If you've ever felt that your information was never truly private on Facebook, the federal government agrees; and today the Palo Alto-based social network announced it would settle charges related to those very concerns.
The Federal Trade Commission announced a proposed settlement with Facebook, resolving its claims that the company repeatedly deceived members about just how private their personal information really is. At a glance it would seem that what Facebook told users it would not do, it did, and many of the things it promised to do, never happened. The FTC wants this settlement to send a strong message.
"To consumers, be assured that Facebook must seek your consent before overriding privacy settings," says FTC Chairman Jon Leibowitz. "To businesses looking to be part of the growing cyber-economy, be mindful that you must design privacy protections into every phase of your product development."
The federal complaint alleges several violations of the Federal Trade Commission Act, starting with changes to the site made in 2009. Here's the FTC's simplified description:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn't warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users' installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data – data the apps didn't need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a "Verified Apps" program & claimed it certified the security of participating apps. It didn't.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn't.
For his part, Facebook co-founder and CEO Mark Zuckerberg isn't fighting the settlement. In a blog post he admits that his company has "made a bunch of mistakes" that have come to dominate the conversation about the social network.
"I also understand that many people are just naturally skeptical of what it means for hundreds of millions of people to share so much personal information online," Zuckerberg writes. "Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected. It's important for people to think about this, and not one day goes by when I don't think about what it means for us to be the stewards of this community and their trust."
The proposed settlement bans Facebook from further misrepresentations, requires it to beef up its privacy policies and requires 20 years of biennial audits. Among the changes: users must opt-in when privacy setting changes come up, not opt-out. Facebook would also have to be honest about what really happens to your member information, including your address, phone number, pictures and videos. And profiles that get deleted must actually become inaccessible within 30 days of deletion.
The FTC can't fine Facebook, but violating an FTC order can bring fines up to $16,000 per violation per day. Incurring each of the seven violations listed above for a full year, for example, could cost Facebook just under $41 million. That may well be chump change for a company rumored to be on the verge of going public for billions of dollars.
Lately the FTC has been aggressive in taking on Silicon Valley with regards to user privacy. Back in March came the first such privacy settlement involving Twitter accounts. Last month the agency finalized a very similar privacy settlement over the now-defunct social network Google Buzz.
Some privacy advocates say today's announcement doesn't go far enough. The Electronic Privacy Information Center, which pushed the FTC to investigate Facebook two years ago, also wants the social network to roll its privacy settings back to the way they were before the changes in 2009.
Plenty of questions also remain about exactly what Facebook was doing. The FTC says these violations at the social network have stopped, but it's unclear how long they went on. Facebook is required to submit a privacy audit, but because the document will be subject to Freedom of Information Act rules, it's unclear how much the public will be able to see of those audits.
The FTC also would not say, nor does the complaint clarify, whether Facebook misspoke or flat-out lied with its privacy promises. It's also unclear if Timeline and other new Facebook features unveiled at this year's F8 Developers Conference were included in the FTC probe. And although the government did not directly accuse Facebook of selling users' information to advertisers, officials would not say whether or not it happened.
Facebook's settlement with the FTC is now under a 30-day public comment period, after which the Commission will decide whether to finalize the deal. The company says it is complying with the FTC order, as well as promoting two executives to become Chief Privacy Officers. And the government says this deal is not about preventing Facebook, or any of Silicon Valley's innovators, from being innovative.
"To its enormous credit," Lebowitz says, "Facebook... has changed the way the world socializes, shops, markets, memorializes, protests, and engages in the political process. ... Facebook's innovation, though, does not have to come at the expense of consumer privacy. Under the FTC settlement, it will not."