Will FTC Scrutiny Prompt Facebook to Pull an Onstar?

Facebook's latest round of changes has prompted privacy concerns in many circles, including Capitol Hill. As reported by Byron Acohido in USA TODAY, numerous consumer groups have joined with several members of congress to call on the Federal Trade Commission–the FTC--to investigate "new sharing mechanisms designed to accelerate the collection and dispersal of information about Facebook users' Internet activities."

Any company executive who thinks that FTC scrutiny is just another empty political gesture should have a chat with compliance officers and corporate attorneys at pharmaceutical giant Eli Lilly or technology giant Microsoft. Alternatively, talk to automotive giant General Motors, whose OnStar subsidiary last month executed a significant privacy U-turn in the face of congressional calls for an FTC investigation of its plans to keep connecting to, and collecting data from, in-car communication devices, even after customers had stopped paying for the OnStar service.

Having seen an FTC investigation up close, I know why GM acted so quickly to reverse course. Believe me, your company does not want to be on the receiving end of FTC scrutiny (fortunately, I was on the investigative end, but that's another story). The FTC is a powerful agency, enjoying bipartisan support, an agency that is able to get a multi-billion dollar industry giant like Microsoft to submit to independent, outside auditing of its internal security and privacy practices, not once, but annually. How about mandated security and privacy training and retraining for all employees? The FTC can make you do that, and check that you are doing it, every year, for ten years.

In my opinion, the FTC is one federal agency that works, regardless of who is in the White House or controlling Congress. My opinion is shared by experienced privacy and compliance officers at America's largest companies, companies like GM. When GM's OnStar subsidiary started informing customers that their in-car communication units would continue sending data, even if they, the car owners and drivers, canceled the contract and stopped paying for the service, Sen. Charles Schumer called on the FTC to investigate. Within days, OnStar quickly made a U-turn, as reported by Computerworld's Jaikumar Vijayan. 

That U-turn had to be painful for some OnStar executives. I have no data on what the company really planned to do with the information it proposed to collect at no cost to the owners of the vehicles from which the canceled service would continue to transmit. The company said that keeping the two-way communication active for former customers could "someday allow for emergency messages to be sent even to ex-customers about severe weather or evacuations." As my colleague Cameron Camp pointed out on the ESET blog that was too altruistic for some consumers to believe.

So what about Facebook, a company that has again pushed the boundaries of data sharing? How will the social media giant react to the prospect of FTC scrutiny? If they are smart they will read up on past FTC actions around privacy and security and heed these words from Timothy J. Muris, Chairman of the commission when it imposed a 10 year settlement on Microsoft:

"Good security is fundamental to protecting consumer privacy. Companies that promise to keep personal information secure must follow reasonable and appropriate measures to do so. It's not only good business, it's the law. Even absent known security breaches, we will not wait to act."