Facebook Inc.’s loose approach to policing how app creators and others deployed its user data persisted for years, including after a 2015 effort by the social network to restrict access, according to court documents and people familiar with Facebook. The social-media giant is now dealing with the fallout.
The Federal Trade Commission is investigating whether Facebook violated terms of a 2011 settlement when data of up to 50 million users was transferred to an analytics firm tied to President Donald Trump’s campaign, a person familiar with the matter said on Tuesday. If the FTC finds that Facebook violated the settlement terms, the company could face millions of dollars in fines.
That firm, Cambridge Analytica, said Tuesday it is launching its own investigation to determine if the company engaged in any wrongdoing. In addition, it said it was suspending its chief executive, Alexander Nix, after a video released Monday depicted Mr. Nix touting campaign tactics such as entrapping political opponents with bribes and sex. A spokesman said the comments by Mr. Nix in the video “do not represent the values or operations of the firm, and his suspension reflects the seriousness with which we view this violation.”
Meanwhile, Canada’s privacy commissioner said Tuesday it had formally opened its own investigation into alleged unauthorized access and use of Facebook user profiles, focusing on the company’s compliance with Canada’s privacy law.
The user-data controversy, which knocked another 2.6% off Facebook’s stock price Tuesday, after it fell 6.8% Monday, underscores the broad challenge for Facebook: how to balance the pursuit of digital advertising dollars, which depend on selling access to user data, with protecting the privacy and personal data of its more than two billion monthly users.
The Cambridge Analytica crisis has its roots in a 2007 decision by Facebook to open access to its so-called social graph — the web of friend connections, “likes” and other Facebook activity that knit users together.
While advertisers pay to reach Facebook’s users, developers were for years able to tap that data by creating an app that plugged into Facebook’s platform. Tens of thousands of app developers and others used the data, giving birth to a new crop of dating and job-search apps, as well as a new form of political campaigning.
Although Facebook had rules stating the terms under which developers could accumulate data, it appeared not to be able to ensure its rules were being followed, developers and former employees said. In interviews, developers said Facebook was sometimes unclear about how they could use the data they gathered from the platform.
“Their enforcement mechanism is, if they notice it, they tell you to stop,” says Nick Soman, founder and chief executive of the health-care company Decent, who has accessed Facebook’s data in the past.
In 2010, The Wall Street Journal reported that online tracking firm RapLeaf Inc. was using Facebook data to build databases of personal user information and selling the data to political advertisers and others, in some cases transmitting users’ ID numbers. At the time, RapLeaf said the transmission of the data was inadvertent and stopped.
The episode prompted Facebook to build a way to tag a developer’s data so that if it leaked, the company could trace it back to the source, according to a person familiar with the matter. This analysis could only be done after Facebook was alerted to a potential violation, the person said.
In 2011, Facebook users started complaining to the social network that some of their old profile data was inexplicably posted for anyone to view on a little-known search site called Profile Engine, court records allege. Facebook sued the developer two years later, saying it had violated its agreement, but not before the details of about 420 million user profiles were collected, according to the court records.
Early on, almost anyone could create a Facebook app and access a trove of data about the site’s users. President Barack Obama’s 2012 re-election campaign, for example, created a voter-outreach app that found other potential supporters among its users’ connections on Facebook by plugging directly into the company’s platform.
In 2014, Facebook said it would restrict developers’ access to many data points about app users’ friends, citing privacy concerns. But even after the policy went into effect in 2015, Facebook couldn’t proactively keep track of how developers used previously downloaded data, according to current and former employees. By 2016, Facebook had changed its platform rules, making it impossible for other campaigns to do the same.
“On an ongoing basis, we also do a variety of manual and automated checks to ensure compliance with our policies and a positive experience for users,” a Facebook spokesman said.
The Facebook data allegedly used by Cambridge Analytica was provided by an academic who wasn’t authorized to share the user data under Facebook’s policies. Cambridge Analytica has said it didn’t break Facebook’s rules.
On Friday, Facebook said it learned about the academic sharing the data in 2015 and demanded the parties delete the data. Facebook said it learned this month the parties kept those records despite saying the information had been destroyed.
Sandy Parakilas, a former Facebook platform-operations manager from 2011 to 2012, said in an interview that Facebook was primarily alerted to data-policy violations from media reports or companies that said competing apps were breaking Facebook’s rules.
According to Mr. Parakilas, a media report in 2011 said the social-media startup Klout Inc. had created profiles for minors without their knowledge using Facebook data. Klout quickly stopped the practice after the report, Mr. Parakilas said.
Soon after, Mr. Parakilas said, he called Klout’s management team to ask if the startup was violating Facebook’s data policies. Klout officials denied it violated the policies, Mr. Parakilas said, and he asked the company to make sure it wasn’t violating the policies in the future.
“And that was it. They continued to access the platform,” Mr. Parakilas said in an interview. “We never got to the answer of what happened.”
He added: “The main enforcement mechanism was call them and yell at them.”
Klout couldn’t be immediately reached for comment.
Facebook in 2015 rolled out new restrictions to the type of data outside parties could access, making it harder for them in particular to get data on a user’s friend base. Developers and other parties were informed of the change through an email.
But Facebook didn’t instruct developers to delete the data they had already captured, nor did it follow up to see if developers were still using it, according to some developers.
—Jim Oberman and John D. McKinnon contributed to this article.
Write to Deepa Seetharaman at Deepa.Seetharaman@wsj.com and Kirsten Grind at firstname.lastname@example.org
Appeared in the March 21, 2018, print edition as ‘Lax Data Policies Haunt Facebook.’