Facebook nears settlement with FTC on privacy opt-in

Facebook is nearing a settlement with the FTC over charges that it misled users about how it uses their personal information, according to a report published on Friday by the Wall Street Journal (WSJ).

Those familiar with the talks told the WSJ that the settlement would require Facebook to obtain users’ consent before making “material retroactive changes” to its privacy policies.

That means that Facebook would have to get consent to share data in any way that’s different from what the user originally agreed to. At this point, the agreement is only awaiting approval by the Federal Trade Commission.

As the WSJ indicated, the FTC’s focus on privacy is rising to meet consumers’ concerns. Just in the past three days, online advertiser ScanScout settled FTC charges that it deceptively claimed that consumers could opt out of receiving targeted ads by changing their computer’s browser settings to block cookies.

The operator of skidekids.com, a site that bills itself as the “Facebook and Myspace for Kids,” settled charges that he collected personal information from 5,600 children without parental consent, in violation of the Commission’s Children’s Online Privacy Protection Act (COPPA) Rule.

The Obama administration has led the charge, coming out in support of an Internet privacy bill in March.

The Facebook charges were filed as a result of Facebook’s December 2009 privacy setting changes, which made elements of users’ profiles—including name, picture, city, gender, and friends list—public by default.

At the time, Facebook founder Mark Zuckerberg described the changes as a “simpler model for privacy control.”

Users did not agree. The Electronic Privacy Information Center led a group of privacy advocates who filed a complaint with the FTC, alleging the changes were unfair and deceptive.

The proposed settlement includes a requirement that Facebook will submit to independent privacy audits for 20 years, according to the WSJ — a far longer term than the five years that Facebook would have preferred.

Those familiar with the negotiations said that a vote on the settlement would likely be forthcoming in the next few weeks.

The Sophos security team has been concerned about Facebook safety and privacy for years. In April, Graham Cluley posted an open letter to Facebook that outlined three simple steps that the social media giant could take to better protect users.

The steps include vetting application developers to clean up the large number of rogue applications and viral scams now allowed to lurk on the service, as well as turning HTTPS on by default at all times (not just “when possible”).

But the No. 1 step on the list was this simple, privacy-crucial requirement: Opt-in by default. No more sharing of information without users’ express agreement.

David Cohen, writing on All Facebook, suggests that the possible settlement is “much ado about nothing.”

Yes, absolutely, Mr. Cohen is right. It is much ado about nothing, depending on how you define “nothing.”

“Facebook made privacy controls more prominent on its users’ pages in August, and those changes have been very noticeable from a user perspective,” Cohen writes.

But more prominent controls haven’t brought about greater control over privacy. As highlighted in the Europe vs. Facebook privacy skirmish, users can’t even trust that Facebook isn’t retaining supposedly deleted data.

Rather, the reason it’s much ado about nothing is that the possible settlement, if the WSJ’s sources are correct and if the terms don’t change before the final signing, simply doesn’t provide true opt-in-only privacy.

For that to occur, Facebook would have to retroactively require opt-in for sharing of previously collected data.

Unfortunately, that’s not what’s being proposed. Instead, the settlement would require Facebook to obtain users’ consent before making “material retroactive changes.”

In other words, Facebook would only need to get user consent to share data in a way that differs from how the user originally agreed the data could be used.

Because the proposed settlement with the FTC lacks opt-in by default, it doesn’t go far enough. It doesn’t rein in the company and hold it responsible for protecting privacy on the enormous ocean of data it has already stockpiled and upon which it is making what we can assume are healthy profits.

Nobody can say for sure how much money the private company is making. But as ZDNet’s Emil Protalinski writes, Facebook’s revenue passed $1.6 billion in the first half of 2011 and saw around $800 million in operating income. Comparisons with public companies’ revenues would suggest it’s pretty profitable.

And as reported by the WSJ, Facebook’s move to resolve privacy concerns comes amidst growing speculation over a possible initial public offering next year, which could value the company at up to $100 billion.

Facebook’s been mute about the possible IPO, but the April 2012 deadline for filing is fast upon them.

Will Facebook ever willingly let go of the data off of which it’s making this kind of money? The laws of profit make that an unlikely scenario.

Here’s hoping the FTC ultimately gets the company to better protect users’ privacy. But this settlement hardly seems like it will go far in doing so.

If you’re on Facebook and want to keep informed about privacy issues, scams and internet attacks, join the Sophos page on Facebook, where over 140,000 people regularly share information on threats and discuss the latest security news.