Facebook faced new calls for regulation from within U.S. Congress and was hit with questions about personal data safeguards on Saturday after reports a political consultant gained inappropriate access to 50 million users' data starting in 2014.
Facebook disclosed the issue in a blog post on Friday, hours before media reports that conservative-leaning Cambridge Analytica, a data company known for its work on Donald Trump's 2016 presidential campaign, was given access to the data and may not have deleted it.
The social media giant said on Sunday it would conduct a "comprehensive internal and external review" to determine if the personal data of 50 million users that was reported to be misused by a political consultant still existed.
The scrutiny presented a new threat to Facebook's reputation, which was already under attack over Russians' alleged use of Facebook tools to sway American voters before and after the 2016 U.S. elections.
"It's clear these platforms can't police themselves," Democratic U.S. Senator Amy Klobuchar tweeted.
"They say 'trust us.' Mark Zuckerberg needs to testify before Senate Judiciary," she added, referring to Facebook's CEO and a committee she sits on.
Facebook said the root of the problem was that researchers and Cambridge Analytica lied to it and abused its policies, but critics on Saturday threw blame at Facebook as well, demanding answers on behalf of users and calling for new regulation.
Facebook insisted the data was misused but not stolen, because users gave permission, sparking a debate about what constitutes a hack that must be disclosed to customers.
"The lid is being opened on the black box of Facebook's data practices, and the picture is not pretty," said Frank Pasquale, a University of Maryland law professor who has written about Silicon Valley's use of data.
Pasquale said Facebook's response that data had not technically been stolen seemed to obfuscate the central issue that data was apparently used in a way contrary to the expectations of users.
"It amazes me that they are trying to make this about nomenclature. I guess that's all they have left," he said.
Democratic U.S. Senator Mark Warner said the episode bolstered the need for new regulations about internet advertising, describing the industry as the "Wild West."
"Whether it's allowing Russians to purchase political ads, or extensive micro-targeting based on ill-gotten user data, it's clear that, left unregulated, this market will continue to be prone to deception and lacking in transparency," he said.
With Republicans controlling the Senate's majority, though, it was not clear if Klobuchar and Warner would prevail.
The New York Times and London's Observer reported on Saturday that private information from more than 50 million Facebook users improperly ended up in the hands of Cambridge Analytica, and the information has not been deleted despite Facebook's demands beginning in 2015.
Some 270,000 people allowed use of their data by a researcher, who scraped the data of all their friends as well, a move allowed by Facebook until 2015. The researcher sold the data to Cambridge, which was against Facebook rules, the newspapers said.
Cambridge Analytica worked on Trump's 2016 campaign. A Trump campaign official said, though, that it used Republican data sources, not Cambridge Analytica, for its voter information.
Facebook, in a series of written statements beginning late on Friday, said its policies had been broken by Cambridge Analytica and researchers and that it was exploring legal action.
Cambridge Analytica in turn said it had deleted all the data and that the company supplying it had been responsible for obtaining it.
Andrew Bosworth, a Facebook vice president, hinted the company could make more changes to demonstrate it values privacy. "We must do better and will," he wrote on Twitter, adding that "our business depends on it at every level."
Facebook said it asked for the data to be deleted in 2015 and then relied on written certifications by those involved that they had complied.
Nuala O'Connor, president of the Center for Democracy & Technology, an advocacy group in Washington, D.C., said Facebook was relying on the good will of decent people rather than preparing for intentional misuse.
Moreover, she found it puzzling that Facebook knew about the abuse in 2015 but did not disclose it until Friday.
"That's a long time," she said.
Britain's data protection authority and the Massachusetts attorney general on Saturday said they were launching investigations into the use of Facebook data.
"It is important that the public are fully aware of how information is used and shared in modern political campaigns and the potential impact on their privacy," UK Information Commissioner Elizabeth Denham said in a statement.
Massachusetts Attorney General Maura Healey's office said she wants to understand how the data was used, what policies if any were violated and what the legal implications are.
Reporting by David Ingram; Editing by Peter Henderson and Chris Reese.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.