NEW YORK — An audit of Facebook's privacy practices between 2015 and 2017 found no problems — even though the company knew during that time that Cambridge Analytica improperly obtained private data from millions of users.
The audit by PricewaterhouseCoopers is posted on the FTC's website, though it is heavily redacted. The audit was conducted for the Federal Trade Commission, after the agency and Facebook reached a settlement over its privacy practices. As part of the settlement, agreed to in 2011, Facebook would undergo outside audits every two years.
The report covers February 12, 2015, to February 11, 2017. In December 2015, Facebook executives became aware that Cambridge Analytica misappropriated information, CEO Mark Zuckerberg has testified. Facebook did not inform the affected users at the time, and it is not clear from the report whether the company informed PwC of the issue.
PwC essentially said that Facebook was operating an effective privacy program during that time period. "Facebook's privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of covered information," the report says.
Here is how Facebook described its privacy program in the report:
"Facebook protects covered information of users against unauthorized access," the company said. It stated that it had conducted assessments "verify[ing] that the technical, physical, and administrative security controls designed to protect covered information from unauthorized access ... are functioning properly."
"Facebook discloses covered information to third party developers only .... with the implicit or explicit consent of the individual," the company said.
The fact that PwC found no issues raises questions about whether such audits are useful.
The FTC has launched aninto whether Facebook's actions violated the consent decree.
Representatives for Facebook and PwC did not immediately respond to messages for comment early Friday.