Facebook has to give the state information on possible privacy-invading apps it found after Cambridge Analytica scandal, court rules

The Supreme Judicial Court ruled today that Facebook has to comply with requests from the Massachusetts Attorney General's office on specific applications and companies that may have sucked out more personal information from user than they should have - but also said a judge will have to review hundreds, if not thousands, of documents to make sure none of the information could reveal any of the discussions by Facebook employees and lawyers on how to collect the data.

Maura Healey's office began an investigation in 2019 into the privacy implications of all the apps Facebook had banned for sucking down personal data from Facebook in the wake of the Cambridge Analytica scandal and, after Facebook had turned numerous documents related to its own internal probe, sought more specific information on roughly 6,000 apps that Facebook had banned, along with internal communications on how Facebook had decided to ban those specific apps.

Facebook had argued that all the information sought by the AG's office was "work product," or information developed by its lawyers in preparation for litigation, which companies don't have to turn over to prosecutors.

But the state's highest court ruled there's factual work product and opinion work product and that facts, such as the names and details of the suspicious apps Facebook found in combing through millions of them, are not covered by the work-product prohibition. That goes double for an investigation that Facebook itself discussed prominently and repeatedly in public, up to congressional testimony by Mark Zuckerberg himself.

Also, the state proved it would be impossible to uncover the details of those apps and the companies that built them and so met the "substantial need" and "undue hardship" legal conditions to get the information, the court continued.

The app information is certainly relevant and important; it is central to the Attorney General's investigation, as it identifies apps that may have misused user data on the prior version of the Platform. ... The Attorney General has a mandate to investigate such potential misuse of Massachusetts users' data as well as potential misrepresentations by Facebook, and considerable authority with which to do so. ...

This is not a case where the internal investigation involved simply interviewing key employees and other witnesses or reviewing a manageable number of documents, tasks that can be easily replicated by third parties or government investigators. ... Rather, it is an enormously complex effort in which counsel and [Facebook's own investigation] team analyzed millions of apps and enormous amounts of data. This analysis was also enabled in large part by Facebook's prior expertise in developing and policing the Platform. Facebook is not only in a far better position than the Attorney General, but also essentially uniquely positioned to identify which apps potentially misused user data. Therefore, we are persuaded that the Attorney General would be unable to otherwise obtain the substantial equivalent of the factual app information, even with an extraordinary expenditure of time and resources. ...

There is no other way for the Attorney General to try to obtain this information other than to essentially recreate and duplicate the work of [Facebook's internal investigation]. ... To seek to obtain the app information, therefore, the Attorney General would have to expend an exorbitant amount of public resources and conduct a multi year investigation to obtain information that Facebook already has in its possession. Such effort and expense is sufficient to demonstrate undue hardship.

At the same time, however, the court continued that the way data is collected or presented could reveal the thinking that went into the investigation - which would be covered under the bar against releasing information that could reveal one side's thinking in preparing for potential litigation.

For example, the court said Facebook fully answering one of six specific questions posed by the AG's office - to identify apps that based on the company's "past investigative experience" might be suspicious - could reveal hints of the company's and its attorneys' legal thinking.

This reference to past investigatory experience and evaluation of elevated risk of violations appears to seek to reveal undisclosed aspects of the ADI process that may divulge counsel's investigatory practices, legal risk assessment, and other thought processes and impressions. This is quite different from some of the more straightforward factual requests, seeking for example the names and details concerning the 6,000 apps that Facebook has targeted for having a large number of users or the groups of apps that were reported to Facebook outside the [company investigation] process.

The court added that another one of the specific questions posed by Healey's office was particularly troublesome in the whole "facts" consideration, because it asked for "internal communications about the apps," which might include opinions and thoughts by both Facebook employees and the company's lawyers, which would be covered by attorney/client privilege.

So the court sent the whole case back to Superior Court Judge Brian Davis to wade through all the data sought by the state to determine what could be released and to go through a "privilege log" of the specific communications sought in the internal-communications request to determine which ones Facebook would have to hand over to the state.