Facebook has finally come to an agreement with the United States government over charges of misinformation around users’ privacy agreements.
The Federal Trade Commission (FTC), accused the world’s largest social network of a series of complaints over its inability to fullfil its agreement with users.
The charges were lodged in December 2009 by privacy groups who claimed that Facebook engaged in a deceptive behaviour when changing its privacy settings. The groups are against settings which make aspects of a user’s profile — such as their name, picture, gender and list of friends — public by default. The complaints also include the sharing of user information without consent, as well as holes in Facebook’s security when verifying apps.
Following the settlement the social network has undertaken to be a lot more careful with users’ information. “The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future,” the FTC said in a statement.
“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” said Jon Leibowitz, Chairman of the FTC. “Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not.”
This also includes giving users a “clear and prominent notice and obtaining consumers’ express consent before their information is shared beyond the privacy settings they have established.”
Furthermore the agreement requires Facebook to submit to regular assessments from privacy auditors for no less than 20 years.
In a blog post, Facebook founder, Mark Zuckerburg, admitted that there have been some mistakes with the social networks inner workings.
“I’m the first to admit that we’ve made a bunch of mistakes,” he wrote. “I also understand that many people are just naturally skeptical of what it means for hundreds of millions of people to share so much personal information online, especially using any one service.”
He also emphasised that the agreement meant a “clear and formal long-term commitment to do the things we’ve always tried to do and planned to keep doing — giving you tools to control who can see your information and then making sure only those people you intend can see it.”
It’s just as well Facebook’s been brought to task. The FTC complaint lists several concerning instances in which Facebook allegedly made promises that it did not keep:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.
- Facebook led users to believe that third-party apps would only have access to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a “Verified Apps” program and claimed it certified the security of participating apps. It didn’t.
Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.
Specifically, under the proposed settlement, Facebook is:
- barred from making misrepresentations about the privacy or security of consumers’ personal information;
required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;
- required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;
- required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and
- required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.
This agreement is in similar accordance to agreements made with other online corporation such as Google and Twitter, and is likely to go a long way in satisfying privacy rights groups.