Zuckerberg flubs details of Facebook privacy commitments

Over two days of questioning in Congress, Facebook CEO Mark Zuckerberg chief revealed that he didn't know key details of a 2011 consent decree with the Federal Trade Commission that requires Facebook to protect user privacy.

With congressional hearings over and no immediate momentum behind calls for regulation, the biggest hammer still hanging over Facebook in the U.S. is a fresh FTC investigation . The probe follows revelations that pro-Trump data-mining firm Cambridge Analytica acquired data from the profiles of millions of Facebook users. Facebook also faces inquiries in Europe.

The 2011 agreement bound Facebook to a 20-year privacy commitment , and any violations of that pact could cost Facebook a ton of money, even by its flush-with-cash standards. If Zuckerberg's testimony before Congress is any indication, the company might have something to worry about.

Zuckerberg repeatedly assured lawmakers Tuesday and Wednesday that he believed Facebook is in compliance with that 2011 agreement. But he also flubbed simple factual questions about the consent decree.

"Congresswoman, I don't remember if we had a financial penalty," Zuckerberg said under questioning by Colorado Rep. Diana DeGette on Wednesday.

"You're the CEO of the company, you entered into a consent decree and you don't remember if you had a financial penalty?" she asked. She then pointed out that the FTC doesn't have the authority to issue fines for first-time violations.

In response to questioning by Rep. Mike Doyle of Pennsylvania, Zuckerberg acknowledged: "I'm not familiar with all of the things the FTC said."

Zuckerberg also faced several questions from lawmakers about how long it takes for Facebook to delete user data from its systems. He didn't know.

The 2011 consent decree capped years of Facebook privacy mishaps, many of which revolved around its early attempts to follow users and their friends around the web. Any violations of the 2011 agreement could subject Facebook to fines of $41,484 per violation per user per day. To put that in context, Facebook could theoretically owe $8 billion for one single day of a violation affecting all of its American users.

The current FTC investigation will look at whether Facebook engaged in "unfair acts" that cause "substantial injury" to consumers.

David Vladeck, a Georgetown University law professor who headed the FTC's bureau of consumer protection when Facebook signed the deal, said in a blog post this month that Facebook's argument that it didn't violate the deal are "far-fetched." Two days of testimony didn't change his mind.

"Most of the reforms Facebook has talked about in the past couple of weeks proposed safeguards that should have been in place years ago," he said by email on Wednesday following 10 hours of Zuckerberg's testimony.

At issue are at least three sections of the decree .

The first requires that users give "affirmative express consent" any time that data they haven't made public is shared with a third party. Facebook also has to tell users what data will be shared, who the third parties are, and explicitly note that the sharing exceeds their privacy-setting restrictions.

"In my view, these requirements were not met," Vladeck said. Sen. Catherine Cortez Masto of Nevada made a similar point Tuesday, arguing that user consent couldn't have been buried in their privacy settings.

"It had to be something very specific. Something very simple," she said. "And that did not occur. Had that occurred, we wouldn't be here today talking about Cambridge Analytica."

A second portion of the decree forbids Facebook to share user-deleted data with third parties after 30 days, assuming the information was stored on servers under Facebook's control.

The third and broadest part binds Facebook to a "comprehensive privacy program" vetted by an outside auditor. The question raised there is whether Facebook acted reasonably and quickly when it found out there may have been breaches of the deal, according to law professor William Kovacic of George Washington University, who served as an FTC commissioner when Facebook was being investigated but left before the settlement was announced.

Facebook has argued that it only shared data that was made public by users, or permitted by their privacy settings. Zuckerberg said Wednesday that audits it committed to never turned up problems.

"Was it deliberate? Was it inadvertent? Was there a dramatic lack of care?" Kovacic said. "Everything depends on how they go through this painstaking process of looking at what Facebook promised and what it actually did."

The largest fine the FTC has ever imposed in a privacy case was a $22.5 million award in a settlement with Google in 2012. Kovacic said the investigation could take several months. If a case is brought, it would be prosecuted by the Justice Department.

___

Follow AP Technology Writer Ryan Nakashima at https://twitter.com/rnakashi