Human Rights First

FTC’s Facebook Settlement Leaves Gaping Holes in Privacy Protection

11-30-2011

By Betsy Walters and Meg Roggensack
Business and Human Rights

Facebook emerged Tuesday from a Federal Trade Commission investigation into its privacy policies with a settlement that is pivotal in addressing significant user privacy concerns, but also leaves significant gaps in user protection. The FTC’s investigation began in December 2009 following repeated complaints from users that Facebook made significant changes to its privacy settings without informing or soliciting consent from users. The changed settings made certain aspects of users’ profiles public by default, exposing information that many users thought was private and making it inordinately difficult and confusing to make such information private again. Following a firestorm of criticism online, a number of users and privacy advocates, led by the Electronic Privacy Information Center, filed a complaint with the FTC that alleged the changes were unfair and deceptive.

It is unclear what the FTC investigation revealed—no reports have been, or likely will be, made available to the public—but the settlement orders the following:

  • Facebook “shall not misrepresent in any manner…the extent to which it maintains the privacy or security of covered information” including user privacy controls and the extent of access to user information by third parties (generally these are advertisers and app developers)
  • Prior to sharing of a user’s nonpublic information with a third party, where the sharing “materially exceeds the restrictions imposed by a user’s privacy setting(s),” Facebook must “clearly and prominently disclose to the user” specific information about the sharing and obtain the user’s express consent.
  • Facebook must implement procedures designed to cut off third party access within 30 days to information that a user has deleted.
  • Facebook must maintain a “comprehensive privacy program” designed to address existing and reasonably foreseeable privacy risks related to Facebook’s products and services and to protect the privacy of user information.
  • Facebook will submit to assessments of its privacy policies by a qualified, objective, independent assessor every two years for 20 years.
  • Facebook must submit a report within 90 days detailing the manner and form of their compliance with the order.

This settlement is commendable in several areas, namely in its requirement that regular assessments be performed by independent monitors, and the requirement that Facebook maintain a privacy policy that both addresses current issues with its privacy and foreseeable future risks. There are significant gaps, though, where ambiguities and oversights leave room for lax enforcement of the agreement terms. If unaddressed, these gaps risk making the settlement essentially useless in the users’ fight for privacy protection online.

First, there are extensive requirements for transparency in Facebook’s dealings with “third parties,” which presumably are meant to address user complaints over the sharing of personal information with advertisers and applications developers. However, the settlement never explicitly refers to “advertisers” or “application developers,” instead defining “third party” in rather complicated legalese and with multiple exceptions. The third party provisions are no more than lip service if advertisers and application developers are not included; they should be explicitly referenced in the final settlement agreement, or, failing that, Facebook should itself make it clear that it will treat advertisers and application developers as restricted “third parties.”

Second, among the requirements that Facebook disclose various policies to users, there is no reference to the need for Facebook to make disclosures uncomplicated and understandable to users. Facebook disclosures have a reputation for being too long and complex, incomprehensible and unusable for users without a lawyer on speed-dial. Facebook must make important disclosures available in terms that can be grasped by the bulk of their 800 million users—perhaps a summary of the most salient privacy points at the beginning of the big legalese document that Facebook’s speed-dialable attorneys insist upon. Giving average users an opportunity to understand what they are consenting to is the only way to obtain real consent to the terms. Similarly, Facebook should make regular, clear statements regarding its implementation of this settlement agreement. When Facebook reports to the FTC on its implementation progress 90 days after the settlement goes into effect, it should also report its progress to users in an easily grasped format; and it should continue to issue such reports to the public at least as often as the independent monitors complete their assessments, if not more often.

Third, while it is pivotal that an independent monitor will regularly assess Facebook’s privacy policies, there are crucial unresolved issues in the language calling for these assessments. The language regarding the assessments itself is somewhat odd: it calls for the monitor’s report to “explain how such privacy controls are appropriate…” and “explain how the privacy controls that have been implemented meet or exceed the protections required….” It might be more appropriate for the report to assess whether the controls are appropriate, and explain how the implemented controls meet, exceed, or fall short of the protections required. The settlement’s current terms sound more like the monitor will be head of Facebook’s booster club than an impartial assessor. To the same end, the terms give no guidance as to how assessments will be conducted. They do not call for the monitor to engage with users or other stakeholders in assessing Facebook’s policies, leaving open the likelihood that the assessment will be based only on the words in the company’s policy handbook, rather than on the reality of how the policies play out. Also, there is no requirement that the monitor’s report be made public in any form—even some reduced or redacted form—which further cuts users out of the process of holding Facebook accountable for its policy choices. The FTC has been accused repeatedly of being in bed with Facebook and other companies; the conduct of these assessments is a huge opportunity for that perception to be confirmed or denied in the minds of consumers.

Fourth, it is troubling that Facebook’s users, who are at the heart of these issues, will be kept in the dark about what the FTC’s investigation found, which may have revealed issues that are not remedied by this settlement, and in which users have a stake. The FTC has not made any report public, and the settlement stipulates that it “does not constitute an admission by [Facebook] that the law has been violated…or that the facts as alleged in the draft complaint…are true.” There should have been greater transparency around this entire process. The FTC would have done well to follow the lead of the Canadian Privacy Commissioner, which in 2009 conducted an extensive investigation of Facebook’s privacy policies and released an exhaustive, 113-page report that detailed the allegations made by a privacy rights organization, the findings of the investigation, the office’s recommendations and Facebook’s response. The comprehensiveness and transparency of the report led to Facebook adopting the majority of the Privacy Commissioner’s recommendations with specific, clear changes to its policies. It is not too late for the FTC to make its investigation into this issue more transparent, and certainly the process should be much more transparent in all aspects moving forward. Facebook must commit to ensuring that users have ultimate control over their privacy choices, which includes giving them the information to determine whether this settlement is meeting their concerns.

The notions embodied in Facebook’s settlement with the FTC are promising, but clearly there are major issues still at stake. The concerns outlined here should be explicitly inserted into the settlement agreement before it is made final, or, failing that, Facebook should issue a statement committing itself to these and any other relevant clarifying principles. The company that has called privacy “the vector around which [it] operates” must align its actions to its words by taking specific, proactive steps to address continuing consumer concerns. We urge governments to be transparent, impartial, and comprehensive in their assessments and demands of Facebook. We urge users to continue to demand protection of their privacy rights. And, with Facebook reportedly readying for an IPO as soon as next year, we encourage investors to take the privacy concerns of consumers and governments—and the implications for Facebook’s ability to retain users’ trust and patronage—into account before voting with their funds.