The Federal Trade Commission and Facebook have reached a settlement on charges that Facebook deceived consumers "by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public."
The settlement will require that Facebook must:
- Not make misrepresentations about the privacy or security of consumers' personal information.
- Obtain consumers' affirmative express consent before enacting changes that override their privacy preferences.
- Prevent anyone from accessing a user's material no more than 30 days after the user has deleted his or her account.
- Establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information.
- Every two years after that for the next 20 years, obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.
The FTC alleged that Facebook:
- Changed its website so certain information that users may have designated as private -- such as their Friends List -- was made public. They didn't warn users that this change was coming, or get their approval in advance.
- Represented that third-party apps that users' installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data -- data the apps didn't need.
- Told users they could restrict sharing of data to limited audiences -- for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
- Promised users that it would not share their personal information with advertisers. It did.
- Claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
In its 19-page complaint, the FTC pointed to numerous examples of Facebook's claims that it never shares user data with advertisers. Yet, according to the federal agency, "Facebook has shared information about users with Platform Advertisers by identifying to them the users who clicked on their ads and to whom those ads were targeted."
In its press release about the settlement, the FTC noted "The complaint is not a finding or ruling that the respondent has actually violated the law. A consent agreement is for settlement purposes only and does not constitute an admission by the respondent that the law has been violated."
In a blog post, Facebook CEO Mark Zuckerberg didn't respond directly to the FTC's allegations, but admitted that "we've made a bunch of mistakes," and said that he has appointed two privacy officers to "further strengthen the processes that ensure that privacy control is built into our products and policies." Zuckerberg also pointed out that the settlement with the FTC has conditions that similar to those established between the FTC and both Google and Twitter.
In an interview, Facebook's spokesperson Barry Schnitt pointed out that some of the charges leveled by the FTC were incidents that were rare and inconsequential. "It is our policy and our intent not to share personal information with advertisers," he said. When it happened it was a result of what's called a 'referer,' that passes on the URL of the the page a user is on when they click on a link. That passes on a user ID which, in theory, could be used by an advertiser to look up the name of the person. But, said Schnitt, "They would have to go to the Web log and figure it out and then they would see public info from the user. And we fixed it a year and a half ago on our own." He said there is no evidence that any advertisers actually went and did this."
What this should mean to consumers:
In theory, what this should mean to consumers is that they can rely on information about privacy from Facebook as being accurate and complete. It should also mean that the information will be presented clearly and in language that the average person can easily understand.
Facebook must also be very clear about information shared with third parties, including app developers and advertisers.
It further means that whatever privacy protections are in place when you sign up for Facebook will remain in place unless you specifically agree to accept the changes.
What I'm hoping this means is that Facebook can do this without further complicating its privacy policies or settings.
Users still have to be vigilant
Even assuming Facebook keeps its promises to the FTC, users will still have to be vigilant about what they post on Facebook and what they agree to share with other users and third parties, including advertisers and the thousands of Facebook app developers. This includes learning about Facebook's default privacy settings, knowing how to change those settings if necessary and understanding it new simplified "inline privacy" tool that allows users to select the audience each time they post content. It also requires that users understand how third party apps work and what information Facebook passes on to those app developers.
Hopefully, Facebook will clarify its privacy policies and settings and better enforce them with third parties, but even if it does, there remains a strong possibility that information you share with third parties could be used to deliver targeted ads or be shared with others or that some of Facebook's developers or partners could misuse your information.
And, as with any digital information, what's posted online can always be copied and pasted so, regardless of what privacy settings are in place, never post anything that could get you into trouble or embarrass you now or in the future.
Anne Collier's NetFamilyNews post, Facebook"s agreement with the FTC: What it means for users.
CNET News: Facebook privacy practices get FTC Shakeup.
Disclosure: Larry Magid is co-director of ConnectSafely.org which receives financial support from Facebook.