The FTC has just announced that its eight-count deception charge against Facebook has been settled, with the world's largest social network submitting to a wide array of remedies that include 20 years of privacy auditing and strict controls on how the company deals with your personal data in the future. In this post I will explain some of the implications, for Facebook users and for consumer privacy in general.
Although this settlement was predicted–by the Threat Blog and others–it may take a while before all the ramifications of this case are fully realized, at Facebook, across the Internet, and around the world. For a start, this settlement instantly tops the charts as the most far-reaching privacy protection action that any government anywhere has ever taken. Remember, Facebook has 800 million users, more than the entire Internet had 7 years ago, and Facebook now encompasses 28% of the current Internet population worldwide. And Facebook just agreed that it has made mistakes and will mend its ways.
America has often been criticized–from within and without–for its lack of explicit privacy rights, but the U.S. Federal Trade Commission has just made the case for saying America is doing more than any other country to punish companies that don't respect consumer privacy. Facebook joins a long line of world famous brand names that have agreed to mend their ways at the insistence of the FTC, names like Eli Lilly, Google, Disney, and Microsoft. Based on my own past experience with companies upon whom the FTC has imposed privacy settlements, it is no exaggeration to say Facebook will be a different company from this day forward.
So let's get to the meat of this case. The FTC complaint lists a number of instances in which Facebook allegedly made promises that it did not keep (and I'm quoting from the FTC announcement here):
Remember, the FTC is the federal agency responsible for deterring, detecting, prosecuting, and punishing consumer deception. So the first point to make is this: If you had the feeling Facebook was deceiving you about the privacy matters listed here, that feeling has just been validated, by the highest authority in the land. But what will this settlement mean for the future of your relationship with Facebook? The remedies in this case, as laid out in today's FTC announcement, mean that Facebook is:
The first three bullets speak directly to the concerns of the Facebook user. No more unannounced or unapproved changes to how your personal data is handled. No more life after death for your deleted account. And no more false promises concerning the privacy and security of information about you that finds its way into Facebook.
What a lot of people may overlook, because it is hidden in the denser text of those last two bullet points, is that the way in which Facebook develops from now on, as a product and a company, will be shaped by this settlement: everything from the user interface you see and the features you are offered, all the way to the vast array of Facebook servers and systems around the world that you don't see.
If you can get executives at companies that have agreed to an FTC settlement like this one to talk about it, they will tell you that the way you do business changes dramatically when you are legally bound by "a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services." For a start, things move more slowly and more deliberately when you know you are being watched, and when you have to think through all the ramifications of any changes you make to your systems or your product. This settlement doesn't mean privacy-related problems at Facebook have all gone away, and it won't stop Facebook scams dead in their tracks, but it is a big step in the right direction.
Author: Stephen Cobb, We Live Security