Proposed Facebook Privacy Complaint Settlement Under FTC Review

The Federal Trade Commission has proposed a settlement with Facebook over claims that the site violated user privacy when it changed default privacy settings without warning.

Under a proposed 20-year settlement, Facebook would be required to obtain express consent from users before sharing material that was posted under earlier terms, The Wall Street Journal reported.

The U.S. Federal Trade Commission has proposed a 20-year settlement with Facebook over charges that the social networking giant changed default user settings that resulted in more information being disclosed than was previously public, a source told The Wall Street Journal on Nov. 10. The source declined to be identified because the settlement hasn't been finalized.

The proposed settlement would require Facebook to get consent to share the pieces of data if it is different from how the user originally agreed the data could be used, when it was initially posted. The settlement would not cover new features or how consent is obtained for those features. It's not clear whether there will be any monetary damages.

According to the WSJ report, if the settlement is approved, Facebook will also be subject to an annual, independent review of the site's privacy practices. The FTC and Facebook did not comment.

The FTC began investigating Facebook after the Electronic Privacy Information Center (EPIC), a Washington-based advocacy group, filed a complaint Dec. 17, 2009. The complaint alleged consumers were harmed when Facebook changed its default privacy settings and requested that the site be required to give users "meaningful control over personal information." Nine other consumer advocacy groups, including the American Library Association, Consumer Federation of America and The Privacy Rights Clearinghouse, signed the complaint.

The complaint included changes in Facebook settings in November and December 2009 that encouraged users to reveal their names, profile photos, lists of friends, pages they are fans of, gender, geographic regions and networks to which they belong. The FTC should compel Facebook to allow users to choose whether to disclose personal information and to choose whether to fully opt out of revealing information to third-party developers, according to the EPIC complaint.

At the time of the change, Facebook founder and CEO Mark Zuckerberg said the changes were a "simpler model for privacy control."

Facebook has long been criticized for its privacy practices, where it changed settings without warning, and its byzantine maze of privacy controls. It has made some attempts recently to improve site privacy, such as making privacy controls more prominent on a user's profile page and letting users directly control just who can see each post.

However, the site is also under investigation in the European Union for possible privacy rule violations over the use of personal data and has clashed with German authorities repeatedly.

Facebook isn't the only social networking site with privacy issues, "but it gets the most attention because it's the largest," Charles Pfleeger, a security consultant at Pfleeger Consulting, said at a security conference in New York City Nov. 10.

Online services and companies are developing tools that allow them to observe user behavior online and target advertisements and customize user experience. The FTC has signaled that privacy is a priority and has recently increased its enforcement of privacy requirements against online companies.

The federal regulatory body has already settled with Google and Twitter this year. Google agreed to a similar settlement to pay $8.5 million into an independent fund and develop a "comprehensive privacy program" that it will submit to independent review every other year. The FTC had accused Google of telling Gmail users the information would only be used for email, but then using it as part of Buzz, its short-lived microblogging service.

Twitter has also agreed to outside audits for 10 years after the FTC charged the site with "serious lapses" in its data security after hackers broke into several high-profile accounts.

The federal government has also stepped up efforts to hold companies accountable for the data they are collecting, storing and selling to other companies. There are more than a dozen privacy bills in Congress this year addressing the concept of a "do not track" system that would allow Internet users to opt out of having their browsing activity tracked and a "privacy bill of rights" to regulate what is being collected.