SOCIAL NETWORKING WEB SITE Facebook has settled with the US Federal Trade Commission (FTC) over charges that it failed to keep privacy promises and deceived its customers.
In a statement put out last night the FTC said that Facebook promised that it would protect its users' information by keeping it private, while "repeatedly allowing it to be shared and made public". It added that these actions were unfair and deceptive and violated federal law.
The FTC has given Facebook settlement requirements that include steps to ensure that it does not expose its users' information without giving them prior notice and obtaining their consent.
"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," said Jon Leibowitz, chairman of the FTC. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."
The FTC has listed a raft of complaints about Facebook, specifically that allegedly it made promises that it did not keep. We reproduce that list here:
- In December 2009, Facebook changed its web site so certain information that users might have designated as private - such as their Friends List - was made public. It didn't warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data - data the apps didn't need.
- Facebook told users they could restrict sharing of data to limited audiences - for example with "Friends Only". In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a "Verified Apps" program and claimed it certified the security of participating apps. It didn't.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the US- EU Safe Harbour Framework that governs data transfer between the United States and the European Union. It didn't.
Under the terms of the proposed settlement Facebook is banned from making anymore deceptive claims about the privacy that it does, or does not, offer. It will also have to submit to regular audits every 24 months for the next 20 years, and get its users' approval before it shares their data.
At Facebook, founder and CEO Mark Zuckerberg was contrite and apologised for the mistakes that his firm made, continued to make, or made again.
"I think we have a good history of providing transparency and control over who can see your information. That said, I'm the first to admit that we've made a bunch of mistakes," he said.
He added that in fact Facebook is already doing a lot of things that the FTC has told it to do, and threw up a list of things that the firm has done over the last 18 months to improve user privacy.
"Privacy principles are written very deeply into our code," he added. "Even before the agreement announced by the FTC today, Facebook had already proactively addressed many of the concerns the FTC raised." µ
Facebook has more influence than meets the eye
Attackers could 'easily compromise' an entire company by exploiting AV security flaws
Nobody knows it, but you've got a secret smiley
Plummeting pound forces firm's hand