Audit Approved of Facebook Policies, Even After Cambridge Analytica Leak (nytimes.com)
Nicholas Confessore reports via The New York Times: An auditing firm responsible for monitoring Facebook for federal regulators told them last year that the company had sufficient privacy protections in place, even after the social media giant lost control of a huge trove of user data that was improperly obtained by the political consulting firm Cambridge Analytica. The assertion, by PwC, came in a report submitted to the Federal Trade Commission in early 2017. The report, a redacted copy of which is available on the commission's website, is one of several periodic reviews of Facebook's compliance with a 2011 federal consent decree, which required Facebook to take wide-ranging steps to prevent the abuse of users' information and to inform them how it was being shared with other companies. The accounting firm, formerly known as PricewaterhouseCoopers, effectively gave Facebook a clean bill of health. "Facebook's privacy controls were operating with sufficient effectiveness to provide reasonable assurance to protect the privacy" of users, said the assessment, which stretched from February 2015 to February 2017. But during that period, Facebook was aware that a researcher based in Britain, Aleksandr Kogan, had provided Cambridge Analytica with private Facebook data from millions of users.
The Cambridge Analytica leak was the result of technical incompetence and poor code review, not bad policy at the level an auditor would see. It is not reasonable to expect a financial auditor to discover bad code.
Yep, posting anonymously for obvious reasons, but I work for a financial services firm, and we had an issue that meant people unfairly getting rejected for mortgages because the analytics team had completely fucked up some scoring calculations. This was reported to the regulator as we had a legal obligation to do so, and we had to get auditors in to confirm the validity of our fix and processes, and to prevent this happening again.
The auditor was also PwC, and I had to work closely with them to help provide them the information they needed.
Make no mistake, when people pay a company like PwC to "audit" them and "hold them to account", they're not paying for that at all. What they're paying for is a company with a big legal department backing its auditors to come in and help them evade any legal ramifications stemming from their mistake. The auditors don't, for example, remotely report back to anyone independent any failings, so there's no holding to account off the back of these audits. All they do is linger around, charging by the day, to help try and spot any mistakes you've made and help you cover them up; when you've done that, they sign the audit off as having passed.
So let's be clear here: you could be guilty of gross incompetence, abject illegality, and you can call in a company like PwC, you can ask them to help you make everything legal for as long as it takes, then at the end of it they sign off as "audit passed". That is, they're not auditing the company that made the mistake; they're auditing the company for which they spent weeks, or even months, plastering over the mistake.
You could argue this is sufficient in itself, because at least the company being audited has made up for its mistakes. But again, we're talking about what is sometimes absolute illegality here, in some cases, with some companies. If companies are allowed to cover that up with no transparency over how bad things were and what went wrong, and no legal punishment for something that by law should have legal punishment such as a fine, or even penalties against execs, then there's absolutely zero incentive for companies to ever improve, so once the auditors have gone, odds are they'll just slip back into their ways if it's financially beneficial to do so. In our case, for example, it was "good job everyone in passing the audit", when in reality it should've been "analysts, you need to improve your processes and start ensuring your calculations are accompanied with mathematical proofs where appropriate and sufficient test cases to allow automated validation and regression testing".
What PwC offers isn't an audit per se, it's a cover-up service; no one should be surprised when a paid cover-up service declares everything a-ok.
Honestly, given that PwC is also the prime culprit for "tax efficiency", which too many times has turned out to actually be outright tax evasion rather than just avoidance, this company should be shut down. Its entire existence is built around supporting corporate criminality. It's not the only one, but it's definitely the most prominent one.