
Facebook settles with FTC, under privacy watch for 20 years - count_zero
http://www.ftc.gov/opa/2011/11/privacysettlement.shtm
======
brown9-2
Wow, this list is brutal:

_- In December 2009, Facebook changed its website so certain information that
users may have designated as private – such as their Friends List – was made
public. They didn't warn users that this change was coming, or get their
approval in advance.

- Facebook represented that third-party apps that users installed would have
access only to user information that they needed to operate. In fact, the apps
could access nearly all of users' personal data – data the apps didn't need.

- Facebook told users they could restrict sharing of data to limited
audiences – for example with "Friends Only." In fact, selecting "Friends Only"
did not prevent their information from being shared with third-party
applications their friends used.

- Facebook had a "Verified Apps" program & claimed it certified the security
of participating apps. It didn't.

- Facebook promised users that it would not share their personal information
with advertisers. It did.

- Facebook claimed that when users deactivated or deleted their accounts,
their photos and videos would be inaccessible. But Facebook allowed access to
the content, even after users had deactivated or deleted their accounts.

- Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework
that governs data transfer between the U.S. and the European Union. It
didn't._

~~~
d_r
_"- Facebook represented that third-party apps that users installed would
have access only to user information that they needed to operate. In fact, the
apps could access nearly all of users' personal data – data the apps didn't
need."_

Privacy/ethics issues aside, from a pure developer standpoint, isn't this just
a feature? Where do we draw the line between functionality and privacy?

User A allows user B to see her data via "Friends only." User B runs app X,
whose functionality includes interacting with friends. Let's say it shows on a
map where each of your friends lives. App X can see the said data for the
purposes of providing functionality.

Yes, I know that by strict definition this conflicts with "friends only." You
now have "friends and the application executable code only." But how is this
different from, say, Gmail auto-scanning my e-mail to show ads? Is it because
I trust Google and don't trust $random_fb_app_developer?

Likely one concern is that this third-party developer can disrespect (or
actually, not even know about) that "friends only" setting and inadvertently
make the data visible to other parties.

(Disclaimer: Don't get me wrong, I loathe/distrust most FB apps as much as the
next person. Just trying to think from an honest developer's shoes here.)

~~~
_delirium
That's one of the two bullet points where I can see a reasonable case for
Facebook's side. It's slightly muddied because the app is running _on
Facebook_ where they control it, but I can sort of see an argument for apps'
actions conceptually being actions of the user running them.

I'm somewhat sympathetic to Facebook on the other app-related claim as well,
_"Facebook represented that third-party apps that users installed would have
access only to user information that they needed to operate."_ Yes, Facebook
could've done better on that, but fine-grained security is something nearly
nobody has solved.

~~~
cbr
"nearly nobody"? I might even say "nobody".

------
jellicle
So the penalty for ongoing repeated lies and fraud is....

nothing. Zero. The FTC has investigated, and the settlement is zero money and
zero penalties. Not one dollar. Whew! I'm glad they were punished! They won't
do THAT again!

The U.S. is really in late-stage empire breakdown. I don't think there is any
significant enforcement of any laws whatsoever against companies and people
that are reasonably well connected. The only thing keeping the society from
total breakdown is inertia.

~~~
tokenadult
On what legal basis would you expect a financial penalty for a free,
voluntary-participation online service that did the things that the FTC found
that Facebook did? What does the law on the subject give the FTC authority to
do?

~~~
rhizome
The law has long been castrated on your points. The legal basis would be, of
course, that private information is property, but that one doesn't exist in
this country (yet?).

~~~
tbrownaw
_The legal basis would be, of course, that private information is property,
but that one doesn't exist in this country (yet?)._

Trying to apply rules made for physical items (if I take it you don't have it
any more) to things that act completely differently is a _really_ bad idea.

~~~
rhizome
Humans are smart, they don't have to use the exact same laws. Like I implied,
the laws don't actually exist in the US.

Would it make a difference if I had said "something akin" to personal
information as property? I mean, we're reading this story, so personal
information has currency _in some way_, right? Seems to me that with some
political will that the laws can be nudged further in favor of the user.

------
state_machine
The best part is when you get to the footer and see: "Like the FTC on
Facebook".

~~~
jpdoctor
Utterly inexcusable. Someone (several someones really) at the FTC should lose
their jobs over that.

When O when will we get regulators with some distance from those they are
regulating? (I'm looking at you SEC.)

~~~
MartinCron
Should government agencies who regulate telephone services not use telephones?

~~~
shibboleth
I don't think that's a fair analogy to use. While government regulatory
agencies covering the telecommunication sector may indeed use telephones, they
don't stick a recommendation to use Company A on their website... especially
if they have just given Company A a simple slap on the wrist for an arguably
large grievance. You may (or may not) counter by saying that Facebook is an
entire market in itself that can't be ignored (which it isn't), but after
viewing their Facebook page I see no additional information that I couldn't
simply find on the front page of the FTC's website.

------
sunchild
There is a lot of nonsense legal interpretation in this thread. Did anyone
actually read the settlement?

You commit fraud if you make any intentional deception in order to benefit
yourself, or to harm others. If you intentionally make public commitments that
turn out to be false, and you thereby cause some harm to another person, you
have committed a fraud.

The FTC is empowered to enforce criminal and civil penalties for fraud on
behalf of consumers. From the FTC website: "When the FTC was created in 1914,
its purpose was to prevent unfair methods of competition in commerce as part
of the battle to bust the trusts. Over the years, Congress passed additional
laws giving the agency greater authority to police anticompetitive practices.
In 1938, Congress passed a broad prohibition against unfair and deceptive acts
or practices."

From the FTC's Facebook settlement statement, it's perfectly clear that the
FTC believes that Facebook is guilty of committing widespread and repeated
deceptions in violation of the law.

The settlement itself is tantamount to saying that Facebook has had its last
warning, and is on very thin ice with the FTC.

Feel free to complain about whether such a "penalty" is effective. We won't
really know until the next time Facebook breaks the law.

------
johnnyg
Many have posted to this thread with complaints that boil down to "this is a
slap on the wrist because they are well connected". If you were the FTC, what
would you do to Facebook in this case, how would it be supported in law and
what long term change for the better would your action create?

Privacy is a civil good but it is a fine line to walk indeed to punish an
innovator during a recession. Where's the happy medium?

~~~
1010100101
The problem here is the personal information is being voluntarily given to
Facebook. And the FTC can do nothing about that.

As far as I can tell, most people using FB are trying to communicate with
their friends (as they previously did via letter, telephone and email), not
broadcast every personal detail and thought to potentially any person or
organization connected to the web.

Alas they are not well informed that by sending all their communications
through Zuckerberg's website, this is in effect what they are doing.

That lack of understanding is something the FTC can address.

So to comply with the FTC's requests, FB will make more disclosures.

But the problem remains. FB, whether intentionally or not, is receiving far
too much private information and private conversation, and it's all being
channeled over the web.

~~~
sunchild
Wrong. The FTC said very clearly that it thinks Facebook lured consumers in
under false pretenses. That's punishable by criminal and civil penalties, in
theory. The FTC usually settles these kinds of cases, AFAIK. Sometimes there's
money involved, sometimes not. Anyone who isn't in compliance with their own
published privacy policy should be worried about the FTC; they can (again, in
theory) do serious harm to a business – even one as big as Facebook.

~~~
1010100101
So are you suggesting that despite FB's rather sizeable legal budget and level
of investment they will _still_ not be able to bring themselves into
compliance and stay that way? At least until the IPO. If Facebook even exists
20 years let alone 5 years from now I would be shocked. The data they've
collected will of course probably have an infinite lifetime.

~~~
sunchild
In the US, given that they're not in a regulated industry (except to the
extent they qualify as a site aimed at children), they really only need to
comply with their own stated privacy policies. The question is: will they?

------
gyardley
I never understood why bodies like the FTC rely on 'independent, third-party
audits' for enforcement, since they end up making the entire action pointless.

The independent third-party auditor will give Facebook a stamp of approval,
both in the next 180 days and every two years thereafter, because the
independent third-party auditor wants the repeat business.

Same thing goes for any regulation that depends on a third party, really. I
mean, over the last six years how often is a 409a valuation not to the board's
liking? Somehow, magically, the auditors collect their fees from the company
and then independently deliver an acceptable answer.

Might as well not have the regulations - or just fine the company something
meaningful - instead of engaging in this goofy kabuki theatre.

~~~
JonnieCache
Don't the credit rating agencies work the same way? The companies being rated
pay the agencies, not the companies that want to know the rating.

~~~
chalst
They do. Their value is unclear.

Accountants supposedly are employed by shareholders, but in practice are
employed by executives. This makes auditing problematic, but it does have some
value. The bigger problem there is the big four's oligopoly: they are too big
to fail.

~~~
philwelch
How are the big four all "too big to fail" when not too long ago they were the
big five?

~~~
chalst
See, e.g., the discussion in <http://www.economist.com/node/3984019>

Break-up of the big four has been proposed, I see in this morning's Financial
Times:
<http://www.ft.com/intl/cms/s/0/a4f58dba-1a89-11e1-ae4e-00144feabdc0.html>

------
arthurgibson
Specifically, under the proposed settlement, Facebook is:

"barred from making misrepresentations about the privacy or security of
consumers' personal information;"

Is this implying companies are allowed to lie? Seems redundant.

~~~
johnthedebs
I think what it means is that, in this case, the FTC gets to watch and make
sure Facebook complies. If they don't, they get penalized for it. FTA:

 _The proposed order also contains standard record-keeping provisions to allow
the FTC to monitor compliance with its order._

and then further down:

 _Each violation of such an order may result in a civil penalty of up to
$16,000._

I really hope that's up to $16,000 per person for each violation.

~~~
seiji
The next site-wide privacy snafu will cost $11 trillion dollars.

------
rhizome
This just means that Facebook privacy changes will have the imprimatur of the
FTC from now on, which FB paid for with the airing of a little bit of dirty
laundry.

The fix is in.

------
ThePinion
Okay so question on this one.

\- required to prevent anyone from accessing a user's material more than 30
days after the user has deleted his or her account;

Does this include people that have already deleted their account? Does this
also include Government agencies and such from seeing the >30 day deleted
data? I'd like to know that after permanently deleting my account all my stuff
is gone, but I don't really see anywhere that says that's true. Meaning the
site is still destroying my privacy even after I've decided to have nothing to
do with the account.

------
egyamado
It is our mistake: we made them, and now they sell us as a product
<http://news.ycombinator.com/item?id=3293936>

When I created an account with HN using my Google account via ClickPass, at
one of the screen steps before I granted access to ClickPass, Google advised
me not to grant it, and said that if I did I could cancel it at any time,
which would prevent ClickPass from accessing my account information and my
password.

This warning statement is not new; it's there everywhere when you allow any
application to use your Facebook, Twitter, Google, etc. accounts.

In the meantime, Google Search is nothing without us, because "we are the
product"; they sell (us to third parties or governments) or use our "private
information", or what they told us is private, without approval from us.

Facebook is doing the same thing, and that's why their entire business model
is under fire in the EU.
<http://venturebeat.com/2011/11/28/facebook-advertising-eu/>
Do you remember what happened in 2008 with Google's Evil EULA
(<http://www.theregister.co.uk/2008/09/03/google_chrome_eula_sucks/>)?

Now, do we, "the product", still have any privacy? Are we safe? How far can
we trust those businesses?

Should we keep using their services, and later complain about how evil their
Terms and Conditions or EULA are???

------
rmc
I wonder how this settlement compares to EU Data Protection Law. Is it
possible FB could abide by FTC rules and still be outside EU rules? Will FB
use this "We're OK by the FTC now!" as a claim to be not so bad in the EU?

~~~
kmfrk
I think it would be too much of a mess to manage, really. Even Canadian
consumer protection laws have shaped Facebook's privacy policy.

------
ktrgardiner
> Obtain periodic assessments of its privacy practices by independent,
> third-party auditors for the next 20 years.

This is assuming Facebook will be around in 20 years.

~~~
tokenadult
_This is assuming Facebook will be around in 20 years._

This binds successor corporations operating Facebook's business and thus
changes the potential value of Facebook as an acquisition target (and thus as
a retail investment choice when it becomes publicly traded).

------
veyron
I am strangely reminded of that episode in 30 Rock where Tracy realizes he can
just pay a fine to make obscene comments and do obscene things on TV ...

------
Igor_Bratnikov
So is Google, for Google Buzz. The capability of the FTC to monitor and/or do
more than a slap on the wrist is nonexistent.

The monitoring is Facebook telling the FTC - we are all cool over here bro -
and the FTC taking them at their word.

------
dreamdu5t
Privacy policies aren't binding contracts or agreements. They're just stated
policies.

Why do people treat them like contracts?

~~~
_delirium
Contracts are a pretty gray area. In a lot of contexts, a handshake agreement
or email exchange, if documented well enough, can constitute a binding,
legally enforceable contract. It doesn't have to be on a paper saying OFFICIAL
CONTRACT with signatures at the bottom.

------
dreamdu5t
You know... people could just take responsibility for sharing their private
information. If they don't think a website "privacy policy" is enough of an
assurance, it is their fault for accepting that risk.

FB should not be blamed for sharing information that others freely share with
FB. It's ridiculous. It's even more ridiculous to think that government
regulation is somehow needed to protect privacy. How absurd.

"I keep using this service and they don't do what I want! But I keep sharing
my information with them."

Come on. At a certain point, individuals need to accept that THEY maintain a
relationship with FB as well.

~~~
sp332
I gave my info to FB and they promised to only share it with certain people.
Then they made that info publicly available. That's a breach of trust, and
possibly criminal.

