Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Proposed settlement bars Facebook from making further deceptive privacy claims, requires that the company get consumers’ approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years. 

According to the Federal Trade Commission, Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.  The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers’ express consent before their information is shared beyond the privacy settings they have established.

Facebook Settles Privacy ChargesThe FTC’s eight-count complaint (PDF) against Facebook charges that the claims that Facebook made were unfair and deceptive, and violated federal law.

“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” said Jon Leibowitz, Chairman of the FTC. “Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not.”

“I’m the first to admit that we’ve made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we’ve done,” Facebook founder Mark Zuckerberg wrote in a blog post this afternoon.

The FTC complaint lists a number of instances in which Facebook allegedly made promises that it did not keep:

  • In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public.  They didn’t warn users that this change was coming, or get their approval in advance.
  • Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate.  In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
  • Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.”  In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
  • Facebook claimed it had a “Verified Apps” program it used to certify the security of certain apps.  It didn’t.
  • Facebook promised users that it would not share their personal information with advertisers.  It did.
  • Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible.  But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
  • Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union.  It didn’t.

The proposed settlement bars Facebook from making any further deceptive privacy claims, requires that the company get consumers’ approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years. 

“Today’s announcement formalizes our commitment to providing you with control over your privacy and sharing — and it also provides protection to ensure that your information is only shared in the way you intend,” Zuckerberg noted. “As the founder and CEO of Facebook, I look forward to working with the Commission as we implement this agreement. It is my hope that this agreement makes it clear that Facebook is the leader when it comes to offering people control over the information they share online.”

Specifically, under the proposed settlement, Facebook is:

  • barred from making misrepresentations about the privacy or security of consumers’ personal information;
  • required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
  • required to prevent anyone from accessing a user’s material no more than 30 days after the user has deleted his or her account;
  • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
  • required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected. 

The proposed order also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order.  

The Commission vote to accept the consent agreement package containing the proposed consent order for public comment was 4-0.  The FTC said it will publish a description of the consent agreement package in the Federal Register shortly.  The agreement will be subject to public comment for 30 days, beginning today and continuing through December 30, 2011, after which the Commission will decide whether to make the proposed consent order final.  

The FTC issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest.  The complaint is not a finding or ruling that the respondent has actually violated the law. 

Related Reading: Facebook vs. Privacy – What You Can do to Protect Your Privacy

Related Reading: Is Facebook Good for your Health?

Related Reading: A Day in the Life of Privacy

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Privacy

Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.

Privacy

The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Cyberwarfare

The U.S. is tracking a suspected Chinese spy balloon spotted over U.S. airspace, officials said on Feb. 2, 2023.

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Cyberwarfare

U.S. fighter jets successfully shot down the high altitude spy balloon launched by and belonging to China.