Facebook privacy engineers warn that the company would have a hard time committing to privacy laws as it largely has no idea how its system uses the data it collects.
As global regulators begin to crack down on how companies collect and handle user data, many are now figuring out how to operate under more restrictive policies. Facebook, however, will have a much harder time than most. As it turns out, the company can't actually tell where its user data comes from or where the data is stored.
A leaked internal document, seen by Engadget, sheds some light on the situation.
Facebook privacy engineers wrote that the company has no real way to keep track of the data it collects. Instead, the social media platform's "open border" systems gather and consolidate user data from a wide range of first- and third-party sources.
Once the data is consolidated, there is no way to tell whether or not it came explicitly from Facebook. The report goes on to state that this would make committing to policy changes nearly impossible.
"We do not have an adequate level of control and explainability over how our systems use data, and thus we can't confidently make controlled policy changes or external commitments such as 'we will not use X data for Y purpose.' And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation."
The company's privacy team has submitted a plan to annotate data with Purpose Policy Framework (PPF) -- that is to say, tag it as being created on Facebook -- to keep track of first-party data.
To do so, the company will need to funnel "tens-of-thousands" of uncontrolled data ingestion points into a "choke point." Once in the choke point, the data will be annotated with PPF policy, allowing Facebook to accurately track the user data it would be responsible for.
In August, Facebook announced that it would be pivoting toward "privacy-enhancing" technology for creating targeted advertising. Allegedly, the company was working to create a system that delivers personalized ads without needing data about individual users.