The FTC has just announced its eight-count deception charge against Facebook has been settled, with the world's largest social network submitting to a wide array of remedies that include 20 years of privacy auditing and strict controls on how the company deals with your personal data in the future. In this post I will explain some of the implications, for Facebook users, and for consumer privacy in general.
Although this settlement was predicted--by the Threat Blog and others--it may take a while before all the ramifications of this case are fully realized, at Facebook, across the Internet, and around the world. For a start, this settlement instantly tops the charts as the most far-reaching privacy protection action that any government anywhere has ever taken. Remember, Facebook has 800 million users, more than the entire Internet 7 years ago, and Facebook now encompasses 28% of the current Internet population worldwide. And Facebook just agreed that it has made mistakes and will mend its ways.
America has often been criticized--from within and without--for its lack of explicit privacy rights, but the U.S. Federal Trade Commission has just made the case for saying America is doing more than any other country to punish companies that don't respect consumer privacy. Facebook joins a long line of world famous brand names that have agreed to mend their ways at the insistence of the FTC, names like Eli Lilly, Google, Disney, and Microsoft. Based on my own past experience with companies upon whom the FTC has imposed privacy settlements, it is no exaggeration to say Facebook will be a different company from this day forward.
So let's get to the meat of this case. The FTC complaint lists a number of instances in which Facebook allegedly made promises that it did not keep (and I'm quoting from the FTC announcement here):
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn't warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users' installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data – data the apps didn't need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a "Verified Apps" program & claimed it certified the security of participating apps. It didn't.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn't.
Remember, the FTC is the federal agency responsible for deterring, detecting, prosecuting, and punishing consumer deception. So the first point to make is this: If you had the feeling Facebook was deceiving you about the privacy matters listed here, that feeling has just been validated, by the highest authority in the land. But what will this settlement mean for the future of your relationship with Facebook? The remedies in this case, as laid out in today's FTC announcement, mean that Facebook is:
- barred from making misrepresentations about the privacy or security of consumers' personal information;
- required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user's material no more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.
The first three bullets speak directly to the concerns of the Facebook user. No more unannounced or unapproved changes to how your personal data is handled. No more life after death for your deleted account. And no more false promises concerning the privacy and security of information about you that finds its way into Facebook.
What a lot of people may overlook, because it is hidden in the denser text of those last two bullet points, is that the way in which Facebook develops from now on, as a product and a company, everything from the user interface you see and the features you are offered, all the way to the vast array of Facebook servers and systems around the world that you don't see, will be shaped by this settlement.
If you can get executives at companies that have agreed to an FTC settlement like this one to talk about it, they will tell you that the way you do business changes dramatically when you are legally bound by "a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services." For a start, things move more slowly and more deliberately when you know you are being watched, and when you have to think through all the ramifications of any changes you make to your systems or your product. This settlement doesn't mean privacy-related problems at Facebook have all gone away, and it won't stop Facebook scams dead in their tracks, but it is a big step in the right direction.