The United States Federal Trade Commission announced a proposed settlement with Facebook Inc. over their alleged deceptive practices regarding privacy.
The FTC launched an investigation into Facebook after a complaint was filed by the Electronic Privacy Information Center (EPIC) and a coalition of other privacy groups.
The FTC’s investigation resulted in an eight-count complaint against the social media giant. The complaint lists several cases where “Facebook allegedly made promises it did not keep.”
The FTC’s press release lists the most prominent of the issues that got Facebook into trouble:
- In December 2009, Facebook changed things that were private (friends list, etc.) to public without warning or consent.
- Facebook told users third-party applications would only have limited access to information, when they could access nearly all of a user’s information.
- Facebook presented misleading privacy settings like “Friends Only”, which in reality means your friends and any applications they might choose to use.
- Facebook claimed to have a “Verified Apps” program that certified these apps were secure, but it didn’t.
- Facebook promised it would not share users’ information with advertisers, but it did.
- Facebook claimed to delete users’ photos and videos when they deactivated/deleted their accounts, but didn’t.
- Facebook claimed to comply with the US-EU Safe Harbor Framework for data transfer across borders, but didn’t.
If the settlement proceeds, the FTC would require Facebook to agree to the following conditions:
- Stop misrepresenting security and privacy policies regarding users’ personal information.
- Obtain express consent when changing the handling of existing personal information.
- Prevent people from accessing information from deleted/deactivated accounts after 30 days.
- Establish and maintain a comprehensive privacy program addressing both new and existing products.
- Undergo third-party privacy audits certifying that it meets or exceeds the FTC’s requirements for the next 20 years.
The settlement now enters into a public comment period where residents of the United States can provide feedback to the FTC on the fairness of the settlement.
I think the measures the FTC suggests in the settlement will go a long way to ensuring Facebook users are aware of how their data is being handled and provide necessary oversight to be sure policies are followed.
What concerns me is that this is a “consent agreement” and therefore “does not constitute an admission by the respondent that the law has been violated.”
What the FTC is alleging is an enormous abuse of power by a multi-billion dollar company. No fines? No admission of guilt? Where is the punishment for abusing our privacy rights for the last 5 years?
This settlement doesn’t address all of the suggestions Naked Security has made to Facebook about security on their platform, but it may result in more respect for their users’ privacy.