The United States Federal Trade Commission (FTC) and Facebook have announced their proposed privacy settlement over complaints brought against Facebook that it deceived its users. In the complaint the FTC says that Facebook told its users that they could keep their information on Facebook private, and then repeatedly allowed it to be made public.
The FTC launched an investigation into Facebook as part of its ongoing effort to made sure that online giants like Facebook, Twitter and Google honor the privacy promises they make to American consumers. The original complaint outlined eight counts against Facebook saying that the social networking site’s privacy claims were unfair, deceptive, and violated federal law.
The FTC complaint listed a whole number of examples when Facebook made promises that it did not keep:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.
As a result of these complaints the FTC put together a strongly worded proposal which Facebook has accepted: “IT IS ORDERED that Facebook and its representatives, in connection with any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which it maintains the privacy or security of covered information.”
Under the proposed settlement Facebook must get approval from its users before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.
The settlement also states that Facebook must establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information.
In response to the settlement Facebook’s founder Mark Zuckerberg wrote “I’m the first to admit that we’ve made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we’ve done.”
He also points out that it is normal to be skeptical about Facebook’s role in how hundreds of millions of people share their personal information online. “Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected,” he said.