Mashable: Facebook has always been embroiled in privacy debates, owing to the company's explicit business model of selling user data. However, a newly leaked document suggests that the situation there may be far worse than we assumed. According to a leaked internal report to Motherboard(VICE), Facebook is reportedly unable to account for much of the personal data it owns, including what it is used for and where it is located.

The report was written last year by Facebook's Ad and Business Product privacy engineers for company executives. It explained how Facebook could deal with new privacy laws in India, South Africa, and other countries. In their report, the authors described a platform that was often unaware of its 1.9 billion users' personal data.

They projected that Facebook would struggle to make guarantees to governments about how it would treat the personal data of its inhabitants. Because we lack control and explanation over how our systems use data, we cannot reliably make controlled policy changes or external pledges such as "we will not use [X] data for Y purpose," noted the report's authors. However, regulators require us to do so, which increases the likelihood of errors and misrepresentation.

The lack of "closed-form" solutions appears to be the key issue, according to the paper. Open borders mean the company's data systems allow for the mixing of data from first-party users, third-party data, and sensitive data. The report's writers came up with the following analogy to depict the difficulties of finding specific Facebook data: to put it back in the bottle.

“This bottle of ink is a mixture of all kinds of user data (3PD, 1PD, SCD, Europe, etc.) You pour that ink into a lake of water (our open data systems; our open culture) … and it flows … everywhere. How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?”

Motherboard spoke to a former Facebook employee who described the company's internal data flow as "broadly speaking, a complete shitshow."

It used to be possible for Facebook to address new privacy regulations one at a time—like the EU's GDPR(General Data Protection Regulation) and the California Consumer Privacy Act—without having to deal with all of them at once, according to the authors. Data protection laws from countries around the world, such as India, Thailand, South Africa, and South Korea were introduced in subsequent years.

However, it questions whether Facebook is ready to withstand the "tsunami" of new laws that place similar restrictions on its services, as suggested by the document. One of the company's representatives disputed to Motherboard that the company does not now comply with privacy rules.

"Considering that this document does not describe our extensive processes and controls to comply with privacy regulations, it's simply inaccurate to conclude that it demonstrates non-compliance," the spokesperson told Motherboard. It's important to note that new privacy regulations around the world have brought with them a variety of new requirements, and this document shows how we're working to meet those obligations through new technology.