
FTC Settlement: Facebook has Egg on its Face


When parts of your Facebook profile were made public by default, the government didn’t like it any more than you did. The Federal Trade Commission (FTC) backed Facebook into a settlement because, in part, they said the changes "exposed potentially sensitive affiliations" of the user. CEO Mark Zuckerberg admitted that his company made "a small number of high-profile mistakes," but he parried that they were responding to users’ requests for simplicity.

Facebook will now be audited every other year for the next two decades. If violations are found it can cost them $16,000 per day. The current settlement charged the company with eight different counts based on unfair and deceptive behavior. To sidestep further infractions, Zuckerberg has put two attorneys in charge of privacy: one for product privacy, the other for the social network’s privacy policies.

What Facebook was claiming with regard to privacy versus what it had actually been doing was called into question. A major area of concern was information made available to third parties [can you say advertisers? Ed.]. The FTC said apps, many of which did not have verified security, had unrestricted access to users’ personal data. Additionally, users’ unique browsing history was tapped. That piece of data gives others a picture of your habits, interests, and vices.

Facebook begrudgingly agreed to obtain users’ consent before making changes that would override their privacy preferences. The company fudged a bit by obtaining the OK to be able to address "technological changes" that would affect how they obtained that consent. However, the change to your settings that went into effect in 2009, exposing your information and requiring you to opt out instead of opting in, will remain in place. Your data has already been "out there" for everyone to grab. Opting out now is like closing the barn door after the horse has gone. As a concession, future automated changes to those settings will require your permission.

Per the FTC, too much could be found on Facebook

Looking back, in 2007 the FTC put forth principles for a self-regulatory program. As they relate to the current Facebook agreement, back then the FTC advised websites to:

  • Obtain affirmative express consent before using sensitive consumer data.
  • Provide security for consumer data and retain it only as long as necessary.

That last point was flagrantly overlooked in Facebook’s procedures. One of the points in the new agreement between the FTC and Facebook is that your stuff must become inaccessible no more than 30 days after you delete your Facebook account. In other words, when you delete your Facebook account, all associated images, videos, and information should be deleted also. To date, that has not always been the case.

Why did Facebook ignore the 2007 FTC guidelines? Self-regulatory is a description that suits neither mischievous hackers nor companies with a teenager’s mentality. Still, how did Facebook get off so easily for ignoring those FTC suggestions? Strange bedfellows perhaps. It is reported in InformationWeek that former FTC chair Timothy Muris is a lobbyist speaking up for Facebook, and a previous commissioner on the FTC, Mozelle Thompson, is Facebook’s chief privacy adviser.

Facebook’s privacy practices also came under scrutiny in 2009 in Canada. It was accused of violating the country’s Personal Information Protection and Electronic Documents Act (PIPEDA) because it let users deactivate their accounts, but didn’t show how to delete them to remove personal information from the site.

The recent FTC agreement in the US requires that "disclosures are presented in an understandable language and syntax." It also requires that Facebook "shall not misrepresent in any manner, expressly or by implication, the extent to which it maintains the privacy or security of covered information." In other words, speak the truth, the whole truth, clearly, and don’t try to fool your customer.

We have yet to see the results of the current proposed understanding drafted by the FTC and Facebook. The FTC is holding off finalizing the agreement for 30 days while it solicits public comment.

Check out the Wall Street Journal’s video on the terms of Facebook’s settlement.