Facebook can’t explicitly guarantee how data gathered about its users is re-purposed and processed because of how intertwined data has become over the years, a leaked internal document shows.

“We do not have an adequate level of control and explainability over how our systems use data,” reads the executive summary of a Facebook document published in full by Vice Motherboard.

“Thus we can’t confidently make controlled policy changes or external commitment such as ‘we will not use X data for Y purpose’.

“And yet, this is exactly what regulators expect us to do, increasing our risk of mistakes and misrepresentation.”

The document was written in 2021 and is a warning that Facebook’s existing data governance could be a threat for the company in the face of stricter regulatory scrutiny around data.

Specifically, the document’s authors lament Facebook’s lack of “closed form systems” for data infrastructure.

These are systems in which all data types, uses, and outputs “can be enumerated and controlled” – a fundamentally useful infrastructure feature, the authors note, because: “if we can’t enumerate all the data we have – where it is; where it goes; how it’s used – then how can we make commitments about it to the outside world?”

It seems Facebook can’t make these commitments to regulators, their customers, and the general public about what personal information about them is being used for because Facebook’s systems have been built “with open borders,” the document states, which makes it impossible to bring data to heel in the way regulators are increasingly calling for.

“Imagine you hold a bottle of ink in your hand,” the document’s authors write.

“This bottle of ink is a mixture of all kinds of user data (3PD [third party], 1PD [first party], SCD [sensitive categories data], Europe, etc.)

“You pour that ink into a lake of water (our open data systems; our open culture) … and it flows … everywhere.

“How do you put that ink back in the bottle? How do you organise it again, such that it only flows to the allowed places in the lake?”

In an emailed statement to Information Age a spokesperson for Facebook parent company Meta disagreed with the lake analogy as a characterisation of Meta's inability to conform to data regulations.

“This analogy lacks the context that we do, in fact, have extensive processes and controls to manage data and comply with privacy regulations,” the spokesperson said.

“Considering this document does not describe our extensive processes and controls to comply with privacy regulations, it's simply inaccurate to conclude that it demonstrates non-compliance.

“New privacy regulations across the globe introduce different requirements and this document reflects the technical solutions we’re building to scale the current measures we have in place to manage data and meet our obligations.”

Regulations like the EU’s General Data Protection Regulation (GDPR) require Facebook to only use and process data for the specific purpose for which it was collected.

Facebook has been assuming that it could solve this problem by granularly annotating user data with persistent policies that would follow the data as it is processed across different systems.

But the engineers behind the leaked document don’t think this data policy framework will go far enough to meet regulatory expectations and proposed building a single choke point for data moving into Facebook products’ Ads systems.