‘You can't leave companies to police themselves’: Lessons from Facebook's civil rights audit

Before the Facebook Papers, Facebook's audit made the case for transparency.

Facebook logo

A new report released Wednesday lays out how companies can successfully conduct their own civil rights audit.

Photo: Kirill Kudryavtsev/AFP via Getty Images

Before Frances Haugen, before the Facebook Papers, before The Wall Street Journal's Facebook Files, Facebook had a chance to correct some of its algorithmic bias issues through an internal "civil rights audit" that concluded last year. According to people who contributed to the audit at the time, the company's response fell short.

That audit was conducted by Laura W. Murphy, a former director at the ACLU who has experience running similar audits for companies like Airbnb and Starbucks.

Murphy worked with Facebook for two years, collecting data from users, executives and employees, interviewing over a hundred civil rights organizations and ultimately putting out an 89-page audit that did not hold back in its indictment of the company's handling of everything from discriminatory ads to hate speech.

Today, Murphy released a new report in collaboration with The Leadership Conference on Civil and Human Rights and The Ford Foundation on how other companies can successfully conduct their own civil rights audit. She spoke with Protocol about general best practices and her response to the whistleblower allegations against Facebook, as well as how other companies could make good faith efforts at internal reform — before the dam bursts.

Facebook needs "more controls over content," and it needs to "invest more in human review," said Murphy, who recommended that the company invest in more resources to study and address hate. She said the company didn't go far enough toward moderating content, but she also acknowledged that the platform will always require algorithms as part of content moderation simply due to its sheer size. "I don't know what the solution is," she said.

The most important thing when conducting an audit like this, Murphy cautioned, is that there must be buy-in from senior leadership, pointing to Sheryl Sandberg's support for the Facebook audit.

But according to some who worked with Murphy on the audit at the time, one key person was not supportive, and it was the one person who mattered most: Zuckerberg. "Facebook answers to one person, and I don't think that one person bought in," said David Brody, senior counsel and senior fellow for privacy and technology at the Lawyers' Committee for Civil Rights Under Law, an organization that Murphy consulted with during the two-year audit process.

Still, Murphy believes that the reforms Facebook made on the recommendation of her audit were significant. She points to the company's historic settlement of civil rights lawsuits challenging its advertising policies as well as the formation of a civil rights task force. But in Brody's estimation, Facebook likely would have reached that settlement anyway, with or without the audit's recommendation. "The plaintiffs' claims were very strong," he pointed out.

In a statement to Protocol, Facebook's vice president of civil rights and deputy general counsel, Roy L. Austin, Jr., wrote: "To my knowledge, Facebook is the only company in the world to hire a Vice President of Civil Rights…There are no quick fixes to the issues and recommendations the auditors surfaced. Becoming a better company requires a deep analysis of how we can strengthen and advance civil rights at every level of our company, and we remain committed to doing that industry-leading work."

According to Galen Sherwin, senior staff attorney at the ACLU, which was involved in litigating the ad cases against Facebook, civil rights audits are "necessary but not sufficient." Yes, companies ought to be looking at equity concerns, but ongoing issues like the ones Facebook is experiencing reveal that "you can't leave companies to police themselves." The answer instead lies in legislation and litigation.

In the case of Facebook, while the audit was an additional pressure point, the automated ad delivery systems that Murphy called attention to "were not resolved," said Sherwin, pointing to studies that have shown that the platform continues to deliver ads in a manner that's racially discriminatory.

Ultimately, there is no enforcement mechanism compelling companies to take forceful action — particularly actions that are potentially damaging to the bottom line — post-audit. Yet, Murphy is still bullish on the merits of civil rights audits, and the nearly 40-page report she authored lays out specific ways other companies can conduct one themselves.

She called on more companies to join Facebook, Starbucks and Airbnb in conducting this type of audit, specifically the companies that members of Congress have called on, which include Amazon, Google and Twitter. Brody also cited YouTube specifically as a company that could benefit from a civil rights audit due to its issues with election and COVID-19 disinformation, as well as Uber for its practices that "skirt around labor protections" for drivers.

"The problems are going to be there whether you find them or not," said Brody, who views audits as a valuable tool for advocates when the cost of litigation is prohibitive, and valuable for companies when conducting an audit helps them "avoid a bigger hammer coming down from somewhere else."

Companies that undergo a civil rights audit should do so with full awareness of what it requires. Organizations need leadership buy-in. They need to bring in an independent auditor with civil rights expertise and existing relationships with stakeholder organizations. They need to be prepared to disclose sensitive data and information to that auditor, and they need to be prepared to disclose the results of the audit publicly, according to Murphy and others who have gone through the process. Most importantly, they need to be prepared to reckon with what they uncover, even if it's painful.

Companies that have gone through the audit process have advice too. "Understand that it's a long-term process," and be prepared to continue to reform on the audit's recommendations long after it's completed, said Clark Stevens, director of stakeholder initiatives at Airbnb, which completed its audit with Murphy in 2019. In other words, companies should go in with their eyes wide open.


We’ll be here again: How tech companies fail to prevent terrorism

Social media platforms are playing defense to stop mass shootings. Without cooperation and legislation, it’s not working.

The Buffalo attack showed that tech’s best defenses against online hate aren’t sophisticated enough to fight the algorithms designed by those same companies to promote content.

Photo: Kent Nishimura / Los Angeles Times via Getty Images

Tech platforms' patchwork approach to content moderation has made them a hotbed for hate speech that can turn deadly, as it did this weekend in Buffalo. The alleged shooter that killed 10 in a historically Black neighborhood used Discord to plan his rampage for months and livestreamed it on Twitch.

The move mirrors what happened in Christchurch, New Zealand, when a white supremacist murdered 51 people in a mosque in 2019. He viewed the killings as a meme. To disseminate that meme, he turned to the same place more than 1 billion other users do: Facebook. This pattern is destined to repeat itself as long as tech companies continue to play defense instead of offense against online hate and fail to work together.

Keep Reading Show less
Sarah Roach

Sarah Roach is a news writer at Protocol (@sarahroach_) and contributes to Source Code. She is a recent graduate of George Washington University, where she studied journalism and mass communication and criminal justice. She previously worked for two years as editor in chief of her school's independent newspaper, The GW Hatchet.

Sponsored Content

Foursquare data story: leveraging location data for site selection

We take a closer look at points of interest and foot traffic patterns to demonstrate how location data can be leveraged to inform better site selecti­on strategies.

Imagine: You’re the leader of a real estate team at a restaurant brand looking to open a new location in Manhattan. You have two options you’re evaluating: one site in SoHo, and another site in the Flatiron neighborhood. Which do you choose?

Keep Reading Show less

SAP’s leadership vacuum on display with Hasso Plattner’s last stand

Conflict of interest questions, blowback to the Ukraine response and a sinking stock price hang in the backdrop of Plattner’s last election to the SAP supervisory board.

Plattner will run for a final two-year transition term atop SAP’s supervisory board.

Photo: Soeren Stache/picture alliance via Getty Images

Just one man has been with SAP over its entire 50-year history: co-founder Hasso Plattner. Now, the 78-year-old software visionary is making his last stand.

On Wednesday, Plattner will run for a final two-year transition term atop SAP’s supervisory board, an entity mandated by law in Germany that basically oversees the executive team. Leaders at SAP, for example, report to the supervisory board, not the CEO.

Keep Reading Show less
Joe Williams

Joe Williams is a writer-at-large at Protocol. He previously covered enterprise software for Protocol, Bloomberg and Business Insider. Joe can be reached at To share information confidentially, he can also be contacted on a non-work device via Signal (+1-309-265-6120) or


Why Google Cloud is providing security for AWS and Azure users too

“To just focus on Google Cloud, we wouldn't be serving our customers,” Google Cloud security chief Phil Venables told Protocol.

Google Cloud announced the newest addition to its menu of security offerings.

Photo: G/Unsplash

In August, Google Cloud pledged to invest $10 billion over five years in cybersecurity — a target that looks like it will be easily achieved, thanks to the $5.4 billion deal to acquire Mandiant and reported $500 million acquisition of Siemplify in the first few months of 2022 alone.

But the moves raise questions about Google Cloud’s main goal for its security operation. Does Google want to offer the most secure cloud platform in order to inspire more businesses to run on it — or build a major enterprise cybersecurity products and services business, in whatever environment it’s chosen?

Keep Reading Show less
Kyle Alspach

Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at


The tools that make you pay for not getting stuff done

Some tools let you put your money on the line for productivity. Should you bite?

Commitment contracts are popular in a niche corner of the internet, and the tools have built up loyal followings of people who find the extra motivation effective.

Photoillustration: Anna Shvets/Pexels; Protocol

Danny Reeves, CEO and co-founder of Beeminder, is used to defending his product.

“When people first hear about it, they’re kind of appalled,” Reeves said. “Making money off of people’s failure is how they view it.”

Keep Reading Show less
Lizzy Lawrence

Lizzy Lawrence ( @LizzyLaw_) is a reporter at Protocol, covering tools and productivity in the workplace. She's a recent graduate of the University of Michigan, where she studied sociology and international studies. She served as editor in chief of The Michigan Daily, her school's independent newspaper. She's based in D.C., and can be reached at

Latest Stories