FTC accuses Facebook of misleading developers over security

Summary: An investigation by the FTC has suggested that the social networking site fell short in reviewing and verifying applications.

An investigation by the U.S. Federal Trade Commission (FTC) has suggested that the social networking site fell short in reviewing and verifying applications, and therefore "deceived" developers over security ratings.

When developers submitted an application to the now-closed verified apps scheme, it is reported that the social networking site was paid up to $95,000 in order to give software green 'ticks' of approval. By doing so, individual applications were given a "test for trustworthy user experiences" by Facebook.

However, an in-depth investigation into Facebook's practices, conducted by Commissioners Jon Leibowitz, J. Thomas Rosch, Edith Ramirez and Julie Brill, has found that the social networking giant did not take the steps to review the applications that it promoted.

According to the FTC's report, under the title "Facebook's deceptive verified apps program", the program, which ran from approximately May 2009 to December 2009, awarded 254 applications a green 'verified' badge.

Each developer paid a fee of $375, or $175 for a student or nonprofit organization.

Every verified application was given preferential treatment through a visible badge, a tick and higher rankings in search results, both on Facebook and within the social network's directory.

The FTC says that although Facebook conveyed to consumers that it had taken steps to verify the security of these applications in comparison to other non-verified apps, the program fell short of its professed offerings.

The press release that coincided with the launch of the scheme stated:

"Application Verification: Facebook is introducing the Application Verification program which is designed to offer extra assurances to help users identify applications they can trust -- applications that are secure, respectful and transparent, and have demonstrated commitment to compliance with Platform policies."

Therefore, these applications should have been tested thoroughly for any security flaws that could expose users, right? Apparently not. Within the 19-page report, which is littered with words including "unfair" and "deceptive", the FTC accuses Facebook in the following manner:

"Facebook took no steps to verify either the security of a Verified Application's website or the security the Application provided for the user information it collected, beyond such steps as it may have taken regarding any other Platform Application."

It continues (emphasis mine):

"In many instances Facebook has permitted a Platform Application to display its Verified Apps badge when its review of the application's security has not exceeded its review of other Platform Applications. Therefore, the representation set forth [..] constitutes a false or misleading representation."

As a result, consumers may have been deceived and lulled into a false sense of security by 'verified' tickmarks on applications that were no more or less secure than standard third-party applications -- which could suggest that Facebook profited through the scheme without completing its part of the bargain.

Not only this, of course, but if the verification was not completed, then developers shelled out for worthless verification badges.

Facebook has agreed to undergo privacy vetting over 20 years by an independent watchdog. The report comes days after Google was fined a record $22.5m by the commission for circumventing privacy settings on the Apple Safari browser.

Talkback

2 comments
  • Meanwhile ...

    .. that share price keeps dropping.
    Scarface Claw
  • Security Innovation - Facebook

    Facebook allegedly did nothing to verify the security of applications that it was paid tens of thousands of dollars to review. Putting Facebook’s deceptive and ethically questionable behavior aside, the core problem remains that we shouldn't accept or use applications that haven't been tested or built by a team that can demonstrate its ability to write secure code. I applaud the statement Facebook made regarding its idea of verifying all of the applications on the Facebook platform; however, now there is a lack of trust that they'll actually do it. Find more opinions about this topic: http://blog.securityinnovation.com/blog/2012/08/facebook-accused-of-deceiving-developers-over-security-assessments.html
    securityi