Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Facebook Government Privacy

Audit Approved of Facebook Policies, Even After Cambridge Analytica Leak (nytimes.com) 73

Nicholas Confessore reports via The New York Times: An auditing firm responsible for monitoring Facebook for federal regulators told them last year that the company had sufficient privacy protections in place, even after the social media giant lost control of a huge trove of user data that was improperly obtained by the political consulting firm Cambridge Analytica. The assertion, by PwC, came in a report submitted to the Federal Trade Commission in early 2017. The report, a redacted copy of which is available on the commission's website, is one of several periodic reviews of Facebook's compliance with a 2011 federal consent decree, which required Facebook to take wide-ranging steps to prevent the abuse of users' information and to inform them how it was being shared with other companies. The accounting firm, formerly known as PricewaterhouseCoopers, effectively gave Facebook a clean bill of health. "Facebook's privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy" of users, said the assessment, which stretched from February 2015 to February 2017. But during that period, Facebook was aware that a researcher based in Britain, Aleksandr Kogan, had provided Cambridge Analytica with private Facebook data from millions of users.
This discussion has been archived. No new comments can be posted.

Audit Approved of Facebook Policies, Even After Cambridge Analytica Leak

Comments Filter:
  • by Anonymous Coward

    how do we regulate the regulators?

    • by ShanghaiBill ( 739463 ) on Friday April 20, 2018 @02:27AM (#56469787)

      The Cambridge Analytica leak was the result of technical incompetence, and poor code review, not bad policy at the level an auditor would see. It is not reasonable to expect a financial auditor to discover bad code.

      • Re: (Score:1, Interesting)

        by arbiter1 ( 1204146 )
        Just about any app can do what they are butt hurt at cambridge and guess what Clinton campaign used the same thing and so did Obama camp in 2012 that PIONEERED the practice to use it like it was.
        • Just about any app can do what they are butt hurt at cambridge and guess what Clinton campaign used the same thing and so did Obama camp in 2012 that PIONEERED the practice to use it like it was.

          Citations that The Clinton campaign and the Kenyan Terror baby used Cambridge Analytica needed.

          • This is the first time I've seen that splendid sobriquet so I apologize for being picky but shouldn't "baby" in "Kenyan Terror baby" have a capital B because we are referring not to a random baby suffering from Kenyan Terror but a specific, indeed The, Kenyan Terror Baby? Is there more than one?

            • This is the first time I've seen that splendid sobriquet so I apologize for being picky but shouldn't "baby" in "Kenyan Terror baby" have a capital B because we are referring not to a random baby suffering from Kenyan Terror but a specific, indeed The, Kenyan Terror Baby? Is there more than one?

              Good point and agreed. It shall now be The Kenyan Terror Baby.

      • Re: (Score:2, Insightful)

        by Rockoon ( 1252108 )
        Funny that as a matter of public policy they approved of the Democrats doing it years earlier.
      • by Anonymous Coward

        ... if it not comprehensive

        I used to work with Moody, an international recognize firm which stresses its independence

        The audits that we had carried out must not do favor for any party, and must be comprehensive, over and beyond what has been described in the jobscope

        Often we dug through many outside sources about the real nature of the client we were about to audit, before we even accepted them as a client

      • The Cambridge Analytica leak shows us that Facebook has surprisingly no clue or hold on their assets. If user data is the product, that product is freely harvested by third parties outside the control of Facebook.
      • Truth be told, CA was likely Facebook giving one customer everything they give all of their customers. The Clinton campaign probably hired at least 4 equivalents to CA themselves, and there's probably dozens, if not hundreds more, using that same kind of data for non-political purposes..
      • The Cambridge Analytica leak was the result of technical incompetence, and poor code review, not bad policy at the level an auditor would see. It is not reasonable to expect a financial auditor to discover bad code.

        Nothing short of hilarious that while giving Cambridge Analytica and gawd knows who else people's personal data to be weaponized, they present a redacted copy of the audit to the public. Gotta protect privacy yaknow

    • The real problem is we are expecting some mythical set of pure perfection, anything less then then perfect will be punished.

      You could be the best driver in the world, and still get into a car accident. Your automobile may fail even after a properly performed inspection.

      Regulators and only look for issues they know about. With a rapidly growing company like Facebook there are new issues that appear and happen before regulators or Facebook even know where to look, and often risks are identified, but no pract

  • They do their job (Score:5, Insightful)

    by hcs_$reboot ( 1536101 ) on Friday April 20, 2018 @02:54AM (#56469861)
    Problems: 1) auditors are paid by the auditees, 2) they do their job, what they were asked for, and not more. Why do you think these audit / consultancy firms are that expensive? An audit, done to reveal the kind of recent leaks, would only truly work if done by a public institution.
    • Re:They do their job (Score:5, Informative)

      by Anonymous Coward on Friday April 20, 2018 @03:45AM (#56469965)

      Yep, posting anonymously for obvious reasons, but I work for a financial services firm, and we had an issue that meant people unfairly getting rejected for mortgages because the analytics team had completely fucked up some scoring calculations. This was reported to the regulator as we had a legal obligation to do so, and we had to get auditors in to confirm the validity of our fix and processes, and to prevent this happening again.

      The auditor was also PwC, and I had to work closely with them to help provide them the information they need.

      Make no mistake, when people pay a company like PwC to "audit" them and "hold them to account", they're not paying for that at all. What they're paying for is for a company with a big legal department backing it's auditors to come in and help them evade any legal ramifications stemming from their mistake. The auditors don't for example remotely report back to anyone independent any failings, so there's no holding to account off the back of these audits. All they do is linger around, charging by the day to help try and spot any mistakes you've made and help you cover them up, when you've done that they sign the audit off as having passed.

      So let's be clear here, you could be guilty of gross incompetence, abject illegality, and you can call in a company like PwC, you can ask them to help you make everything legal for as long as it takes, then at the end of it they sign off as "audit passed". That is, they're not auditing the company that made the mistake, they're auditing the company that they spent weeks, or even months plastering over the mistake.

      You could argue this is sufficient in itself, because at least the company being audited has made up for it's mistakes, but again, we're talking about what is sometimes absolute illegality here in some cases, with some companies, and if companies are allowed to cover that up with no transparency over how bad things were and what went wrong, and no legal punishment for something that by law, should have legal punishment such as a fine, or even penalties against execs, then there's absolutely zero incentive for companies to ever improve, so once the auditors have gone, odds are, they'll just slip back into their ways if it's financially beneficial to do so. In our case for example, it was "good job everyone in passing the audit", when in reality it should've been "analysts, you need to improve your processes and start ensuring your calculations are accompanied with mathematical proofs where appropriate and sufficient test cases as to allow automated validation and regression testing".

      What PwC offers isn't an audit per-se, it's a cover up service, no one should be surprised when a paid cover up service declares everything a-ok.

      Honestly, given that PwC is also the prime culprit for "tax efficiency" which too many times has turned out to actually be outright tax evasion, rather than just avoidance too, then this company should be shut down. It's entire existence is built around supporting corporate criminality. It's not the only one, but it's definitely the most prominent one.

      • by Anonymous Coward

        It's not an auditors job to air your dirty laundry (the levels of NDAs they're under would prohibit it anyway). They are there to make sure you use soap. Granted they likely would try to argue you showed them a box that looked like soap, it's their job - their bond - to prove that it was. They will become liable if it comes out later that you in fact did not use soap.

      • It's the same with consultants (though perhaps less legally questionable). e.g. CEO wants to outsource to somewhere, but doesn't want responsibility for the decision. Calls in management consultants. After paying them lots of money they write a report recommending outsourcing to somewhere. If outsourcing program works out, CEO claims responsibility. If it crashes and burns CEO blames the consultants.

        I think of them as professional fall guys.

      • Nothing of what you said is considered external auditing. That's closer to "IT consultation" or at best internal auditing.

        Internal Auditiors report directly to the CFO. External Auditors report to the auditing firm's partners and clients shareholders.

      • When people hear the word "audit" what most think of is "tax audit." I.E. someone is coming in to verify that you have documentation to back up the claims made when the taxes were filed. Don't have the documentation? You're in BIG TROUBLE with the law: Jail time + fines.

        The type of audit Facebook had is not this. These types of audits do something else:

        They make sure that controls are in place -- that the company being audited has working internal methods (internal audits) to catch things -- things li

      • One of the most interesting and insightful testimony on /..
  • Right. So this is like how Carillion (a big construction conglomerate in the UK) became insolvent just months after KPMG had given them the green light in an audit (for which they took millions in fees). Or how the various ratings agencies gave CDOs investment grade ratings despite them being based on total junk.

    I mean, it is just a sort of formalised corruption at this point. In south east asian they do it with brown paper bags under the table, over here they just buy the politicians so that what they are

  • Security audits and privacy audits are utterly useless for this case....Is the data secure? Is it private? The answer is no, and an audit like this is merely saying "we tried" even though in reality they weren't trying, they just wanted cya ability in court.
  • by orlanz ( 882574 ) on Friday April 20, 2018 @07:06AM (#56470423)

    The article and post play into the usual misunderstandings of what a true external audit is. A auditor NEVER gives a clean bill of health to ANYONE.

    It would be the equivalent of saying "My 14 year old daughter is incapable of lying!" Or to hit closer to this group "This networked system is totally secure for the next 10 years!" No, those are stupid! Any competent IT guy would say "This system has all the latest patches and best industry practices to remain secure." They would check a few patches and see if they were applied quickly enough to come to that conclusion.

    An auditor collects enough information from a client for an owner of the firm to provide a SECONDARY agreeing or decenting OPINION of the company's financial or security or operational position. The company can say "We are going bankrupt." and the auditor will say "I think they are right!"

    operating with sufficient effectiveness to provide reasonable assurance

    The key words that you will find in almost all audit work is "sufficient effectiveness" and "reasonable assurance". Which is complete true in this situation. Facebook doesn't have policies that give your data out to anyone. They don't violate their policies by doing such. A partner did really go above and beyond what they should have. Facebook failed to regulate such partner but may have had reasonable measures to prevent abuse.

    Also, keep in mind that auditors are not here to catch the client in lies, nor catch collusion between people (reportee buys a car, mgr approves, they sell & split profits).

    Basically the article is "Auditors did their job but it wasn't enough to prevent this."

  • The audit began in February 2015. In 2014, Facebook changed their API to remove the feature Cambridge exploited. In late 2015, Facebook realized what Cambridge had done.

    So it doesn't look to me like the auditors weren't doing their job, it looks like they did their job, helped uncover what happened, and were still able to give Facebook the thumbs up because they had already fixed the problem months before the audit began.

  • This is the same PWC that theoretically audited AIG before they went belly up with the financial crash. They also "audited" JPMC and then was fined for basically not doing their job. Seriously, PWC is who you hire when you want to report results without actually doing an audit. https://en.wikipedia.org/wiki/... [wikipedia.org]
  • by OneHundredAndTen ( 1523865 ) on Friday April 20, 2018 @08:21AM (#56470715)
    Those of us old enough remember the Arthur Andersen debacle only too well. The modus operandi is always the same: the companies carrying out the audit, usually requested by the companies being audited, simply do like the proverbial $25 whore.
  • Do none of these NYTimes twats know the word "scraping"? They seem Hell bent on trying to make what occurred appear like some l33t hacking operation.

  • If you've hired a "Big Accounting Firm", you've already failed. Alll those sleazeballs that advertise on the Sunday political shows? Do not hire them. Not ever. For anything. People who know, don't hire BDO. Or PWC, or any of the other "Big 4" Sleaze Firms.

  • by argStyopa ( 232550 ) on Friday April 20, 2018 @02:30PM (#56473313) Journal

    It didn't audit as a "leak" because it WASN'T A LEAK?

    This was the facebook API working essentially as intended. To a malign purpose (ie helping Trump) and to a degree in excess of what the researcher was expected to pull, but this was in no sense someone 'hacking' fb's systems to get information that wasn't intended to be collected somehow.

Don't get suckered in by the comments -- they can be terribly misleading. Debug only code. -- Dave Storer

Working...