Federal Trade Commission officials spent the day touting a new, with FTC Chairman Jon Leibowitz saying the company now will be "obligated" to keep its privacy promises.
But in reality, the agreement is likely to have little, if any, actual impact on Facebook users.
One reason is that Facebook won't have to roll back any changes to its default privacy settings, which have grown more permissive over the last few years. Photos, wall posts, and lists of friends were once visible by default only to people you were associated with; now the default settings include everyone on the Internet.
The proposed settlement "does not rectify the original problem," Marc Rotenberg, executive director of the Electronic Privacy Information Center, told CNET this afternoon. "Our concern was with the change in the default settings--that's the part that was clearly unfair" and therefore unlawful, he said.
Rotenberg, whose groupto the FTC about Facebook in late 2009, says he'll ask the FTC to order a rollback to previous default settings before the settlement becomes final. If that happens, of course, Facebook could withdraw its agreement and the entire deal would be off.
Another reason for the limited impact--in other words, the difference between what Facebook could do yesterday and what it can do once the agreement is finalized--is that the deal largely formalizes what are already viewed in the industry as best practices.
"It doesn't create any new or unusual obligation," says Jules Polonetsky, director of the Future of Privacy Forum think tank. Polonetsky says that "any reasonable lawyer advising a client" already would have told them to follow what the settlement specifies.
EPIC's letter (PDF) to the FTC noted that Facebook previously defined a user's name and network as "publicly available information." That changed in late 2009 to also include lists of friends, pages users are "fans" of, gender, and geographic regions. (Here's a visualization of how the defaults have changed since 2005.)
In a Twitter post today, FTC attorney Laura Berger indicated it would be infeasible to restore the default settings from late 2009 because the "current site no longer maps" to the previous one. But, she said, Facebook has implemented privacy controls since.
Those privacy changes, including ones that gave users more control over how information was shared, happened inand .
And that was sufficient to appease the FTC.
When asked what Facebook will be newly prohibited from doing under the proposed settlement, Justin Brookman at the Center for Democracy and Technology said: "I don't think there's any difference. The order is very consistent with what the FTC has done for a number of years."
The proposed agreement does specify that biennial audit will be performed by an "independent third-party professional" to evaluate Facebook's "privacy controls."
That's "not going to substantively change much," said Brookman, who heads CDT's Project on Consumer Privacy. "At the margins it might help."
While Facebook does have to pay for the cost of an annual audit, one benefit is reputational. It now can tell users: "Trust us with your data--we're government approved!"
"Their No. 1 asset is their reputation," says Berin Szoka, president of TechFreedom, a technology think tank. "They work very hard to preserve that."
All of which explains why the only change that Facebook CEO Mark Zuckerberg announced today was that his company would now have two chief privacy officers, Erin Egan and Michael Richter. There was no mention of restoring defaults to make Facebook user information as private as it was before.
Update 7:45 p.m. PT: EPIC's Marc Rotenberg sent me e-mail a moment ago saying he thinks the FTC's order is flawed but nevertheless important: "My objection was not to the obligations placed on Facebook going forward; they are sweeping and comprehensive. My objection is that the FTC failed to require Facebook to restore the original privacy settings."