After Facebook went public in 2012, the company was praised for its honesty about the risks facing potential investors. When any corporation makes an initial public filing with the Securities and Exchange Commission (SEC), it is required by law to disclose all the known risks to shareholders. But Facebook, it seemed, had gone above and beyond.
“Facebook,” a group of lawyers wrote in Bloomberg, “has set the bar for … disclosures in the areas of cybersecurity and privacy risks.”
However, after whistleblower Edward Snowden leaked the National Security Agency’s controversial Internet surveillance program last month, it became clear there was one significant risk the company didn’t disclose: its participation in PRISM, the NSA operation that secretly gathers Americans’ emails, photos, messages and videos from major Silicon Valley technology companies.
Which raises the question: Is Facebook legally accountable to its investors for the deception?
Under the Securities Act of 1933, public companies are required to file a Registration Statement disclosing vital facts about the company—including performance, executive compensation, and business risks—so investors know what they are buying into. The rule for disclosures is this: “[P]rovide under the caption ‘Risk Factors’ a discussion of the most significant factors that make the offering speculative or risky. … Explain how the risk affects the issuer or the securities being offered.”
In the “Risk Factors” section of Facebook’s initial filing with the SEC, the company warned investors, “if people do not perceive our products to be useful, reliable, and trustworthy, we may not be able to attract or retain users or otherwise maintain … their engagement.”
Certainly, this is true. Since Facebook’s participation in PRISM was revealed in early June, its stock has traded at a significantly lower value than in the previous months. Of course, one can’t say for sure that the NSA leak is to blame. The company’s stock had been on the decline for weeks beforehand. But a month out, the lack of recovery is worth noting.
For a corporation relying on its customers’ faith that their personal information will be protected, there is good reason to believe the revelations about NSA surveillance—the extent of which has still yet to be disclosed—were bad for business. That is, bad for shareholders.
To be fair, Facebook’s hands were tied. Legally, the company couldn’t disclose that it was participating in PRISM (which it claims not to have known by name before the Snowden leak). Facebook was under a gag order by the Foreign Intelligence Surveillance Court that issued the secret warrants for user data. The closest the company came in its initial filing with the SEC to acknowledging its compliance with PRISM was to warn investors of “developments in new legislation and pending lawsuits or regulatory actions, including interim or final rulings by judicial or regulatory bodies; and other events or factors, including those resulting from war or incidents of terrorism, or responses to these events.”
This all presents something of a legal gray area for the company. Does this mention of “judicial bodies” and “responses” to “terrorism”—made necessarily vague in compliance with the FISC gag order—adequately satisfy the SEC’s requirements for disclosure? Certainly, it doesn’t satisfy the spirit of the regulation, which is to protect investors from purchasing stocks with hidden risk. “Facebook feels caught,” said David Fidler, a law professor at Indiana University. “They have to provide this information.”
“It’s not clear that they could have been more transparent,” said University of Southern California law professor Jack Lerner. “On the one hand, one could think they were covered by the disclosure. The question is about the sheer volume that they were turning over.”
At this point, Facebook has disclosed that it has received about 10,000 U.S. government requests for user data on more than 18,000 accounts in the second half of 2012 alone (though this includes requests from law enforcement outside of the FISC). How many it complied with isn’t known. “Given the massive scope,” Lerner said, “it might be an area for litigation.”
Companies that manage Americans’ private communications have always found themselves on precarious legal footing when complying with NSA requests. Throughout the Cold War, the country’s major telegraph companies all participated in a secret surveillance operation called SHAMROCK, which gave the NSA access to telegrams sent to and from the United States. The companies battled for decades for explicit legal protection but never received more than under-the-table assurances from the White House that they wouldn’t be prosecuted. More recently, telephone companies like AT&T have participated in metadata collection programs requiring them to turn over call logs of millions of Americans. When their participation was leaked to the public in 2006, the American Civil Liberties Union sued them for disclosing private information in “collusion with the NSA.”
The basis for the ACLU lawsuit, and all similar litigation, dates back to the Communications Act of 1934, which prohibits telecom companies from disclosing their customers’ private communications. Such protections were bolstered in 1967, when the Supreme Court ruled that the Fourth Amendment—which protects against unreasonable search and seizure—did apply to telecommunications (though it did not address issues of national security).
“The companies were between a rock and a hard place,” Fidler said. It was only with a 2008 amendment to the Foreign Intelligence Surveillance Act, which had created and empowered the FISC in 1978, that companies were finally given retroactive immunity from prosecution for helping intelligence-gathering operations. After the amendment was enacted, the ACLU’s case against AT&T was dismissed.
With Facebook, however, the question is not about the act of disclosing information or complying with government requests for data. In that sense the company is covered by the FISA 2008 amendment. But as Lerner put it, “should they have said that they complied a lot?” Did investors have a legal right to know that large amounts of customer data presumed private were in fact not?
According to the Guardian, some 850,000 NSA employees and U.S. private contractors had access to information obtained by the PRISM program. The U.S. Census Bureau estimated that in 2012, 197 million citizens were of working age. By an admittedly rough calculation, that means almost one in 200 adults in the country have access to PRISM data presumed private by Facebook consumers and investors.
Ultimately, Fidler said Facebook is likely still protected by the FISA amendment. “I read it as immunity under securities law,” he said. Similarly, Lerner called the chance of a successful prosecution “remote.” In addition, it may be the case that Facebook negotiated an explicit deal for immunity from the Securities Act before the company went public. According to Donald Langevoort, a law professor at Georgetown University, “there is a long history of SEC negotiations with the Department of Defense and State over national security issues, so this is by no means novel.” Facebook did not respond to a request for comment on whether such a deal was struck.
In the end, whether Facebook or any other Silicon Valley company will ever find itself in legal trouble over its compliance with PRISM is almost beside the point. The legal ambiguities under which they are forced to operate betray a fundamental way in which they are at odds with the U.S. government. “The companies have business interests the NSA doesn’t have,” Fidler said.
There is a reason, after all, that the SEC created the mandatory disclosure of certain risk factors. The risk factors reflect the best interest of investors. And PRISM runs counter to those interests.
Illustration by Fernando Alfonso III