t clear just yet. The company says the executive did so “in order to focus on the various technical investigations and inquiries,” but given everything swirling around the company at the moment, it’s probably safe to say that there’s a little more to it than that. Cambridge Analytica has yet to name a temporary (or permanent) replacement for its temporary replacement. 

The company has been at the center of Facebook’s latest controversy ever since it was revealed that as many as 87 million users potentially had their data exposed to the firm. Even more damning information has been exposed over the course of Zuckerberg’s two-day grilling, including the revelation that users’ inboxes may have also been exposed.

The firm, meanwhile, has been attempting to do damage control on social media over the last 48 hours — but most of the damage is, no doubt, already done.

Uber is done being solely a ride-hailing company. Under the leadership of CEO Dara Khosrowshahi, the company is well on its way to becoming a multi-modal transportation platform.

At a future of mobility event in Washington, D.C. today, Khosrowshahi announced Uber’s foray into car rentals, shared bikes in D.C. and public transportation. Khosrowshahi also sat on a panel with Washington, D.C. Mayor Muriel Bowser and Stephen Goldsmith, Daniel Paul Professor of the Practice of Government at the Harvard Kennedy School, to discuss Uber’s new approach to partnering with cities.

A lot of the conversation focused on making transportation safe, equitable and affordable across multiple modes. Those modes include ride-hailing, car rentals, public transportation and more. In order to achieve the goal of safe, equitable and affordable transportation, Uber is forming deeper partnerships with cities, like Washington, D.C.

Uber envisions being able to bring data, on-demand transportation and solving for real-time transportation needs to public transit, Khosrowshahi said. If people can reliably know when a bus will show up, he said, “we think that’s going to drive use and ultimately that’s going to make it even better to live in a city like this one.”

Uber CEO Dara Khosrowshahi at a Washington, D.C. event

Shared rides

One of Uber’s goals is to reduce the need for individual car ownership, thereby reducing congestion in cities. For those who don’t want to take public transit, Uber says it’s investing “hundreds of millions of dollars per year” in its Express carpooling product. That investment comes in the form of price cuts to the end user.

“There are these societal norms that we have to battle,” Khosrowshahi said. “You share a car with someone, and it kind of feels a little weird,” noting how people don’t know if it’s socially acceptable to work, chat or say nothing at all.

“So we are having to discount very aggressively, much more than you’d think,” Khosrowshahi said, to get people to share rides. “The combination of the societal norms and then the question of when exactly am I going to get there are the real friction points we’ve had to fight.”

Autonomous is still coming

Uber has, of course, been under scrutiny as of late due to the fatal crash involving one of its self-driving cars in Tempe, Arizona last month. Uber is currently working with the National Transportation Safety Board to determine what happened.

While Uber has pulled its self-driving car programs in all the markets where it operated, as well as not reapplied for a permit to operate in San Francisco, Khosrowshahi says not to take today’s announcements as any sign that Uber is moving away from autonomous.

“Autonomous is part of the solution and I think long-term is going to be an important part of the solution of getting rid of car ownership,” Khosrowshahi said.

Ultimately, Khosrowshahi does envision the world becoming much safer due to autonomous driving.

“Autonomous, at maturity,” he said, “will be safer.”

Google is testifying once again before the congress about the Cambridge Analytica debacle and Facebook’s privacy policy in general. One representative in particular nailed down Facebook CEO Mark Zuckerberg’s position on many subjects.

The U.S. Representative for California's 18th congressional district Anna Eshoo started by setting the tone. “First, I believe that our democratic institutions are undergoing a stress test in our country,” she said. “Putting our private information on offer without concern for possible misuses is simply irresponsible,” she added.

Eshoo asked her constituants to submit questions that they want to ask Zuckerberg. The result is an intense four-minute yes-or-no round of questions.

While Zuckerberg was pretty good at answering yes or no to Eshoo’s questions, it wasn’t so simple with the business model question. “Are you willing to change your business model in the interest of protecting individual privacy?” she asked.

“Congresswoman, we have made and are continuing to make changes to reduce the amount of data…” Zuckerberg said. Eshoo stopped him and repeated her question word for word.

“Congresswoman, I’m not sure what that means,” Zuckerberg said.

Earlier questions were also quite telling. “Do you think you have a moral responsibility to run a platform that protects our democracy? Yes or no?” she asked. After a short hesitation, Zuckerberg answered yes.

Later in the conversation, Eshoo asked if Facebook would offer a blanket opt-in option to share their personal data with third-party companies.

“Congresswoman, yes, that’s how our platform works. You have to opt in to sign in to any app before you use it,” Zuckerberg said.

“Let me just add that it is a minefield in order to do that and you have to make it transparent, clear, in pedestrian language: ‘this is what we will do with your data, do you want this to happen or not?’ So I think this is being blurred, I think you know what I mean,” Eshoo said.

Even more interesting, when Zuckerberg said that Facebook was investigating third-party developers who “had access to large amounts of data,” Eshoo couldn’t take it.

“What does that mean?” she said. Zuckerberg repeated his answer about the internal investigation, without clarifying what Zuckerberg means by large amounts of data and who qualifies for that.

No other representative thought about asking a basic question about Cambridge Analytica’s data. Eshoo asked if Zuckerberg’s data was included in the data sold to the malicious third parties. Zuckerberg simply answered “yes.”

A few weeks after passing both the Senate and House with an overwhelming majority, the controversial Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA) has been signed into law.

In spite of only becoming official today, the bill has already begun to have a profound impact around the Web. Craigslist notably shuttered its Personals section here in the U.S., and Reddit adjusted its own rules in an attempt to brace for the coming law.

The Justice Department also began cracking down on sites — late last week, Backpage was seized by the DOJ and its owners were hit with a staggering 93-count indictment that reads like a laundry list of things for which you don’t want to get indicted.

“Trafficking is probably worse today than at any time in our history,” Trump told the press during a signing ceremony today. Ohio Senator Rob Portman, who co-sponsored the bill, sent out a press release stating, “This is a momentous day in the fight to help stop online sex trafficking, and a big victory for trafficking victims and survivors who for too long have been denied the opportunity to get the justice they deserve.”

In spite of overwhelming support from both sides of the aisle, the bill has been a controversial one, both among sex workers and internet rights advocates. In a post from late-February, the Electronic Frontier Foundation called the potential bill “a disaster,” noting that the onus for policing content would fall exclusively in the hands of sites hosting third-party content.

“[The bill] might sound noble, but it would do nothing to stop sex traffickers,” the EFF writes. “What it would do is force online platforms to police their users’ speech more forcefully than ever before, silencing legitimate voices in the process.”

Sex workers have been equally critical of the bill and have called it, “devastating,” both with regards to their livelihood and a fear of increased violence if these sites are shuttered.

Who are you? That’s both an existential question, and also a very practical administrative concern. Today, identity is often exchanged through the use of government ID cards and official paperwork, but what happens when someone loses that paperwork or it is destroyed? Or, as is often the case in many countries around the world, a citizen never received the paperwork to begin with?

Element wants to completely change the way banks, hospitals, and other service providers work with their customers by providing a platform for decentralized biometric identity. The company’s software runs on any mobile device, and using the device’s camera, it can identify a user’s face, palm, and fingerprints to create a verified match. Users have options on which modality they want to use.

Biometric identification is a tough machine learning application, so it shouldn’t be surprising that Element, which was formed in 2012, was co-founded by Adam Perold, a Stanford-educated product designer, and Yann LeCun, a famed machine learning researcher. LeCun was the progenitor of convolution neural nets, which today form one of the foundational theories for deep learning AI. He is now chief science advisor for the company, having taken a role as Director of AI Research at Facebook in New York while continuing his professorship at NYU.

Element is announcing a $12 million Series A round, led by PTB Ventures and GDP Ventures, with David Fields of PTB and On Lee of GDP joining the company’s board of directors. Earlier investors of the company included Pandu Sjahrir, Scott Belsky, Box Group, and Recruit Strategic Partners.

While technologies like Apple’s Touch ID and Face ID systems have popularized biometric identity, neither of these were around when Element got started. The early years of the company were devoted to solving critical technical challenges. Wireless connectivity can be limited in many developing countries, which meant that identities had to be local to the device in order to be useful. That also meant that the platform couldn’t be a cloud infrastructure solution, since identity information had to be processed on the device.

Furthermore, given the quality of hardware available, data had to be extremely compressed to be useful, and the machine learning algorithms couldn’t use too much compute power since a low-powered Android device wouldn’t be able to execute an identity match quickly enough to provide a good user experience.

That’s where LeCun’s deep expertise in neural nets, and particularly in areas like optical character recognition, came in handy. The Element team managed to reduce the amount of data required to store the identity of a single person down to about two kilobytes, according to the company.

The next challenge the company faced in building out its platform was security. Identity data, particularly biometrics, is a major security challenge, but it was exacerbated by the fact that devices would often be shared between users. A single device at a bank, for instance, might service thousands of users, all of which need independent, secured data. The company said that these security challenges have been designed into the core of the system.

Ultimately, the company’s platform lives as an SDK behind the mobile apps of its partners. It provides not only the identity layer itself, but also a secure data infrastructure that allows records such as bank accounts and medical files to be connected to the underlying identity.

Element is targeting the developing world, and Perold tole me he spends more than half of his time traveling to Southeast Asia and Africa building partnerships and doing research on how the company’s technology can improve critical social services. Among the company’s signed partnerships is Telekom Indonesia, which as the service provider for 180 million subscribers, is one of the key connections between people and their identity in that fast-growing economy.

Another partnership formed by the company is with the Global Good Fund, a joint venture of the Gates Foundation and Intellectual Ventures. That project works to create better biometric identities for newborns and infants, which is critical for health outcomes. The company is working with icddr,b and the Angkor Hospital for Children in Cambodia to build out the program.

In addition to the lead investors, the company received strategic venture capital investments from Bank BCA (via Central Capital Ventura), Bank BRI, Telkom Indonesia (via MDI Ventures), and Maloekoe Ventures.

Tenor is now going to exclusively power GIF searches in LinkedIn messaging after Google a few weeks ago, adding yet another service to its already pretty large portfolio of messaging platforms.

Tenor has long positioned itself as a GIF search tool working across a number of different platforms, ranging from its own keyboard to Facebook Messenger. As such, it wasn’t a huge surprise that Google — a search platform — decided to acquire the company toward the end of march. Tenor at the time said it powered more than 12 billion GIF searches every month, and that kind of search volume fits pretty neatly with Google’s quest to index the world’s information in a way that’s easily searchable. LinkedIn adds another component to that Swiss army knife, and it also gives Google another entry point to a different platform when it comes to some variation of GIF search.

The new engine is available for 50% of users today, and will be rolling out to more users over time. This gives LinkedIn messenger a robust GIF search platform, as well as ways to find trending GIFs, as well as a custom trending stream based on GIFs most often found in their network.

GIFs are increasingly popular in messaging apps, and Tenor is one example of how it’s become almost table stakes for any messenger platform. While LinkedIn is mostly a place where you’d expect to be closing deals and acquiring customers — or searching for a job — it doesn’t really change the core value proposition of what a GIF provides. Companies like Tenor seek to position GIFs as a way to compress more information (or some kind of emotion) into a compact form factor that has very little friction inside a messenger platform.

Tenor is going to exclusively power the GIF search engine, which is going to be another pretty substantial win for Google as it looks to expand its search capabilities into other areas of the Internet — even if it’s just a consumer-oriented GIF format. Tenor can places sponsored GIFs inside its quick search interface, offering brands a unique opportunity to capture the attention of users as well as creating a new advertising category that could be very appealing for larger marketers. Google, at its heart, is an advertising business and finding these new use cases (even if it doesn’t plan to get started on them right away) is something that would fit neatly inside its model.

This also gives Google a unique entry point into different platforms, including even Facebook Messenger, which may seek to find GIF search platforms and use them indiscriminately. Google already has its own keyboard with GBoard. As Google looks to further integrate with a typical user’s lifestyle, tapping the popularity (and potential) of GIFs is something that will be important down the line.

Messages on LinkedIn have grown 60% year-over-year, the company said as part of the announcement, as messaging increasingly becomes a core component of any platform that has any kind of sticky human communication component. That’s especially important for trying to explain the nuance behind a connection while building that relationship through a faux-warm intro as well as finding ways to appeal to customer acquisition. Microsoft acquired LinkedIn in mid 2016 for $26.2 billion, essentially picking up one of the largest customer acquisition channels in the world.

Chalk up a sharp political point in support for privacy legislation with actual teeth: In today’s testimony in front of the House Energy & Commerce committee, Facebook CEO Mark Zuckerberg was asked about the outcomes of a string of legal actions against the company — most of which he claimed not be aware of.

One which he at last said he could remember was Facebook’s 2011 FTC consent decree — when the company settled over deceptive privacy practices by agreeing to make product changes opt-in and pledging to gain express consent from users to any changes going forward.

As part of that decree it also agreed to submit to privacy audits every two years for the next 20 years; bar access to content on deactivated accounts; and avoid misrepresenting the privacy or security of user data.

But congresswoman Diana DeGette pressed the Facebook CEO on whether the company paid a financial penalty as a result of the FTC action. A confused looking Zuckerberg finally replied: “I don’t remember if we had a financial penalty.”

“You’re the CEO of the company, you entered into a consent decree and you don’t remember if you had a financial penalty,” she responded, tone set to sarcastic incredulity.

“I remember the consent decree,” said Zuckerberg hastily. “The consent decree is extremely important to how we operate the company.”

“Yes I would think a financial penalty would be too,” interjected DeGette, leaving her point hanging in Zuckerberg’s silence.

“The reason you probably don’t remember it is because the FTC doesn’t have the authority to issue financial penalties for first time violations,” she picked up. “The reason I’m asking these questions, sir, is because we continue to have these abuses and these data breaches but at the same time it doesn’t seem like future activities are prevented. So I think one of the things that we need to look at in the future… is putting really robust penalties in place — in case of improper actions.”

A little later in the session, congressman Mike Doyle also raised the 20-year FTC consent decree, listing several of the practices it had deemed “unfair and deceptive” — namely: Facebook making users private information public “without sufficient notice or consent”; claiming to certify the security and integrity of certain apps “when in fact it did not”; and enabling developers to access “excessive information about a user and their friends”.

When he asked Zuckerberg whether the list was correct, the Facebook CEO again claimed not to know — saying: “I’m not familiar with all of the things that the FTC said,” before adding hastily: “Although I am very familiar with the FTC consent order itself.”

“But these were part of the consent decree,” interjected Doyle, adding: “I’m just concerned that despite this consent decree Facebook allowed developers access to an unknown number of user profiles on Facebook for years — potentially hundreds of millions, potentially more! And not only allowed but partnered with individuals and app developers such as Aleksandr Kogan who turned around and sold that data on the open market into companies like Cambridge Analytica.”

The congressman went on to ask Zuckerberg why Facebook users should trust the company to follow through on its “promises” to safeguard their information when — as he put it — “you have demonstrated repeatedly that you’re willing to flout both your own internal policies and government oversight when the need suits you”.

Zuckerberg said he “respectfully disagreed” with Doyle’s characterization, saying Facebook has had an app review process for “a number of years”, reviewing “tens of thousands” of apps per year and taking action “against a number of them”.

“Our process was not enough to catch a developer who sold data and had the data on their systems outside our systems,” he finished.

“To my mind the only way we’re going to close this trust gap is through legislation that creates and empowers a sufficiently resourced expert oversight agency with rule-making authority to protect the digital privacy and ensure that companies protect their users’ data,” replied Doyle, capping out his four minutes.

Since fresh revelations about the Cambridge Analytica scandal broke last month the FTC has opened a new investigation into Facebook’s practices.  And now at least the company could face a financial penalty if it’s deemed to have violated the earlier consent decree.

The FTC can apply a fine of $40,000 per privacy violation — so with up to 87 million Facebook users’ data leaked to Cambridge Analytica there is at least a chance Facebook will end up with a sanction that Zuckerberg is able to remember in future.