A full year after the Cambridge Analytica scandal pushed Facebook's data-gathering practices into the spotlight, the social network is still struggling to show it can take users' privacy seriously while maintaining substantial profits -- $22 billion on $56 billion in revenue last year -- that rely on selling user access to advertisers. Investigations that started in the wake of Cambridge continue, and legal challenges have multiplied, accusing Facebook of ignoring its most controversial impacts on society in a push to boost its bottom line.
Here is a running update of Facebook's status on matters of data privacy and its various legal dealings with state, federal and private parties.
Cracking down on hate speech
April 8 -- Facebook has banned a handful of Canadian far-right activists from its platform, including Faith Goldy, Kevin Goudreau and a handful of others who have been described as white supremacists. Canadian government officials praised the move.
Immigration Minister Ahmed Hussen drew a line between Facebook-enabled hate speech and the shootings in Pittsburgh and in Christchurch, New Zealand, which were carried out by white terrorists.
"We've seen hate speech fuel the attack against Pittsburgh, at the synagogue. We've seen more recently in Christchurch worshipers gunned down. This is real and it has consequences. And we're very glad that Facebook has taken the actions that it has," he said at a press conference.
March 27 -- Facebook is banning white separatism and white nationalism from its network, the company said. It's the most sweeping move against supremacist ideologies the company has taken.
"Today we're announcing a ban on praise, support and representation of white nationalism and separatism on Facebook and Instagram, which we'll start enforcing next week. It's clear that these concepts are deeply linked to organized hate groups and have no place on our services," Facebook announced in a blog post.
The announcement comes two weeks after a white nationalist sympathizer in New Zealand carried out a mass shooting that killed more than 50 people, which he live-streamed on the platform. The social media giant has come under fire for enabling the spread of hate speech and Nazi and separatist ideologies.
While Facebook has long banned what it calls white supremacy, it has long put "white nationalism" and "white separatism" in a different bucket, Vice reported earlier this year. Civil rights historians say those ideologies are identical to white supremacy.
Critics have "raised these issues to the highest levels at Facebook (and held) a number of working meetings with their staff as we've tried to get them to the right place," Kristen Clarke, president and executive director of the Lawyers' Committee for Civil Rights Under Law, told the Associated Press.
"This is long overdue as the country continues to deal with the grip of hate and the increase in violent white supremacy," she said. "We need the tech sector to do its part to combat these efforts."
Facebook said it changed its policies after speaking with academics and experts in "race relations" and reviewing what it knew about hate groups.
"Our policies have long prohibited hateful treatment of people based on characteristics such as race, ethnicity or religion - and that has always included white supremacy. We didn't originally apply the same rationale to expressions of white nationalism and separatism because we were thinking about broader concepts of nationalism and separatism - things like American pride and Basque separatism, which are an important part of people's identity," the company said. "Going forward, while people will still be able to demonstrate pride in their ethnic heritage, we will not tolerate praise or support for white nationalism and separatism."
Enforcement is key to effectively suppressing these ideologies, and in that area, Facebook's record has been inconsistent, internet experts say. After the New Zealand shooter's live-stream, more than a million copies of the video were uploaded to the platform en masse, and some of those evaded the company's screening tools. Facebook has also allowed advertisers to target anti-Semites and neo-Nazis on its platform as late as last month.
U.K. to Facebook: Regulations are coming
April 8 -- Britain's government announced a plan to create the world's first independent regulator to protect users from "online harms." In a more than 100-page white paper outlining the plan, which must first be approved by Parliament, the government said the new agency will impose a "duty of care" on social media, search, messaging and even file-sharing platforms, requiring them to ensure a range of illegal or abusive content can't be shared.
It would be the world's first such agency, and internet giants could face enormous fines if they fail to prevent the spread of harmful material, and senior management could face legal consequences if found to be negligent.
In a statement to CBS News, Facebook seemed open to increased regulation.
"We have responsibilities to keep people safe on our services and we share the government's commitment to tackling harmful content online," said Rebecca Stimson, Facebook's Head of U.K. Public Policy. "As Mark Zuckerberg said last month, new regulations are needed so that we have a standardized approach across platforms and private companies aren't making so many important decisions alone."
However, other social media and tech behemoths may be less amenable to the new agency. A spokesperson for an industry lobbying group founded in 2012 by Google, Amazon, eBay, and Facebook, criticized the announcement as vague in a statement to CBS News.
"The scope of the recommendations is extremely wide, and decisions about how we regulate what is and is not allowed online should be made by parliament." said Daniel Dyball, the Internet Association's U.K. executive director.
Still not good with data
April 3 -- As many as one-quarter of Facebook's users likely had their information exposed on an Amazon server, a cybersecurity research firm said.
More than 540 million records about Facebook users were publicly exposed on Amazon's cloud computing service, according to a report out April 3 from UpGuard. The report said that two third-party Facebook app developers posted the records in plain sight, causing yet another major data breach for the world's biggest social network.
UpGuard said that it alerted the two companies responsible, but no action was taken until the report's release.
March 25 -- Facebook admitted that it had stored millions of user passwords in plain text for years. The announcement comes after security researcher Brian Krebs posted about the issue online.
The company said that it discovered the flub "as part of a routine security review" last month. The un-encrypted passwords were stored on internal company servers and not accessible to outsiders, the company said. It also said there is no evidence that employees "abused or improperly accessed" the data. But the incident reveals a huge oversight for the company amid a slew of bruises and stumbles in the last couple of years.
The security blog KrebsOnSecurity said some 600 million Facebook users may have had their passwords stored in plain text. Facebook said it would likely notify "hundreds of millions" of Facebook Lite users, millions of Facebook users and tens of thousands of Instagram users.
At least one thing is settled
March 20 -- Facebook settled a lawsuit this week that accused the company of enabling discrimination in housing, job and credit ads, which is against the law. The settlement involves the largest overhaul of Facebook's advertising system since its inception.
That targeted advertising system is the company's major revenue driver. Under the settlement, which took 18 month to reach, Facebook will no longer allow ads for jobs, housing or credit to target users by their gender, ZIP code or age, and will include other protections for characteristics including race, national origin and sexual orientation.
Zuckerberg: Please regulate me
April 1 -- After years of resisting regulation of the tech industry and his company, Facebook CEO Mark Zuckerberg has penned an op-ed asking for more government oversight. In a Washington Post piece on Saturday titled "The Internet needs new rules," Zuckerberg called for government oversight in the areas of harmful speech, election interference, privacy and control over users' data.
Facebook's global scale means "we have a responsibility to keep people safe on our services. That means deciding what counts as terrorist propaganda, hate speech and more," he wrote, "but at our scale we'll always make mistakes and decisions that people disagree with." Referencing Facebook's struggles with disclosing political advertisers, he called for laws creating "common standards for verifying political actors."
"And there are also important questions about how political campaigns use data and targeting. We believe legislation should be updated to reflect the reality of the threats and set standards for the whole industry," he wrote. Zuckerberg also called for expanding Europe's privacy law, known as GDPR, around the world and making it easier for users to move their data from one online platform to another.
"Facebook isn't the only one doing it. Most of these big tech companies understand that regulation is coming and they want to take part in shaping how that regulation actually looks," CNET executive editor Roger Cheng told CBS News. Democratic senators and state attorneys general have been calling for regulations on Facebook since well before the Cambridge Analytica scandal, Cheng said, but the split control of Congress has hampered any actual law-making.
Housing discrimination through ads alleged
March 28 -- Facebook settled job-discrimination charges, but so far it hasn't been able to reach a similar settlement over housing. Last August, the U.S. Department of Housing and Urban Development filed an administrative complaint over Facebook's housing ads. On March 28, HUD charged Facebook with violating the Fair Housing Act, which prohibits discrimination in housing based on race, sex, color, national origin, disability, religion or family status.
HUD said the social media giant sold targeted ads that allowed landlords and other advertisers to exclude certain groups, such as parents and immigrants. HUD also claims Facebook allowed advertisers to exclude people who live in certain neighborhoods as well as display ads only to women or to men.
"Using a computer to limit a person's housing choices can be just as discriminatory as slamming a door in someone's face," HUD Secretary Ben Carson in a statement.
Fake accounts purged – again
April 1, 2019: 1,100 fakes removed
Ahead of the Indian elections starting April 11, Facebook said it took down more than 1,100 fake pages and accounts based in India and Pakistan. About 100 of these accounts were on both Facebook and Instagram, with a combined follower count of 2.8 million, Facebook said. The accounts posted about Pakistani general interest topics, Kashmir community issues and local and political news, according to Facebook. "Although the people behind this activity attempted to conceal their identities, our investigation found that it was linked to employees of the ISPR (Inter-Service Public Relations) of the Pakistani military," Facebook said.
The company removed 687 accounts linked to Indian IT firm Silver Touch. A "majority" of these accounts had already been suspended by Facebook's AI systems, the company said. More than 300 other pages and accounts were taken down for spamming, Facebook said.
March 27, 2019: 2,600 fakes removed
Facebook said it took down more than 2,600 items on Tuesday, March 27, the latest salvo in the social media giant's efforts to quash "inauthentic behavior" on its platform. That term can encompass a range of activities from spam to trolling.
The 2,632 items included accounts, pages and groups active on Facebook and Instagram, the company said. More than 1,900 were Russian accounts that posted spam, such as ads for remote work, as well as some articles on the conflict in Eastern Ukraine. About 500 accounts were tied to Iran and posted content that looked like media or news reports, while about 200 accounts run from Macedonia and Kosovo posted astrology news, celebrity content and beauty tips.
In its post, Facebook said it was cracking down on this type of activity "because we don't want our services to be used to manipulate people." The company emphasized that it was taking issue with the "behavior" of the accounts--coordinating with each other and misrepresenting who they were--rather than the content they posted.
So far this year, Facebook has taken down accounts linked to the U.K., Romania, Moldova and Indonesia. The social-media giant has come under fire for allowing rampant misinformation and spam on its platform in 2016, a year when the U.K. was voting whether to leave the European Union and Americans were electing a new president.
Someone at Facebook knew about Cambridge
March 22 -- Court documents cast into doubt Facebook's narrative that the company was just as much a victim of Cambridge Analytica's unsavory data practices as the 50 million user who the company manipulated. At least some Facebook employees were aware of Cambridge's data practices and warned Facebook about them, court documents filed last week reveal.
The warning supposedly happened in September 2015, whereas Facebook executives maintain that they first learned about Cambridge's data scraping months later, in December 2015. Facebook spokespeople acknowledged the September warning to CBS News, but dismissed it as "speculation."
Company consolidates while others talk breakups
Some early supporters of Facebook are now speaking out against the company. Roger McNamee, an early backer who says the investment has earned him millions, now holds that the social network is "terrible for America." In his book "Zucked," published in January, McNamee calls for breaking up the company (a position that's been echoed up by several 2020 presidential contenders).
At the same time, Facebook is making moves that would make a breakup of the company more difficult, according to privacy advocates. The company announced it would consolidate Facebook Messenger, WhatsApp and Instagram under one messaging system, in what it describes as a pivot to one-on-one and private messaging. However, privacy advocates are skeptical of the company's motivations.
"I think they're doing it to try to fend off regulation in both the competition and privacy areas," Christine Bannan, consumer protection counsel at the Electronic Privacy Information Center, previously told CBS News.
Facebook also faces an executive brain drain as part of the pivot. Its chief product officer, Chris Cox, and the head of WhatsApp, Chris Daniels, both announced their departure in the wake of Facebook's refocus on private messaging.
Federal probes and penalties
It's not just Cambridge Analytica. In addition to that scandal, many of Facebook's data-collection practices have come under scrutiny.
The New York Times reported this month that federal prosecutors are looking into Facebook's data-sharing deals with technology companies. In those agreements, which the Times revealed in December, Facebook gave developers deeper access to users' data than it publicly said it did. The full scope of the investigation is unknown, but a New York grand jury subpoenaed records from two smartphone makers, according to the Times.
Meanwhile, the criminal and civil investigations launched in the wake of Cambridge Analytica remain unresolved. The Department of Justice, Securities and Exchange Commission and Federal Trade Commission are all investigating Facebook's agreements.
In a statement, Facebook confirmed "that there are ongoing federal investigations, including by the Department of Justice. As we've said before, we are cooperating with investigators and take those probes seriously. We've provided public testimony, answered questions, and pledged that we will continue to do so," the company said.
Separately from its potential criminal liabilities, Facebook is reportedly discussing a multibillion-dollar settlement with the Federal Trade Commission over its Cambridge Analytica deals. The FTC reached an agreement with Facebook in 2012 under which Facebook promised to take safeguards with its users' personal data. Revelations that it had sold millions of users' data without their consent to a purported research, however, put in question whether it was abiding by those terms.
The Washington Post reported last month that the two parties are discussing a fine of several billion, which would be the largest the FTC ever imposed on a tech company. The biggest payment the FTC has ever demanded from a company was $22.5 million, from a 2012 settlement with Google over alleged privacy violations in the Safari browser.