Facebook has reached a settlement with the Federal Trade Commission over charges of deceptive behavior when it changed its privacy settings.
Facebook and the Federal Trade Commission have reached a
settlement over charges the social networking giant engaged in deceptive
behavior when it changed its users' privacy settings without permission.
The FTC settlement
bars the social networking site from making any "further deceptive privacy
claims" and requires Facebook to get explicit approval from users before
changing how data is shared, the FTC announced Nov. 29. Facebook must provide
"clear and prominent notice" before data is shared, and establish a
comprehensive privacy program that is subject to a third-party audit within 180
days and every two years for the next 20 years. While Facebook doesn't have to
pay any penalities at the moment, it faces fines of up to $16,000 per day for
violating the terms, going forward.
This means users are likely to see more announcements and
notifications from Facebook regarding privacy issues. The settlement also
requires Facebook to offer all changes that could potentially override existing
settings as an opt-in decision. This is a dramatic departure for a company that
has long been accused of requiring users to opt-out to maintain their privacy.
"Facebook is obligated to keep the promises about
privacy that it makes to its hundreds of millions of users," said FTC
Chairman Jon Leibowitz.
The FTC voted to accept the proposed settlement
in a 4-0
vote. The agreement is subject to public comment for 30 days, after which the
commission would vote to finalize the settlement. The settlement is also a
"consent agreement" and does not "constitute an admission by the
respondent that the law has been violated," according to the FTC.
Most of the concerns presented to the FTC in this inquiry have long
since been resolved satisfactorily, acording to Daniel Castro, senior
analyst at the Information Technology and Innovation Foundation.
"Rather than impose heavy-handed regulations or engage in expensive and
unproductive litigation, policymakers should continue to work in
partnership with the private sector to balance privacy with
innovation," Castro said.
The FTC charged Facebook after investigating the company in
response to a complaint filed by the Electronic Privacy Information Center
(EPIC), a Washington-based advocacy group on Dec. 17, 2009. Facebook had
changed its default privacy settings in order to provide users with a
"simpler model for privacy control," Mark Zuckerberg, Facebook
founder and CEO, said at the time. However, EPIC alleged in its complaint that
consumers were harmed when it turned out the changes had resulted Facebook's disclosing
"personal information to third parties that was previously not available," such
as making accessible the profiles of users who had deactivated or deleted their
Privacy advocates have long insisted that consumer privacy was at
risk because companies could change their privacy policies "at a whim,"
according to Berin Szoka, president of advocacy group TechFreedom. The
settlement "makes clear that changes to what a company may do with
information already collected require informed user consent," Szoka
The FTC listed eight instances where Facebook did opposite
of what it promised, such as claiming that it wouldn't share personal
information with advertisers or with third-party developers and not retaining
data that users had deleted. Facebook also allowed third-party applications to
see data that users had shared only with friends. The FTC charged Facebook with
not complying with the U.S.-European Union Safe Harbor framework on privacy.
Under the new settlement, Facebook is now required to make
all content from a deleted account inaccessible 30 days after the user deletes
the account, unlike the current situation where some data can still live on.
Facebook has already addressed some of these complaints, Zuckerberg
in a blog post posted on Nov. 29 following the FTC announcement. The
company has made a "bunch of mistakes" around user privacy, and since
then has rectified those mistakes, such as canceling its Verified Apps program which
claimed to verify the security of certain apps, and fixing the problem that
gave advertisers access to users' ID numbers, which resulted in user
information being shared with third-parties.
"I think that a small number of high profile mistakes,
like Beacon four years ago and poor execution as we transitioned our privacy
model two years ago, have often overshadowed much of the good work we've
done," Zuckerberg wrote. Beacon was a program in which Facebook users'
Internet activities were shared with friends.
Zuckerberg also announced that Facebook will be adding two
new executives to oversee privacy. Erin Egan has been named chief privacy
officer of policy and Michael Richter, the current lead privacy counsel, has
been promoted to chief privacy officer of products.
Overall, Facebook has a "good history of providing
transparency and control over who can see your information," Zuckerberg
said, adding, "we have led the Internet in building tools to give people
the ability to see and control what they share."
The new privacy officers weren't enough for Jeff Chester, excutive
director at the Center for Digital Democracy. "We call on Mark
Zuckerberg and the Facebook board of directors to accept responsibility
for this breach of conduct. They should resign and be replaced by
officials that have strong pro-privacy credentials," Chester said.
Google agreed to similar audits in March, when it settled FTC
charges of falsely representing how it would use personal information as part
of now-dead Buzz micro-blogging site