Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.
“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” said Jon Leibowitz, Chairman of the FTC. “Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not.”
The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers’ express consent before their information is shared beyond the privacy settings they have established.
The FTC complaint lists a number of instances in which Facebook allegedly made promises that it did not keep:
- Facebook didn’t warn users that Friend Lists and other data would become public when it transitioned to a new privacy model in December 2009.
- Apps can request access to almost any piece of user data, though Facebook said they could only access data they need to operate.
- The “Friends Only” privacy setting still allowed data to be accessed by third-party apps used by friends.
- The “Verified Apps” program didn’t actually verify the security of apps.
- A security bug caused Facebook to accidentally share personal data with advertisers when it promised it wouldn’t.
- Content on deactivated and deleted accounts could still be accessed despite claims to the contrary.
- Data of users in the European Union was transferred in violation of the US-EU Safe Harbor Framework.
Specifically, under the proposed settlement, Facebook is:
- barred from making misrepresentations about the privacy or security of consumers’ personal information;
- required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.
In a blog post, Facebook CEO Mark Zuckerberg stated, “Facebook has always been committed to being transparent about the information you have stored with us – and we have led the internet in building tools to give people the ability to see and control what they share.”
Zuckerberg’s statement explains that the world’s privacy weighs heavily on him: “not one day goes by when I don’t think about what it means for us to be the stewards of this community and their trust.” He also says that Facebook’s code deeply integrates privacy protection: “We do privacy access checks literally tens of billions of times each day to ensure we’re enforcing that only the people you want see your content.”
He said, “we’ve added many new tools since then: sharing photos, creating groups, commenting on and liking your friends’ posts and recently even listening to music or watching videos together. With each new tool, we’ve added new privacy controls to ensure that you continue to have complete control over who sees everything you share. Because of these tools and controls, most people share many more things today than they did a few years ago.”
He added that in the last 18 months, “we’ve announced more than 20 new tools and resources designed to give you more control over your Facebook experience,” including:
- An easier way to select your audience when making a new post
- Inline privacy controls on all your existing posts
- The ability to review tags made by others before they appear on your profile
- Friend lists that are easier to create and that maintain themselves automatically
- A new groups product for sharing with smaller sets of people
- A tool to view your profile as someone else would see it
- Tools to ensure your information stays secure like double login approval
- Mobile versions of your privacy controls
- An easy way to download all your Facebook data
- A new apps dashboard to control what your apps can access
- A new app permission dialog that gives you clear control over what an app can do anytime you add one
- Many more privacy education resources
The FTC voted 4-0 to accept Facebook’s package of changes and open it for 30 days of public comment starting today. The Commission will then decide whether to finalize the proposed consent order. The restrictions could negatively impact the $100 billion IPO Facebook is said to be planning for summer 2012.