Facebook reaches privacy settlement

Facebook has agreed to settle with the Federal Trade Commission (FTC) on charges that it deceived consumers.

According to the FTC, the proposed settlement will require the social network to “live up to its promises in the future” by giving users clear notice and obtaining users' express consent before their information is shared beyond their privacy preferences.

Facebook founder and CEO Mark Zuckerberg posted a lengthy blog on the subject yesterday, in which he acknowledged the mistakes made by Facebook and pledged to make the site the leader in transparency and control around privacy.

Zuckerberg says: “Overall, I think we have a good history of providing transparency and control over who can see your information.

“That said, I'm the first to admit that we've made a bunch of mistakes. In particular, I think that a small number of high-profile mistakes, like Beacon four years ago, and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done.”

Zuckerberg adds that he understands people are “just naturally sceptical” of sharing personal information online.

“Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected. It's important for people to think about this, and not one day goes by when I don't think about what it means for us to be the stewards of this community and their trust.”

According to Zuckerberg, Facebook has always been committed to transparency and providing tools for users to control what they share.

“But we can also always do better. I'm committed to making Facebook the leader in transparency and control around privacy.”

Facebook faced an eight-charge complaint from the FTC, which listed instances in which the service allegedly violated user trust and privacy.

“They didn't warn users that this change was coming, or get their approval in advance,” says the FTC.

Another claim against Facebook states the site deceived users by saying third-party apps would have access only to limited user information needed to operate. The FTC, however, notes that the apps could access nearly all of users' personal data.

Facebook is also alleged to have told users that its “Verified Apps” programme certified the security of the participating apps when it actually didn't.

The FTC also adds: “Facebook promised users that it would not share their personal information with advertisers. It did. Facebook claimed that it complied with the US-EU Safe Harbour Framework that governs data transfer between the US and the European Union. It didn't.”

The settlement bars Facebook from making what the FTC calls “any further deceptive privacy claims” and requires the social network to obtain periodic assessments of its privacy practices by independent auditors for the next 20 years.

Another key requirement is that Facebook will have to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences.

Zuckerberg says the agreement with the FTC means the social network is “making a clear and formal long-term commitment to do the things we've always tried to do and planned to keep doing”.

Going on the defensive, Zuckerberg highlights FTC concerns that had already been addressed.

“For example, their complaint to us mentioned our Verified Apps programme, which we cancelled almost two years ago in December 2009. The same complaint also mentions cases where advertisers inadvertently received the ID numbers of some users in referrer URLs. We fixed that problem over a year ago, in May 2010.”

Zuckerberg, however, says his company has embraced the recommended improvements to its internal processes.

“We will establish a biannual independent audit of our privacy practices to ensure we're living up to the commitments we make.”

Zuckerberg also announced the creation of two new corporate positions within the company: a chief privacy officer for policy and another one for product.

The new chief privacy officer for policy is Erin Egan who is partner and co-chairman of international law firm Covington & Burling, while chief privacy officer for products will be Michael Richter, Facebook's former chief privacy counsel.

“These two positions will further strengthen the processes that ensure that privacy control is built into our products and policies,” says Zuckerberg.

“As the founder and CEO of Facebook, I look forward to working with the commission as we implement this agreement. It is my hope that this agreement makes it clear that Facebook is the leader when it comes to offering people control over the information they share online.”

Reuters quotes FTC chairman Jon Leibowitz: "Nothing in this order will restrict Facebook's ability to innovate. But Facebook's innovation does not have to come at the expense of consumer privacy."

The settlement with Facebook follows a similar agreement between the FTC and Google over its controversial rollout of Google Buzz.

Leading up to the announcement of the Facebook settlement, new media lawyer, Paul Jacobson, commented: “The settlement will still allow Facebook to introduce new products and services going forward, which may require particular sharing settings, and obtain your consent to those changes in some way. That may simply take the form of a consent in future versions of Facebook's privacy policy.”

Jacobson, however, notes the focus of the settlement remains on retroactive changes and won't determine how content may be shared going forward.

“This remains users' responsibility,” says Jacobson. “Users simply must familiarise themselves with Facebook's privacy controls and make informed choices about what they share and with whom.

“Facebook's privacy controls and its data use policy have improved dramatically in the last four to five years. Facebook's deal with the FTC should firmly place control over users' profile information more in their hands than they have experienced in the past and that is a win for users.”

Facebook's proposed changes to comply with the FTC will now go into a public comment period, and are expected to be accepted and finalised by the FTC early next year. The full list of requirements and statement from the FTC can be seen here.