Facebook settles with FTC over default privacy settings

Facebook today settled with the US Federal Trade Commission (FTC) over charges that date back to December 2009, when the company radically changed its privacy settings without warning its users. At the time, the changes made parts of users' Facebook accounts public, including their profile picture, birthday, friends lists, and other personal information. From now on, changes to privacy settings must be opt-in.

See also: Facebook CEO Mark Zuckerberg makes a commitment to privacy

The FTC had charged that Facebook told its users they could keep the information they share private, and then repeatedly allowing it to be shared and made public. In other words, the FTC claimed Facebook had been unfair and deceptive, and violated federal law.

The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, and also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order. More specifically, Facebook is barred from making any further deceptive privacy claims, is required to get consumers' approval before it changes the way it shares their data, and is required to obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.

"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," FTC Chairman Jon Leibowitz said in a statement. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."

The FTC says consumers must be given clear and prominent notice in advance, if such changes are to occur again (and knowing Facebook, they likely will). Facebook must obtain consumers' express consent before their information is shared beyond the privacy settings they have established.

The FTC complaint lists seven instances in which Facebook allegedly made promises that it did not keep. These are worth publishing in full, even though not all of them are still applicable as Facebook has since rectified the issues:

• In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn't warn users that this change was coming, or get their approval in advance.
• Facebook represented that third-party apps that users' installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data – data the apps didn't need.
• Facebook told users they could restrict sharing of data to limited audiences – for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
• Facebook had a "Verified Apps" program & claimed it certified the security of participating apps. It didn't.
• Facebook promised users that it would not share their personal information with advertisers. It did.
• Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
• Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the US and the European Union. It didn't.

Under the proposed settlement, Facebook is:

• Barred from making misrepresentations about the privacy or security of consumers' personal information.
• Required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences.
• Required to prevent anyone from accessing a user's material no more than 30 days after the user has deleted his or her account.
• Required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information.
• Required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.

The FTC also revealed today that the vote to accept this settlement with Facebook was 4-0. A description of the consent agreement package will be published in the Federal Register shortly, and the agreement will be subject to public comment for 30 days, beginning today and continuing through December 30, 2011. You can make your own submission here: Comment Form. Next year, the FTC will decide whether to make the proposed consent order final.

Last but not least, it's worth noting that the FTC considers consent agreements, such as this one, are for settlement purposes only; it does not constitute an admission by the respondent that the law has been violated. That being said, when the FTC issues a consent order on a final basis, it carries the force of law with respect to future actions: each violation may result in a civil penalty of up to $16,000.

This is not the end of Facebook's privacy woes: in fact, it's just the beginning. The social networking giant is facing increasing scrutiny from various government bodies regarding its various practices, as you can see in the links below.

See also:

• Facebook to make all sharing privacy settings 'opt-in'
• US congressmen ask FTC to investigate Facebook cookies
• Privacy groups ask FTC for Facebook investigation too
• Irish Data Protection Commissioner to begin Facebook audit
• Senate to hold hearing on Facebook tracking cookies
• Congresswoman to probe Facebook over coordinated spam attack