Why the FTC is taking a new look at Facebook privacy

US federal regulators are now taking a hard look at how Facebook is handling the personal information of its users amid allegations of improper data sharing.

New York

AFTER a year-long string of news reports that have called Facebook's data-sharing practices into question, US federal regulators are taking a hard look at how the social media company handles the personal information of its users.

It is not the first time Facebook has drawn government scrutiny. About seven years ago, after charges were levelled by the Federal Trade Commission (FTC), the company made an agreement with the agency to overhaul its privacy practices. That agreement, called a consent decree, provides a roadmap for how the FTC is likely to scrutinise Facebook over the coming months.

Why did the FTC accuse Facebook of deceptive privacy practices in the first place?

In 2007, Facebook introduced Facebook Beacon, a program that broadcast details on users' online purchases to their friends, initially allowing users to opt out of sharing their purchases only on a case-by-case basis. Facebook's chief executive, Mark Zuckerberg, apologised with what an article in The New York Times described as a "symphony of contrition". In a Facebook post that year, he wrote: "I'm not proud of the way we've handled this situation and I know we can do better."

At the end of 2009, a coalition of non-profit consumer and privacy groups, led by the Electronic Privacy Information Center, petitioned the FTC to investigate Facebook's handling of user data. The groups filed a complaint, saying Facebook had repeatedly disregarded users' expectations and diminished their privacy. The complaint argued that the company had violated a federal law prohibiting unfair and deceptive business practices. In 2011, the FTC filed charges against Facebook that said the company had deceived consumers about their privacy.

What were the FTC's charges against Facebook?

The FTC's complaint charged Facebook with a number of deceptive privacy practices. Among them:

  • Facebook shared users' personal details with advertisers even though the company had promised not to do so, the agency said.
  • Facebook allowed third-party apps that users had installed to have access to nearly all their personal data - even though Facebook had stated the apps could obtain only the personal information they needed to operate, the agency said.
  • The agency said that in 2009 Facebook changed its information-handling practices, making certain personal details - such as users' friends lists - public, overriding the choices of people who wanted to keep that data private. The policy change, the FTC's complaint said, exposed users' profile information, including "potentially controversial political views or other sensitive information", to third parties.
  • The agency said Facebook claimed it certified the security practices of apps participating in its "Verified Apps program", but the company did not do so.

What did the FTC require Facebook to do?

In November 2011, Facebook agreed to settle complaints that it had deceived consumers by "telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public", the FTC said in a statement at the time.

The agreement, which became final in 2012, prohibited Facebook from misleading consumers about their data privacy and security. The social network committed to getting the explicit consent of users before making changes that overrode their privacy preferences.

The agency ordered Facebook to put a comprehensive privacy program in place to protect the privacy and confidentiality of users' information and to manage the risks of existing and new products. It also required Facebook over the next 20 years to undergo biennial audits by an independent third party to certify the privacy program was properly protecting the information of the company's users.

Why is the federal consent agreement relevant now?

In March 2018, The New York Times reported that a voter-profiling company, Cambridge Analytica, had harvested the personal data of millions of Facebook users without their knowledge or permission. The voter-profiling company obtained the data from a researcher who had offered a personality survey app on Facebook.

Although only about 270,000 Facebook users agreed to share their data to participate in the survey, the Facebook platform enabled the app to improperly harvest the personal details of millions of those users' friends - consumers who had not agreed to share their information with the survey app, The Times reported.

Privacy experts, law professors and at least one former FTC official have argued that Facebook's failure to prevent the survey app from obtaining the data of users' friends violated the federal consent agreement. So did Facebook's failure to prevent the app developer from sharing both users' data and the data of users' friends with Cambridge Analytica, these critics said.

They said the Cambridge Analytica episode suggested that Facebook had failed to adequately conduct the risk assessments the agreement required it to do. It also failed to obtain required, explicit consent from users' friends for the sharing of their data with third parties, the privacy experts said.

They also argued that Facebook had failed to operate a comprehensive privacy protection program and take reasonable precautions - steps the company was obligated to take under the consent decree.

"The consent decree requires Facebook to always be vigilant to possible privacy problems and try to solve them," said David Vladeck, a professor at Georgetown Law and a former director of consumer protection at the FTC who oversaw the investigation that led to the consent decree. "Cambridge Analytica made clear that Facebook was not auditing third-party apps."

On Mar 26, the FTC said it was conducting an investigation into Facebook's privacy practices. An agency spokeswoman declined to comment on the progress of the investigation.

What does Facebook say?

Facebook said it had developed a privacy program as required by federal regulators and it had not violated the consent decree.

"We are transparent with people about how we use their information and respect people's privacy settings," said Sally Aldous, a Facebook spokeswoman. "We have a privacy program, which ensures we protect people's information, which we continuously evolve to address the privacy risks of our products and services."

Ms Aldous said the company's privacy program involved more than three dozen control mechanisms - including a privacy governance team and security teams that "ensure privacy risks for product launches and major changes are identified, discussed and escalated for decisions when necessary".

Facebook said it disagreed with The Times' characterisation of its sharing of user data with Amazon, Apple, Blackberry, Microsoft, Samsung, Yahoo and other companies. The social network said device-makers used information from Facebook to integrate certain Facebook features on their platforms and agreed not to use that information for their own purposes. The company also said Spotify and other third-party apps had access to users' Facebook data only after users signed in with their Facebook account in the third-party apps. NYTIMES