Illustration: Rebecca Zisser/Axios
This year Facebook made a habit of waiting to disclose privacy issues to the public or, after damaging stories broke, failing to get ahead of questions it would inevitably face.
Why it matters: Experts advise institutions facing public crises to respond fully and fast, make potentially damaging revelations all at once, and avoid drip-drip-drip scenarios that erode credibility. Facebook has often taken the opposite path, multiplying the damage its controversies have dealt to its reputation and its business.
- The latest instance came Friday, when the company revealed a bug exposing unposted photos of millions of users — one that it had identified and fixed back in September.
- The Cambridge Analytica scandal in March: The data leak linked to Cambridge Analytica happened in 2015, but wasn't made public until last spring, when reporters at newspapers on both sides of the Atlantic found out about it. The company then went silent for days, allowing the crisis to fester.
- The opposition research scandal in November: Last month news broke that a right-leaning consulting firm employed by Facebook had pitched opposition research trying to tie Facebook's critics to the liberal billionaire George Soros — but it was another week before Facebook disclosed key details. That included the fact that COO Sheryl Sandberg had received emails that mentioned the consulting firms, despite her initially saying she wasn't aware of the firm's hiring.
Be smart: A sweeping new privacy law in Europe has been forcing Facebook to be more forthcoming about privacy-related scandals.
- Facebook reported the latest incident, made public on Friday, to Ireland's data protection regulator on November 22, once the company realized the breach met a reporting threshold in European privacy law.
Yes, but: Facebook says it waited more than three weeks to tell the public, citing the work it took to notify users of the incident and translate notifications into different languages.
- In the past, the company has also cited work with law enforcement as a reason for delays in disclosing information surrounding breaches and leaks.
- "We notified the IDPC as soon as we established it was considered a reportable breach under GDPR," said a spokesperson for Facebook. "We had to investigate in order to make that conclusion. And once we did, we let our regulator know within the 72-hour timeframe."
The company's critics have highlighted Facebook's attempts to avoid public scrutiny — and its tactic of releasing bad news late on Fridays or holidays.
The bottom line: Facebook's halting responses to crisis or controversy have been a defining quality of the company this year, and have often made bad situations worse.