Facebook Inc. FB -1.72% uncovered emails that appear to connect Chief Executive Mark Zuckerberg to potentially problematic privacy practices at the company, according to people familiar with the matter.
Within the company, the unearthing of the emails in the process of responding to a continuing federal privacy investigation has raised concerns that they would be harmful to Facebook—at least from a public-relations standpoint—if they were to become public, one of the people said.
The potential impact of the internal emails has been a factor in the tech giant’s desire to reach a speedy settlement of the investigation by the Federal Trade Commission, one of the people said. Facebook is operating under a 2012 consent decree with the agency related to privacy, and the emails sent around that time suggest that Mr. Zuckerberg and other senior executives didn’t make compliance with the FTC order a priority, the people said.
It couldn’t be determined exactly what emails the agency has requested and how many of them relate to Mr. Zuckerberg.
The FTC investigation began more than a year ago after reports that personal data of tens of millions of Facebook users improperly wound up in the hands of Cambridge Analytica, a data firm that worked on President Trump’s 2016 campaign. The FTC is investigating whether that lapse violated the 2012 consent decree with the agency in which Facebook agreed to better protect user privacy. Since the Cambridge Analytica affair, other privacy missteps have come to light, adding to Facebook’s headaches.
Facebook has been eager to strike a deal with the FTC and put the Cambridge Analytica scandal behind it. The firm said in April it was expecting to pay up to $5 billion as part of an accord with the agency.
“We have fully cooperated with the FTC’s investigation to date and provided tens of thousands of documents, emails and files. We are continuing to work with them and hope to bring this matter to an appropriate resolution,” a Facebook spokesperson said on Tuesday in a statement. On Wednesday, after publication of this article, the company sent an additional statement, saying: “At no point did Mark or any other Facebook employee knowingly violate the company’s obligations under the FTC consent order nor do any emails exist that indicate they did.”
It couldn’t be determined whether any of the emails—which have been described by people familiar with them but not reviewed by The Wall Street Journal—reveal practices that violated the 2012 accord. Any evidence that Mr. Zuckerberg was directly involved in a potential failure on Facebook’s part to honor the terms of its consent decree with the FTC could complicate efforts on both sides to resolve the matter.
At least some internal emails already provided to the agency show Facebook grappling with gray areas in how it should address privacy under the consent order, with Mr. Zuckerberg closely involved, according to people familiar with the messages.
In one email exchange from April 2012 that has caught regulators’ attention, according to a person familiar with the matter, Mr. Zuckerberg asked employees about an app that claimed to have built a database stocked with information about tens of millions of Facebook users. The developer had the ability to display that user information to others on its own site, regardless of those users’ privacy settings on Facebook, the person said.
Mr. Zuckerberg wanted to know if such extensive data collection was possible and if Facebook should do anything to stop developers from displaying that data, the person said.
Another employee responded to Mr. Zuckerberg’s question, saying it was possible and many developers do the same thing but adding it was a complicated issue, the person said.
Share Your Thoughts
Do you think Facebook is committed to protecting user privacy? Why or why not? Join the conversation below.
The discussion continued without Mr. Zuckerberg or anyone else suggesting by email that the company investigate how many other apps were stockpiling user data, the person said. Eventually Facebook suspended the app in question, the person said, adding that it didn’t move aggressively to address the broader problem.
At the time, Facebook executives were largely focused on increasing the company’s user base and adding advertisers, and appeared to be less diligent about enforcing its data-use rules, developers and former employees have said. The company had repeatedly said it was too slow to react to privacy and security issues.
That email exchange occurred after the FTC’s consent decree had been announced but before it went into effect. The decree says Facebook must honor a user’s privacy settings and not share data without a user’s explicit permission. If it had been in effect at the time, the stockpiling of such user data would potentially have violated it. Mr. Zuckerberg’s message seemed to indicate he was aware of that, according to the person who was familiar with the exchange.
FTC staffers have been exploring the episode as part of the investigation, the person said.
A multibillion-dollar civil penalty would be a record for the FTC, but the agency is under pressure from some lawmakers to extract more punitive terms or litigate the matter, since even such a large financial penalty would inflict little pain on the tech giant.