Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:00 PM
Connect Directly

Facebook Settles FTC Charges, Admits Mistakes

CEO Mark Zuckerberg promises to make Facebook a privacy leader.

Top 15 Facebook Apps For Business
(click image for larger view)
Slideshow: Top 15 Facebook Apps For Business
Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their personal information private while allowing that information to be shared and made public.

The proposed settlement requires Facebook to provide consumers with clear notice and to obtain consent when sharing information beyond the guidelines established by consumers' privacy settings. As with Google and its recent privacy settlement with the FTC, Facebook has agreed to have its privacy practices audited for the next 20 years.

Facebook has long insisted, "We take privacy very seriously," and even has gone as far as to insist that it takes privacy "very, very seriously." Now, the company, which earlier this year proposed re-branding privacy policies as data use policies, will face pressure to take privacy very, very, very seriously.

CEO Mark Zuckerberg, in an effort to get out in front of yet another privacy controversy, Tuesday posted a contrite blog post in which he promises to make Facebook "the leader in transparency and control around privacy."

Insisting that Facebook has "a good history of providing transparency and control over who can see your information," Zuckerberg acknowledges his company's missteps.

[Find out about how Facebook fumbled its roll-out of facial recognition technology.]

"I'm the first to admit that we've made a bunch of mistakes," he wrote in his post. "In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done."

As examples of that work, Zuckerberg cited 20 new tools and resources introduced in the past 18 months that have been designed to give users more control over the Facebook experience.

Of course it's not Facebook's good work that got the attention of the FTC. The FTC's complaint cites a series of promises about privacy that Facebook did not keep.

The broken promises include: a December 2009 website change that exposed information, such as Friends Lists, that had been designated private; Facebook's assertion that third-party apps would have only necessary information to operate, when in fact the apps had access to almost all of users' personal data; Facebook's assertion that users could restrict sharing to limited audiences, even though friends could share that information more broadly through third-party apps; Facebook's assertion that it would not share personal information with advertisers, which it nonetheless did; Facebook's claim that photos and videos from deleted accounts could not be accessed, which wasn't true; and Facebook's claim that it complied with the US-EU Safe Harbor Framework governing data transfers between the United States and Europe, with which it did not actually comply.

"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," said FTC chairman Jon Leibowitz in a statement. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."

Maybe. The FTC's requirements will do nothing to prevent Facebook users from sharing without considering the implications; the FTC is powerless to protect users from themselves. But the agency has prompted Facebook to create two new privacy officer positions: chief privacy officer for policy, and chief privacy officer for products.

Zuckerberg insists that these two positions will help ensure that Facebook develops products and policies with privacy in mind.

Of course, merely creating a position does not guarantee that that position will have real power to affect important corporate decisions, or even that Facebook's conception of privacy will match consumer expectations.

Google's global privacy counsel Peter Fleischer last week noted on his personal blog that European privacy laws are likely soon to be amended to require that companies have a data protection officer. "This will be a practical step forward for privacy," he notes. "But at the same time, it will be important to define what we're accountable for, internally and externally, especially in a field where the very notion of 'privacy' is highly subjective, and where the visions of what a privacy leader is supposed to do diverge dramatically, by country, by industry, and by function."

Facebook may well take privacy seriously, but like Google it also takes advertising revenue seriously. And as privacy advocate Christopher Soghoian recently noted, the business models of online advertising services are inherently in conflict with user privacy.

The Enterprise Connect conference program covers the full range of platforms, services, and applications that comprise modern communications and collaboration systems. It happens March 25-29 in Orlando, Fla. Find out more.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/30/2011 | 8:52:53 PM
re: Facebook Settles FTC Charges, Admits Mistakes
Hi Brian,

In response, I've come to understand that the only way to protect your privacy on Facebook is to not use Facebook. I also don't believe that Facebook will take steps to finally protect it's users privacy. There's no incentive for them to. If anything, introducing privacy settings that actually work would harm Facebooks digital advertising sales.

Sure, the FTC might be auditing Facebooks privacy things for the next 20 years (I wonder if Facebook is saving money as a result of that ruling somehow) and that sounds great on paper but, this is the FTC we're talking about and it's about as efficient as the rest of the government. I actually like the idea of the FTC controlling my privacy on Facebook even less than I like the idea of Facebook controlling it.

tl;dr - I don't believe anything Facebook says and don't trust the government/FTC to make better decisions than FB.
User Rank: Apprentice
11/30/2011 | 2:21:53 AM
re: Facebook Settles FTC Charges, Admits Mistakes
Bprince, in response to your comment... I still grade it pretty low. B at best...It's great that they've protected us inside of facebook, but there is still a big piece missing...This does noting to protect us against being tracked OUTSIDE of facebook. If interested I think this may be a good read for you http://www.abine.com/wordpress...
User Rank: Ninja
11/30/2011 | 1:52:19 AM
re: Facebook Settles FTC Charges, Admits Mistakes
How does everyone grade Facebook privacy at this point? Any changes you would like to see made?
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.