11/30/2011
12:07 PM

Facebook's FTC Deal: 8 Things To Expect

Federal Trade Commission settlement allows Facebook to maintain some privacy policies, but also mandates key changes. Here's what users should know.

How will Facebook's privacy and security settings change?

The Federal Trade Commission (FTC) announced Tuesday a proposed settlement with Facebook. The action stems from allegations that the social network "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public," according to the FTC.

Facebook had labeled some of those privacy changes as its response to consumers who were clamoring for a simpler way to control their privacy settings. But the Electronic Privacy Information Center (EPIC) and other consumer-rights groups saw it differently and filed complaints with the FTC, which investigated Facebook and hit it with an eight-count indictment.

"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," said Jon Leibowitz, the chairman of the FTC, in a statement announcing the settlement. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."


Here, then, are some security and privacy changes to expect from Facebook in the wake of the settlement:

1. Privacy settings won't revert: Privacy groups, including EPIC, had called on the FTC to "restore users' privacy settings to pre-2009 levels," and then obtain explicit consent from users to change those settings. Instead, Facebook gets to keep its most recent privacy settings, which expose most private information by default, in place.

2. Consumers will opt-in to future changes: Going forward, according to the FTC settlement, Facebook will be "required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences."

3. Breaking up will be easier: The FTC settlement also states that Facebook is "required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account."

4. Little contrition: Commenting on the settlement, Facebook founder and CEO Mark Zuckerberg said in a blog post, "I'm the first to admit that we've made a bunch of mistakes." But he argued that, on balance, Facebook had offered good "transparency and control over who can see your information," despite a few missteps. "In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done," he said.

5. Internal processes get more privacy-centric: "The FTC also recommended improvements to our internal processes," said Zuckerberg in his blog post. "We've embraced these ideas, too, by agreeing to improve and formalize the way we do privacy review as part of our ongoing product development process. As part of this, we will establish a biannual independent audit of our privacy practices to ensure we're living up to the commitments we make." That's necessary, since Facebook must submit to third-party audits beginning in 180 days and then once every two years, to ensure that its privacy program complies with the FTC settlement requirements.

6. Facebook faces $16,000 fines: The FTC settlement says that Facebook will be hit with a $16,000 fine for every violation. For a company that's valued at about $100 billion, that's pocket change. But multiplying the per-violation fine by the number of affected users could result in steep penalties, not to mention bad publicity.

7. Facebook adds privacy executives: Zuckerberg announced that attorney Erin Egan will fill the company's new "chief privacy officer for policy" role, while Facebook's current chief privacy counsel, Michael Richter, will become its "chief privacy officer for products." According to Zuckerberg, Richter and his team "will work to ensure that our principles of user control, privacy by design, and transparency are integrated consistently into both Facebook's product development process and our products themselves," which paraphrases what the FTC settlement requires.

8. Facebook likely won't stumble again: Did the government get a fair deal out of Facebook? Will Facebook learn to not run afoul of the FTC in the future? In response to both questions, it's interesting that the social network now counts former FTC chair Timothy Muris as a lobbyist, while former FTC commissioner Mozelle Thompson is Facebook's "chief privacy adviser," reported Gawker. The implication: One way or another, don't expect Facebook to get caught over future privacy changes.


Comments
sfcopywriter (User Rank: Apprentice), 12/1/2011 | 2:59:44 AM
re: Facebook's FTC Deal: 8 Things To Expect
I don't know if it's a fair deal or not, but having some black and white terms regarding privacy and clear penalties - here's hoping that the $16K will be multiplied per affected user, like you suggest - can only be a good thing when you consider that Facebook may be filing for an IPO in the very near future. Someone has to rein them in. Once they're public, will they be able to resist the lure of short-term profits and continue to think long-term about user experience? I don't know, but it scares me. I just don't want the things mentioned in this article - Will Facebook Be Free Forever? http://blog.sfcopywriter.com/2... - to come true.
ericabritt (User Rank: Apprentice), 12/1/2011 | 1:44:05 AM
re: Facebook's FTC Deal: 8 Things To Expect
There are still important facts left out of this. The settlement doesn't stop Facebook from tracking you all over the internet. I won't argue that this isn't a fair step in the right direction, but what about protecting us everywhere else? More on the tracking side of the story here: http://www.abine.com/wordpress...
Bprince (User Rank: Ninja), 11/30/2011 | 8:57:01 PM
re: Facebook's FTC Deal: 8 Things To Expect
Google+ may also put some pressure on Facebook to stay on top of privacy issues as Google builds it out.
Brian Prince, InformationWeek/Dark Reading Comment Moderator