Facebook Settles with FTC Over Privacy Concerns, Agrees to 20 Years of Audits

The U.S. Federal Trade Commission (FTC) today announced that Facebook has agreed to settle the FTC’s charges that “it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.” As part of this settlement, Facebook has agreed to biennial third-party privacy audits for the next 20 years. The settlement also requires the social network to “prevent anyone from accessing a user’s material no more than 30 days after the user has deleted his or her account.” In addition, Facebook has to establish a “comprehensive privacy program” and is barred from making misrepresentations about the privacy of its users’ personal information.

Here is the basic outline of the FTC’s complaint against Facebook:

  • In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public.  They didn’t warn users that this change was coming, or get their approval in advance.
  • Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate.  In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
  • Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.”  In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
  • Facebook claimed it had a “Verified Apps” program it used to certify the security of certain apps.  It didn’t.
  • Facebook promised users that it would not share their personal information with advertisers.  It did.
  • Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible.  But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
  • Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union.  It didn’t.

Privacy audits are nothing new for an FTC settlement, by the way. Google, too, recently submitted itself to 20 years of privacy audits.

Zuckerberg: “We’ve Made a Bunch of Mistakes”

In a reaction to this settlement, Facebook’s founder and CEO Mark Zuckerberg acknowledges that the company has made “a bunch of mistakes” in the past. He also notes that he is aware that “many people are just naturally skeptical of what it means for hundreds of millions of people to share so much personal information online, especially using any one service.” In the end, though, he also argues “that Facebook is the leader when it comes to offering people control over the information they share online.”

As for Facebook’s own users, it’s not clear that they really care about this settlement. If the comments on Zuckerberg’s post are any indication, they are far more interested in seeing a dislike button on the site…