The Federal Trade Commission announced today that Facebook has settled charges that it deceived consumers by failing to keep privacy promises.
Under the proposed settlement, Facebook is required to give consumers clear and prominent notice and obtain consent before information is shared beyond the privacy settings that have been established.
"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," said FTC Chairman Jon Leibowitz. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."
The FTC lists the following examples where Facebook did not keep its promises:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn't warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users' installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data – data the apps didn't need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a "Verified Apps" program & claimed it certified the security of participating apps. It didn't.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn't.
Now, under the settlement, the FTC says Facebook is:
- barred from making misrepresentations about the privacy or security of consumers' personal information;
- required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user's material no more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.
Facebook CEO Mark Zuckerberg took to the company blog to weigh in on the whole thing himself. “Overall, I think we have a good history of providing transparency and control over who can see your information,” he writes. “That said, I'm the first to admit that we've made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done.”
Here’s a famous video where he’s being grilled by All Things D about privacy, and sweating profusely:
“I also understand that many people are just naturally skeptical of what it means for hundreds of millions of people to share so much personal information online, especially using any one service,” he continues in the blog post. “Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected. It's important for people to think about this, and not one day goes by when I don't think about what it means for us to be the stewards of this community and their trust.”
Zuckerberg says that in the last 18 months, Facebook has announced over 20 new tools and resources for users to have more control over their Facebook experience. He lists things like selecting your audience, inline privacy controls, the ability to review tags, friend lists, a new groups product, the tool that lets you view your profile like others would see it, double log-in approval,
“Even before the agreement announced by the FTC today, Facebook had already proactively addressed many of the concerns the FTC raised,” he says. “For example, their complaint to us mentioned our Verified Apps Program, which we canceled almost two years ago in December 2009. The same complaint also mentions cases where advertisers inadvertently received the ID numbers of some users in referrer URLs. We fixed that problem over a year ago in May 2010.”
Facebook has agreed to biannual independent audits by third-party auditors of its privacy practices for the next 20 years to ensure it’s living up to its commitments. The company has also created two new privacy executive roles, naming Erin Egan Chief Privacy Officer, Policy and Michael Richter Chief Privacy Officer, Products.
The first comment on Zuckerberg’s post is, “Can we get a dislike button?”