Intersections’ Consumer Security Adviser Neal O’Farrell provides his comments and analysis of the recent privacy settlement between Facebook and the Federal Trade Commission (FTC). A must read!
As a result of numerous complaints from a number of privacy advocates and organizations, the FTC finally launched its own investigation into Facebook's privacy claims and failings. According to the FTC's own statement, which announced the settlement on November 29, 2011, Facebook allegedly made many promises that it did not keep:
- In December 2009, Facebook changed its website so certain information that users may have designated as private — such as their Friends List — was made public. They didn’t warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data — data the apps didn’t need.
- Facebook told users they could restrict sharing of data to limited audiences — for example, with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a “Verified Apps” program and claimed it certified the security of participating apps. It didn’t.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.
Speaking about the issue on his Facebook page the very same day, Facebook founder Mark Zuckerberg insisted that "Overall, I think we have a good history of providing transparency and control over who can see your information. That said, I’m the first to admit that we’ve made a bunch of mistakes."
At the same time he announced the appointment of two privacy officers — reminds me of Sony's announcement that after more than half a century in business it finally decided it would be a good idea to hire a head of security, only after hackers stole nearly 100 million user accounts. Better late than never, I suppose.
The settlement requires that Facebook can no longer conduct business as usual when it comes to privacy, cannot make any further deceptive privacy claims, and must get users' approval before it changes the way it shares their data.
Specifically, under the proposed settlement, Facebook is:
- barred from making misrepresentations about the privacy or security of consumers’ personal information;
- required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.
It doesn't look like Facebook has to pay any fines or suffered any other punishments. It's simply on privacy probation for at least the next 20 years.
Read the full statement from the FTC.
To keep up to date on Facebook privacy issues, Facebook has its own team and page dedicated to all things security