11/30/2011 12:07 PM
Facebook's FTC Deal: 8 Things To Expect

Federal Trade Commission settlement allows Facebook to maintain some privacy policies, but also mandates key changes. Here's what users should know.

How will Facebook's privacy and security settings change?

The Federal Trade Commission (FTC) announced Tuesday a proposed settlement with Facebook. The action stems from allegations that the social network "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public," according to the FTC.

Facebook had labeled some of those privacy changes as its response to consumers who were clamoring for a simpler way to control their privacy settings. But the Electronic Privacy Information Center (EPIC) and other consumer-rights groups saw it differently and filed complaints with the FTC, which investigated Facebook and hit it with an eight-count indictment.

"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," said Jon Leibowitz, the chairman of the FTC, in a statement announcing the settlement. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."


Here, then, are some security and privacy changes to expect from Facebook in the wake of the settlement:

1. Privacy settings won't revert: Privacy groups, including EPIC, had called on the FTC to "restore users' privacy settings to pre-2009 levels," and then obtain explicit consent from users to change those settings. Instead, Facebook gets to keep its most recent privacy settings, which expose most private information by default, in place.

2. Consumers will opt-in to future changes: Going forward, according to the FTC settlement, Facebook will be "required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences."

3. Breaking up will be easier: The FTC settlement also requires that Facebook "prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account."

4. Little contrition: Commenting on the settlement in a blog post, Facebook founder and CEO Mark Zuckerberg said, "I'm the first to admit that we've made a bunch of mistakes." But he argued that, on balance, Facebook had struck a good balance of "transparency and control over who can see your information," despite a few missteps. "In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done," he said.

5. Internal processes get more privacy-centric: "The FTC also recommended improvements to our internal processes," said Zuckerberg in his blog post. "We've embraced these ideas, too, by agreeing to improve and formalize the way we do privacy review as part of our ongoing product development process. As part of this, we will establish a biannual independent audit of our privacy practices to ensure we're living up to the commitments we make." That's necessary, since Facebook must submit to third-party audits beginning in 180 days, followed by once every two years, to ensure that its privacy program complies with the FTC settlement requirements.

6. Facebook faces $16,000 fines: The FTC settlement says that Facebook will be hit with a $16,000 fine for every violation. For a company that's valued at about $100 billion, that's pocket change. But if each affected user counts as a separate violation, multiplying that fine by the number of affected users could produce steep penalties, not to mention bad publicity.

7. Facebook adds privacy executives: Zuckerberg announced that attorney Erin Egan will fill the company's new "chief privacy officer for policy" role, while Facebook's current chief privacy counsel, Michael Richter, will become its "chief privacy officer for products." According to Zuckerberg, Richter and his team "will work to ensure that our principles of user control, privacy by design, and transparency are integrated consistently into both Facebook's product development process and our products themselves," which paraphrases what the FTC settlement requires.

8. Facebook likely won't stumble again: Did the government get a fair deal out of Facebook? Will Facebook learn not to run afoul of the FTC in the future? In response to both questions, it's interesting that the social network now counts former FTC chair Timothy Muris as a lobbyist, while former FTC commissioner Mozelle Thompson is Facebook's "chief privacy adviser," reported Gawker. The implication: One way or another, don't expect Facebook to get caught over future privacy changes.


Comments
sfcopywriter, User Rank: Apprentice
12/1/2011 | 2:59:44 AM
re: Facebook's FTC Deal: 8 Things To Expect
I don't know if it's a fair deal or not, but having some black and white terms regarding privacy and clear penalties - here's hoping that the $16K will be multiplied per affected user, like you suggest - can only be a good thing when you consider that Facebook may be filing for an IPO in the very near future. Someone has to rein them in. Once they're public, will they be able to resist the lure of short-term profits and continue to think long-term about user experience? I don't know, but it scares me. I just don't want the things mentioned in this article - Will Facebook Be Free Forever? http://blog.sfcopywriter.com/2... - to come true.
ericabritt, User Rank: Apprentice
12/1/2011 | 1:44:05 AM
re: Facebook's FTC Deal: 8 Things To Expect
There are still important facts left out of this. The settlement doesn't stop Facebook from tracking you all over the internet. I won't argue that this isn't a fair step in the right direction, but what about protecting us everywhere else? More on the tracking side of the story here: http://www.abine.com/wordpress...
Bprince, User Rank: Ninja
11/30/2011 | 8:57:01 PM
re: Facebook's FTC Deal: 8 Things To Expect
Google+ may also put some pressure on Facebook to stay on top of privacy issues as Google builds it out.
Brian Prince, InformationWeek/Dark Reading Comment Moderator