Facebook privacy practices get FTC shakeup

To settle charges of deception, Facebook agrees to get consumers' permission before it changes the way it shares their information.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
6 min read

Facebook settled a federal complaint about its privacy practices, making major changes to the way it handles user information in order to clear away an issue that could have overshadowed its expected--and long awaited--IPO.

As part of the settlement, Facebook agreed to let users "opt into" changes that alter how their personal information is shared with advertisers and other users, to disclose the information it shares with third parties and to submit to two decades of annual "privacy audits" to ensure its compliance.

The settlement ends a Federal Trade Commission investigation into Facebook's handling of personal information, which kicked off after several privacy groups filed a complaint with the commission in late 2009. The commission's settlement order outlined eight counts in which it claimed Facebook had "deceived" its users by altering its privacy practices without warning.

"The FTC alleges numerous violations of the FTC Act, which prohibits deceptive or unfair acts or practices," Jon Leibowitz, chairman of the FTC, said in a conference call. "The most important thing is to ensure consumer privacy going forward, and we believe this order does that."

A seemingly contrite Facebook CEO Mark Zuckerberg admitted making mistakes. "Overall, I think we have a good history of providing transparency and control over who can see your information," wrote in a blog post. "That said, I'm the first to admit that we've made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done."

Although Facebook has agreed to change its privacy practices, it did not acknowledge that it violated any law and the settlement notes that the company "expressly denies" the FTC's allegations.

The eight-count complaint alleges that Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public," the agency said in a statement.

For instance, the complaint says Facebook made changes in December 2009 that exposed to the public information users previously set to private, such as "Friends List," without warning users that the change was coming or getting their approval in advance. Facebook also represented that third-party apps would have access only to user information that the app needed to operate when in fact the apps could access nearly all of the users' personal data, the FTC said. Also, Facebook told users they could restrict data sharing to certain groups of people, such as "Friends Only," but then allowed the information to be shared with third-party apps friends used, according to the complaint.

In addition: Facebook claimed to have a "Verified Apps" program to certify the security of certain apps, when it did not; Facebook promised not to share personal information with advertisers but did anyway; Facebook claimed that photos and videos could not be accessed when an account was deactivated or deleted when the content could still be accessed; and Facebook claimed it complied with the U.S.-EU Safe Harbor Framework governing data transfer when it didn't, according to the FTC.

Of particular concern was the sharing of user information with advertisers, according to Maneesha Mithal, associate director in the FTC's division of privacy and identity protection. "When a user clicked on an ad (Facebook) was sharing the user ID about that user and it was a specific identify and could be combined with browsing history," she said. This ad-related violation dates back to at least September 2008, according to Laura Berger, staff attorney at the FTC's division of privacy and identity protection.

The settlement bars Facebook from making any deceptive privacy claims, such as misrepresentations about the privacy or security of user personal information. It requires Facebook to get user approval before changing the way it shares user data, including getting express consent before making changes that override their privacy preferences. Facebook must prevent anyone from accessing content on a user's account after the account has been deleted.

The settlement does not adopt a recommendation proposed by the Electronic Privacy Information Center, which filed the initial complaint. EPIC had requested that Facebook restore users' privacy settings to pre-2009 levels.

The settlement also requires Facebook to establish a comprehensive privacy program to address risks associated with development of new products and to get biannual independent audits of its privacy practices for the next 20 years. The audits are subject to Freedom of Information Act rules and may be made public on a case-by-case basis, said Mithal.

Facebook must adopt a "privacy-by-design" concept, according to Liebowitz.

Facebook has agreed to improve and formalize its privacy review and will create a biannual independent audit of its privacy practices, In addition, Facebook is creating two new corporate officer roles--chief privacy officer of policy and chief privacy officer of products.

The FTC does not have the authority to fine a company for violations of the FTC Act, but Facebook will be subject to fines if it violates provisions of the settlement, Leibowitz said. The fine will be $16,000 per violation per day.

In response to questions about privacy issues related to facial recognition technology, which Facebook quietly rolled out earlier this year, the FTC staffers said they are concerned and are holding a workshop next week on the subject, but that facial recognition is not specifically covered in the settlement. "If they unveil a new product that uses facial recognition technology they would have to address the privacy concerns," Mithal said.

The settlement is similar to one announced in March between the FTC and Google over its Buzz service, that also called for privacy audits.

"Recently, the U.S. Federal Trade Commission established agreements with Google and Twitter that are helping to shape new privacy standards for our industry," Zuckerberg noted in his blog post.

"For Facebook, this means we're making a clear and formal long-term commitment to do the things we've always tried to do and planned to keep doing--giving you tools to control who can see your information and then making sure only those people you intend can see it," he said. "I'm committed to making Facebook the leader in transparency and control around privacy."

Zuckerberg and FTC staffers said Facebook has already addressed the problems specified in the complaint. "The violations have stopped," Liebowitz said. And Zuckerberg noted that the company has announced more than 20 new tools and resources in the last 18 months that are designed to give users more control over their data and activities on Facebook.

The FTC voted 4-to-0 to accept the consent agreement, which will be subject to public comment for 30 days. The commission will make a final decision after that on the settlement, which will affect Facebook and its 800 million users.

Over all, the settlement was greeted with praise from consumer groups and lawmakers. "Companies should not be able to alter privacy settings after the fact, exposing private information to the public at large and to third party marketers," said Ioana Rusu, regulatory counsel for Consumers Union. "This settlement upholds that principle. It sends a strong message to companies that they must live up to the privacy promises made to consumers."

"Today's Facebook settlement is an important step, making it clear that companies can't simply change the rules without asking users' permission," said Chris Conley, policy attorney with the ACLU of Northern California. "But to keep pace with new technology, we also need new laws and tools like Do Not Track and comprehensive privacy legislation to help us safeguard our own personal information."

To find out how the settlement is expected to affect Facebook users, read my colleague Declan McCullagh's article here.

Updated 12:36 p.m. PT with background and reaction and 11:30 a.m. PT with details and quotes from conference call.

CNET's Declan McCullagh contributed to this report.