Facebook Privacy: 6 Key Moments

As FTC settlement nears on opt-in privacy settings, take a look back at Facebook's key privacy flaps.

Mathew J. Schwartz, Contributor

November 11, 2011

4 Min Read

Facebook has agreed to obtain an explicit opt-in from users before altering the manner in which their personal information gets collected, stored, or shared.

Friday, sources close to the ongoing talks between Facebook and the Federal Trade Commission (FTC) said that the social networking giant would ensure it obtained "express affirmative consent" before making any "material retroactive changes" to a user's privacy policy, reported the Wall Street Journal.

Such retroactive changes were used to justify a 2009 privacy policy volte-face, in which Facebook implemented new privacy policies and settings that made many people's designated-as-private information--including their profile photos, list of friends, pages of which they're a fan, gender, and geographic networks--publicly accessible. At the time, Facebook founder and CEO Mark Zuckerberg described the changes as "fulfilling a request made by many of you to make the privacy settings page simpler by combining some settings."

But the changes led many users to protest, despite prominent warnings by Facebook on its homepage that users should revisit their privacy policy settings in light of the changes.

Soon after, the Electronic Privacy Information Center (EPIC), a nonprofit research group, filed a complaint with the FTC on users' behalf, alleging that Facebook had engaged in "unfair and deceptive trade practices." Interestingly, the FTC's definition of "deceptive" doesn't mean the practice was necessarily done on purpose, but rather looks at whether the result of the action would be likely to end up misleading a customer.

"Facebook's changes to users' privacy settings disclose personal information to the public that was previously restricted," according to EPIC's complaint. "Facebook's changes to users' privacy settings also disclose personal information to third parties that was previously not available." In addition, it said, the changes simply confused a large swath of users. Interestingly, Zuckerberg himself also "reversed changes to his personal Facebook privacy settings after the transition from the original privacy settings to the revised settings made public his photographs and other information," said EPIC in its complaint.

Asked about Facebook's reported settlement offer to the FTC, a Facebook spokeswoman declined to comment.

According to news reports, the FTC has yet to sign off on the proposed deal, which would see Facebook create a more comprehensive privacy policy and submit to independent, annual privacy audits for the next 20 years. Facebook's reported proposal, however, would mirror a similar deal that the FTC reached with Google earlier this year, over accusations that the Buzz social networking service violated user privacy. A Gmail user had sued Google for violating his privacy by automatically adding Buzz onto his Gmail account, which included automatically importing all of his email contacts into the social network.

Google settled the civil suit, paying $8.5 million--minus legal fees--into a fund meant to benefit organizations that promote Internet privacy education. It also agreed to create a more comprehensive privacy policy, and to submit to annual, independent audits of its privacy policies for 20 years. Last month, meanwhile, Google killed Buzz altogether.

Twitter this year also settled with the FTC after the agency investigated a series of security breaches through which hackers gained administrative control over the entire site, twice, in 2009. As part of that settlement, Twitter agreed to specific security program enhancements, as well as independent, annual audits of its security posture for the next 10 years.

Facebook's privacy settlement proposal notably comes just four months before the deadline for the company to make its financial results public, should it choose to pursue an initial public offering.

6 Key Moments In Facebook Privacy

November 2009: From November to December 2009, Facebook begins updating its privacy policies and changes people's privacy settings accordingly.

December 2009: Four days after the changes become fully live, there are more than 500 Facebook groups devoted to the site's privacy settings.

May 2010: Facebook pitches more "simplistic" privacy options for users.

December 2010: The FTC proposes "do not track" online advertising opt-out capabilities for consumers, and signals a crackdown on websites' privacy policies, saying that industry self-regulation has failed.

November 2011: Facebook reportedly ready to sign a deal with the FTC that will require Facebook to obtain a user's explicit consent before Facebook can change the way it uses their personal information.

April 2012: Deadline for Facebook to go public, which experts estimate would value the company at up to $100 billion.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights