IE 11 is not supported. For an optimal experience visit our site on another browser.

A timeline of Facebook's privacy issues — and its responses

Facebook’s recent crisis is just one of many privacy issues that company has had to deal with in its relatively short existence.
Image: Mark Zuckerberg
Facebook CEO Mark Zuckerberg speaks at the F8 summit on March 25, 2015 in San Francisco, California.Josh Edelson / AFP - Getty Images file

SAN FRANCISCO — Facebook’s recent crisis is just one of many privacy issues that company has had to deal with in its relatively short existence.

Barely two years old in 2006, the company faced user outrage when it introduced its News Feed. A year later it had to apologize for telling people what their friends had bought. Years after that, the Federal Trade Commission stepped in — and is now looking at the company again. Facebook has a history of running afoul of regulators and weathering user anger, all the while collecting record profits and racking up more than 2 billion users.

Those privacy issues are now front and center. Facebook's loose handling of how its data was acquired by app developers has plunged the company into the biggest crisis of its 14-year existence. The revelation that a data analytics company used by Donald Trump’s presidential campaign was able to surreptitiously collect data on 50 million people through a seemingly innocuous quiz app has forced CEO Mark Zuckerberg to issue a public apology — and promise changes.

Taking a step back to look at Facebook’s pattern of privacy issues provides an important perspective on just how many times the company has faced serious criticism. What follows is a rundown of the biggest privacy issues Facebook has faced to date:

When: September 2006

What: Facebook debuts News Feed

Facebook’s response: Tells users to relax

Facebook was only two years old when it introduced News Feed on Sept. 5, 2006. The curated feed was intended as a central destination so users didn't have to browse through friends' profiles to see what they had changed.

Facebook had about 8 million users at the time, and not all of them were happy about every move of their personal life being blasted into a daily feed for their friends.

An estimated 1 million users joined "Facebook News Feed protest groups," arguing the feature was too intrusive. But Facebook stayed the course.

“One of the things I'm most proud of about Facebook is that we believe things can always be better, and we're willing to make big bets if we think it will help our community over the long term,” Zuckerberg said in a post reflecting on the 10th anniversary of News Feed.

The outrage died down, and News Feed became a major part of Facebook’s success.

When: December 2007

What: Beacon, Facebook’s first big brush with advertising privacy issues

Facebook’s response: Zuckerberg apologizes, gives users choice to opt out

There was once a time when companies could track purchases by Facebook users and then notify their Facebook friends of what had been bought -- many times without any user consent.

USA - Technology Facebook Creator Mark Zuckerberg
Facebook creator Mark Zuckerberg poses at Harvard University on May 14, 2004.Rick Friedman / Corbis via Getty Images

In an apology on Dec. 6, 2007, Zuckerberg explained his thought process behind the program, called Beacon, and announced that users would be given the option to opt out of it.

“We were excited about Beacon because we believe a lot of information people want to share isn’t on Facebook, and if we found the right balance, Beacon would give people an easy and controlled way to share more of that information with their friends,” he said.

At the time, Facebook was also talking to the Federal Trade Commission (FTC) about online privacy and advertising.

When: November 2011

What: Facebook settles FTC privacy charges

Facebook’s response: Facebook agrees to undergo an independent privacy evaluation every other year for the next 20 years.

Facebook settled with the Federal Trade Commission in 2011 over charges that it didn't keep its privacy promise to users by allowing private information to be made public without warning.

Regulators said Facebook falsely claimed that third-party apps were able to access only the data they needed to operate. In fact, the apps could access nearly all of a user’s personal data. Facebook users that never authenticated a third-party app could even have private posts collected if their friends used apps. Facebook was also charged with sharing user information with advertisers, despite a promise they wouldn’t.

"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," Jon Leibowitz, then chairman of the FTC, said at the time. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."

As part of the agreement in 2011, Facebook remains liable for a $16,000-per-day penalty for violating each count of the settlement.

When: June 2013

What: Facebook bug exposes private contact info

Facebook’s response: Facebook fixes bug, notifies people whose info may have been exposed.

A bug exposed the email addresses and phone numbers of 6 million Facebook users to anyone who had some connection to the person or knew at least one piece of their contact information.

The bug was discovered by a White Hat hacker — someone who hacks with the intention of helping companies find bugs and build better security practices.

When people joined Facebook and uploaded their contact lists, Facebook explained it would match that data to other people on Facebook in order to create friend recommendations.

“For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook,” Facebook’s team explained in a June 2013 message.

That information was “inadvertently stored in association with people’s contact information,” Facebook said. That meant that when a Facebook user chose to download their information through Facebook’s DYI tool, they were provided with a list of additional contact information for people they knew or with whom they may have had some association.

Facebook said it pulled the tool offline and fixed it. The company also said it had notified regulators and pledged to tell affected users.

When: July 2014

What: Mood-manipulation experiment on thousands of Facebook users

Facebook’s response: Facebook data scientist apologizes

Facebook's mood-manipulation experiment in 2014 included more than half a million randomly selected users. Facebook altered their news feeds to show more positive or negative posts. The purpose of the study was to show how emotions could spread on social media. The results were published in the Proceedings of the National Academy of Sciences, kicking off a firestorm of backlash over whether the study was ethical.

Adam D.I. Kramer, the Facebook data scientist who led the experiment, ultimately posted an apology on Facebook. Four years later, the experiment no longer appears to be online.

“I can understand why some people have concerns about it, and my co-authors and I are very sorry for the way the paper described the research and any anxiety it caused,” he wrote, according to The New York Times.

When: April 2015

What: Facebook cuts off apps from taking basically all the data they want

Facebook’s response: Please keep building apps

If Person A downloads an app, that app shouldn’t be able to suck data from Person B just because they’re friends, right? In 2014, Facebook cited privacy concerns and promised it would limit access to developers. But by the time the policy took effect the next year, Facebook had one big issue: It still couldn’t keep track of how many developers were using previously downloaded data, according to current and former employees who spoke with The Wall Street Journal.

Image: Chris Wylie
Chris Wylie, from Canada, who once worked for the UK-based political consulting firm Cambridge Analytica, gives a talk entitled "The Most Important Whistleblower Since Snowden: The Mind Behind Cambridge Analytica" at the Frontline Club in London on March 20, 2018.Matt Dunham / AP

When Paul Grewal, Facebook vice president and deputy general counsel announced Cambridge Analytica’s ban from Facebook last week, he said Facebook has a policy of doing ongoing manual and automated checks to ensure apps are complying with Facebook policies.

“These include steps such as random audits of existing apps along with the regular and proactive monitoring of the fastest growing apps,” he said.

When: January 2018

What: Europe’s data protection law

Facebook’s response: Facebook complies

Facebook has also began preparing for the start of a strict European data protection law that takes effect in May. Called the General Data Protection Regulation, the law governs how companies store user information and requires them to disclose a breach within 72 hours.

In January, Facebook released a set of privacy principles explaining how users can take more control of their data.

One particularly notable principle many will be watching to see if Facebook upholds is accountability.

"In addition to comprehensive privacy reviews, we put products through rigorous data security testing. We also meet with regulators, legislators and privacy experts around the world to get input on our data practices and policies," Facebook's team said in January.

When: February 2018

What: Belgian court tells Facebook to stop tracking people across the entire internet

Facebook’s response: Appeal the court’s ruling

In February, Facebook was ordered to stop collecting private information about Belgian users on third-party sites through the use of cookies. Facebook was also ordered to delete all data it collected illegally from Belgians, including those who aren't Facebook users but may have still landed on a Facebook page, or risk being fined up to 100 million euros.

Facebook said it has complied with European data protection laws and gives people the choice to opt out of data collection on third-party websites and applications. The company said it would appeal the ruling.

When: March 2018

What: Revealed that Facebook knew about massive data theft and did nothing

Facebook’s response: An apology tour and policy changes

The world finally got the answer to the question “Where’s Zuck?” on Wednesday when the Facebook CEO and co-founder broke his silence on the data harvesting allegations. In a statement posted on his Facebook wall, Zuckerberg avoided the word “sorry” but did express partial blame for Facebook’s role in not doing enough to protect user privacy.

Image: Facebook holds annual F8 developers conference in San Jose, California
Facebook Founder and CEO Mark Zuckerberg speaks at the annual Facebook developers conference in San Jose, California, in 2017.Stephen Lam / Reuters file

He laid out three steps Facebook will take now, including investigating all apps that were able to access user data before 2014, when the company began changing its permissions for developers. Facebook will put restrictions on the data apps can access, limiting them to a person’s name, photo and email. Finally, Zuckerberg said Facebook will make an easy tool that lets everyone see which apps have access to their data and allow them to revoke access.

"I've been working to understand exactly what happened and how to make sure this doesn't happen again,” he wrote. “The good news is that the most important actions to prevent this from happening again today we have already taken years ago. But we also made mistakes, there's more to do, and we need to step up and do it."