Mark Zuckerberg held his own in a half-day of Senate grilling Tuesday, but lawmakers managed to throw the 33-year-old off-script a couple of times, and elicited a few nuggets of new information about Facebook’s role in the 2016 election.
In five hours of testimony before a joint hearing of the Senate’s Judiciary and Commerce committees, Zuckerberg replayed the line of defense he started airing last month after new details of the 2014 Cambridge Analytica data spill threw an intense spotlight on Facebook’s practices. More than once he apologized and accepted responsibility, outlined the company’s steps to improve, and gently resisted suggestions that Facebook acted in violation of an FTC consent decree or its own policies.
It was nearly two hours in before Zuckerberg appeared to be taken by surprise. That was when Sen. Richard Blumenthal (D-CT) interrogated Zuckerberg about the app at the center of Facebook’s current troubles. Called “This Is Your Digital Life,” that app was used by data researcher Aleksandr Kogan to gather profile information on as many as 87 million Facebook users.
Facebook’s position is that Kogan, through his firm GSR, violated Facebook’s rules when he transferred the harvested data to the shady campaign consulting firm Cambridge Analytica. But Blumenthal produced a poster board blow-up showing an excerpt from the app’s terms of service, which explicitly spelled out Kogan’s intentions: “[Y]ou permit GSR to edit, copy, disseminate, publish, transfer, append or merge with other databases, sell, license (by whatever means and on whatever terms) and archive your contribution and data.”
According to Blumenthal, Kogan submitted that language to Facebook’s app review team as part of the approval process. “Facebook was on notice that he could sell that user information,” Blumenthal charged. “Have you seen those terms of service before?”
“I have not,” Zuckerberg admitted, adding later, “It certainly appears that we should have been aware that this app developer submitted a term that was in conflict with the rules of the platform.”
The Kogan app isn’t the only time Facebook missed an opportunity to head off a privacy disaster. As The Daily Beast reported, the company separately ignored a security researcher’s 2013 report that a feature of Facebook’s search engine could be used to illicitly compile data on virtually all its users. In a written statement ahead of his testimony, Zuckerberg admitted the search engine loophole was later abused in exactly that way.
Elsewhere in his testimony, Zuckerberg laid out some of the behind-the-scenes work Facebook is doing to combat future Russian election interference operations. In addition to deleting about 550 accounts set up by the Internet Research Agency, Russia’s notorious troll farm, Facebook has purged an enormous number of accounts that appeared similar, but were hard to definitively link to Russia.
“There are many others that our systems catch that are more difficult to attribute to Russian intelligence,” Zuckerberg said. “But the number would be tens of thousands of accounts removed.”
“This is going to be an ongoing conflict,” Zuckerberg said later in the hearing. “I don’t think it would be a realistic expectation to assume that as long as there are people who are employed in Russia for whom this is their job, that we’re going to have zero amount of that, or that we’re going to be 100 percent successful at preventing that.”
While he faulted himself for acting too slowly to counter the Internet Research Agency, Zuckerberg credited Facebook with acting early in the computer intrusion aspect of Russia’s election interference. In the heat of the 2016 campaign, he said, Facebook discovered that Russia’s hackers were targeting the candidates, and warned “the campaigns that they were trying to hack into them.”
That’s a new claim from Facebook, and one that was quickly challenged on Twitter by former Hillary Clinton campaign official Robby Mook. “This is not true. We were never notified.”
Facebook security chief Alex Stamos chimed in with a tweet clarifying Zuckerberg’s claim. According to Stamos, Facebook contacted the Democratic and Republican National Committees, rather than the candidates. “We contacted the DNC and RNC during this time to protect the accounts of key employees and to work together to spot potential additional malicious activity,” he wrote. “We also were in contact with the FBI.”