Users were deceived by Facebook, and now the social media giant is paying the price.
Following an eight-count complaint by the Federal Trade Commission (FTC) that it deceived its users – by informing them their information was protected, while at the same time enabling the data to be shared – a newly issued proposed settlement requires Facebook to put several processes in place to make certain it delivers what it promises.
The FTC charges that the claims that Facebook made were "unfair and deceptive," and violated federal law. Primarily, under the agreement, the site is required to give its users "clear" and "prominent" disclosures, and obtain opt-in consent before any personal information is shared beyond the established privacy settings.
"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," Jon Leibowitz, chairman of the FTC, said in a statement. "Facebook's innovation does not have to come at the expense of consumer privacy."
The FTC charges chronicle a number of misleading or untrue assertions about privacy that Facebook made, but did not keep, including: not warning users when a change to its "Friend List" allowed private information to be exposed; stating that third-party apps would not access personal information beyond what they needed to operate; claiming that the "Verified Apps" program certified the security of participating apps; promising users it would not share personal data with advertisers; and insisting that it complied with the U.S.-European Union Safe Harbor Framework that governs data transfer between the United States and certain European nations.
Under the proposed settlement, Facebook is forbidden to issue any further misleading privacy claims, and it is required to obtain users' approval before changing settings that affect personal data sharing. Facebook also must conduct periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years and, further, must allow the FTC to monitor compliance with its order.
Clearly anticipating the FTC announcement, Facebook CEO Mark Zuckerberg said on Tuesday that the site he founded while a Harvard undergraduate in February 2004, and which now claims 800 million users worldwide, is aiming to evolve its privacy controls.
According to a personal statement, "Our Commitment to the Facebook Community," Zuckerberg lists a number of tools and policies put in place to improve privacy over the past 18 months. While admitting that mistakes were made in the learning process, he wrote that "privacy principles are written very deeply into our code."
Zuckerberg promised a biannual independent audit of Facebook's privacy practices "to ensure we're living up to the commitments we make."
In addition, he announced the appointment of two new positions: Erin Egan was tapped as chief privacy officer of policy. A former partner and co-chair of the global privacy and data security practice of San Francisco law firm Covington & Burling, Egan will work with regulators, legislators, experts and academics to lead Facebook's online privacy practices and policies.
In addition, Michael Richter has been named chief privacy officer of products. Richter, currently Facebook's chief privacy counsel, will lead internal privacy review.
Facebook's privacy practices have come under fire from the Electronic Privacy Information Center and an alliance of consumer groups.