Facebook and FTC reach landmark privacy settlement

29 Nov 2011

Facebook CEO Mark Zuckerberg admitted today that mistakes had been made

Facebook has settled charges with the US Federal Trade Commission over changes it made to its privacy policy in 2009. The settlement requires Facebook to warn users about privacy changes and get permission before sharing their information.

Facebook has also agreed to undergo 20 years of privacy audits as part of the settlement.

The eight counts allege that Facebook deceived users into believing their information on Facebook would be kept private.

The FTC’s eight-count complaint against Facebook is part of the agency’s ongoing effort to make sure companies live up to the privacy promises they make to consumers. It charges that the claims that Facebook made were unfair and deceptive, and violated federal law.

“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” said Jon Leibowitz, chairman of the FTC.

“Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not,” Leibowitz said.

Zuckerberg admits mistakes had been made

Facebook CEO Mark Zuckerberg admitted today that “a bunch of mistakes” had been made.

“This idea has been the core of Facebook since day one. When I built the first version of Facebook, almost nobody I knew wanted a public page on the internet. That seemed scary. But as long as they could make their page private, they felt safe sharing with their friends online. Control was key. With Facebook, for the first time, people had the tools they needed to do this. That’s how Facebook became the world’s biggest community online.  We made it easy for people to feel comfortable sharing things about their real lives.

“We’ve added many new tools since then: sharing photos, creating groups, commenting on and liking your friends’ posts and recently even listening to music or watching videos together. With each new tool, we’ve added new privacy controls to ensure that you continue to have complete control over who sees everything you share. Because of these tools and controls, most people share many more things today than they did a few years ago.

“Overall, I think we have a good history of providing transparency and control over who can see your information.

“That said, I’m the first to admit that we’ve made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we’ve done.

“I also understand that many people are just naturally skeptical of what it means for hundreds of millions of people to share so much personal information online, especially using any one service.  Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected. It’s important for people to think about this, and not one day goes by when I don’t think about what it means for us to be the stewards of this community and their trust.

“Facebook has always been committed to being transparent about the information you have stored with us – and we have led the internet in building tools to give people the ability to see and control what they share.  

“But we can also always do better. I’m committed to making Facebook the leader in transparency and control around privacy,” Zuckerberg said.

Privacy needs to keep pace with technological change

Berin Szoka, president of advocacy group Tech Freedom, said that today’s judgement enshrines the rights of consumers to protect their data.

“For years, many privacy advocates have insisted that holding companies to their own privacy policies won’t protect consumers because companies can change those policies at a whim.

“Today’s settlement makes clear that changes to what a company may do with information already collected require informed user consent—provided the changes are material. This builds on a similar settlement with Google last month over the use of Gmail information in the Buzz social network without consent, among earlier FTC actions, such as preventing the transfer of sensitive information when a company goes into bankruptcy.

“Thus, while Congress struggles to craft ‘comprehensive baseline privacy’ legislation in the European model, the FTC is using its existing 1938 authority over unfair or deceptive trade practices to build a common law of privacy. This is a process of discovery: what’s the right balance between protecting privacy and the consumer benefits of encouraging the development of new services?

“That process won’t be perfect or easy, but it’s much more likely to keep up with technological change than legislation or prophylactic regulation would be, and less likely to fall prey to regulatory capture by incumbents as a barrier to competition.

“Case-by-case adjudication is a venerable American tradition—one that’s more, not less, vital in the rapidly changing field of consumer privacy. Rather than rushing to write new laws, Congress should focus on ensuring the FTC has the resources it needs to use its existing authority effectively. That means, most of all, having a larger core of technologists on staff to guide what is supposed to be our expert agency on privacy,” Szoka said.

The settlement

Specifically, under the proposed settlement, Facebook is:

  • barred from making misrepresentations about the privacy or security of consumers’ personal information;
  • required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
  • required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
  • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
  • required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
