- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn't warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data – data the apps didn't need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a "Verified Apps" program & claimed it certified the security of participating apps. It didn't.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn't.
Nothing came of it besides an unwanted "please call me" message from him, but it's not a far reach from there to actually being located physically and confronted. We sent this man to jail and changed our names to keep away from him, and Facebook, in spite of their "privacy" settings, let him get a glimpse back into our lives.
Privacy/ethics issues aside, from a pure developer standpoint, isn't this just a feature? Where do we draw the line between functionality and privacy?
User A allows user B to see her data via "Friends only." User B runs app X, whose functionality includes interacting with friends. Let's say it shows on a map where each of your friends lives. App X can see the said data for the purposes of providing functionality.
Yes, I know that by strict definition this conflicts with "friends only." You now have "friends and the application executable code only." But how is this different from, say, Gmail auto-scanning my e-mail to show ads? Is it because I trust Google and don't trust $random_fb_app_developer?
Likely one concern is that this third-party developer can disrespect (or actually, not even know about) that "friends only" setting and inadvertently make the data visible to other parties.
(Disclaimer: Don't get me wrong, I loathe/distrust most FB apps as much as the next person. Just trying to think from an honest developer's shoes here.)
I'm somewhat sympathetic to Facebook on the other app-related claim as well, "Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate." Yes, Facebook could've done better on that, but fine-grained security is something nearly nobody has solved.
This is a reasonable question. Where I personally would draw the line is, "functionality" implies to me that the app would only access user info when it needs to do so for some FUNCTIONAL purpose. If the app does not need the data and is not doing anything legitimate with it, then obviously, the user's privacy should be respected and said info should not be accessed.
They've just been found, in a formal investigation, to have broken numerous fundamental privacy laws across several continents, and been punished with... absolutely nothing, as far as I can tell.
All this has done is teach them that they are above the law and should feel free to continue doing whatever they like without regard to the consequences for the hundreds of millions of real people who are counting on them to behave responsibly.
Face-palm. That's an oxymoron by definition.
Privacy is more important than a lot of shallow people imagine.
nothing. Zero. The FTC has investigated, and the settlement is zero money and zero penalties. Not one dollar. Whew! I'm glad they were punished! They won't do THAT again!
The U.S. is really in late-stage empire breakdown. I don't think there is any significant enforcement of any laws whatsoever against companies and people that are reasonably well connected. The only thing keeping the society from total breakdown is inertia.
When O when will we get regulators with some distance from those they are regulating? (I'm looking at you SEC.)
Also, they settled and all is good between the FTC and Facebook.
Oh, that's an easy one.
You commit fraud if you make any intentional deception in order to benefit yourself, or to harm others. If you intentionally make public commitments that turn out to be false, and you thereby cause some harm to another person, you have committed a fraud.
The FTC is empowered to enforce criminal and civil penalties for fraud on behalf of consumers. From the FTC website: "When the FTC was created in 1914, its purpose was to prevent unfair methods of competition in commerce as part of the battle to bust the trusts. Over the years, Congress passed additional laws giving the agency greater authority to police anticompetitive practices. In 1938, Congress passed a broad prohibition against unfair and deceptive acts or practices."
From the FTC's Facebook settlement statement, it's perfectly clear that the FTC believes that Facebook is guilty of committing widespread and repeated deceptions in violation of the law.
The settlement itself is tantamount to saying that Facebook has had its last warning, and is on very thin ice with the FTC.
Feel free to complain about whether such a "penalty" is effective. We won't really know until the next time Facebook breaks the law.
Privacy is a civil good but it is a fine line to walk indeed to punish an innovator during a recession. Where's the happy medium?
The independent third-party auditor will give Facebook a stamp of approval, both in the next 180 days and every two years thereafter, because the independent third-party auditor wants the repeat business.
Same thing goes for any regulation that depends on a third party, really. I mean, over the last six years how often is a 409a valuation not to the board's liking? Somehow, magically, the auditors collect their fees from the company and then independently deliver an acceptable answer.
Might as well not have the regulations - or just fine the company something meaningful - instead of engaging in this goofy kabuki theatre.
Accountants supposedly are employed by shareholders, but in practice are employed by executives. This makes auditing problematic, but it does have some value. The bigger problem there is the big four's oligopoly: they are too big to fail.
Not saying it is good or bad (kind of depends on who the contracting company is), but it is very common and pretty much standard business for the government.
"barred from making misrepresentations about the privacy or security of consumers' personal information;"
Is this implying companies are allowed to lie? Seems redundant.
The proposed order also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order.
and then further down:
Each violation of such an order may result in a civil penalty of up to $16,000.
I really hope that's up to $16,000 per person for each violation.
The fix is in.
- required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
Does this include people that have already deleted their account? Does this also include Government agencies and such from seeing the >30 day deleted data? I'd like to know that after permanently deleting my account all my stuff is gone, but I don't really see anywhere that says that's true. Meaning the site is still destroying my privacy even after I've decided to have nothing to do with the account.
When I created an account with HN using my Google account via ClickPass, on one of the screens before I granted access to ClickPass, Google advised me not to grant it, and said that if I did, I could cancel it at any time, which would prevent ClickPass from accessing my account information and my password.
This warning statement is not new; it’s there everywhere when you grant any application access to your Facebook, Twitter, Google, etc. accounts.
In the meantime, Google Search is nothing without us, because "we are the product": they sell (us to third parties or governments) or use our "private information", or what they told us is private, without approval from us.
Facebook is doing the same thing, and that’s why their entire business model is under fire in the EU. http://venturebeat.com/2011/11/28/facebook-advertising-eu/ Do you remember what happened in 2008 with Google’s Evil EULA (http://www.theregister.co.uk/2008/09/03/google_chrome_eula_s...)?
Now, do we, "the product", still have any privacy? Are we safe? How far can we trust those businesses?
Should we keep using their services; and later complain about how evil their Terms and conditions or EULA are???
This is assuming Facebook will be around in 20 years.
This binds successor corporations operating Facebook's business and thus changes the potential value of Facebook as an acquisition target (and thus as a retail investment choice when it becomes publicly traded).
The monitoring is Facebook telling the FTC "we are all cool over here, bro" and the FTC taking them at their word.
Why do people treat them like contracts?
In Europe, however, privacy policies play a significant legal role in terms of complying with privacy and data protection legislation.
Facebook has its international HQ in Europe and deals with personal data about EU citizens, and is thus subject to EU rules as well as US ones.
FB should not be blamed for sharing information that others freely share with FB. It's ridiculous. It's even more ridiculous to think that government regulation is somehow needed to protect privacy. How absurd.
"I keep using this service and they don't do what I want! But I keep sharing my information with them."
Come on. At a certain point, individuals need to accept that THEY maintain a relationship with FB as well.
Your bank should not be blamed for sharing information that you freely share with your bank?
Your doctor should not be blamed for sharing information that you freely share with your doctor?
Law enforcement should not be blamed for sharing information that you freely share with law enforcement?
Perhaps the problem isn't that there's no one to watch the watchmen, but that we're over-reliant on watchmen.
You don't need the FTC to keep Facebook from sharing your private information.
I'm not saying Facebook did nothing wrong, and I'm not saying the FTC is doing nothing wrong now. I'm saying that none of it matters if you delete your own account.
You don't need to worry about who's watching the watchmen when you watch out for yourself. (Can anyone translate that to Latin?)
"Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful."
The FTC exists to enforce that. Now, it's fashionable nowadays for the ill-informed to insist that government is worthless, but in fact this law and similar ones underlie every aspect of American society and you owe everything you have to their existence. Without government anti-fraud efforts, commerce does not exist, full stop.
Private enterprise are the applications. Government is the operating system.
But let's take another look at your point: your argument is that I should right now go and delete my account a couple years ago because I know today that Facebook was lying a couple years ago. For everyone who has a time machine, that is a good remedy - it will solve the problem for those people admirably. For those that don't, we need effective government enforcement of anti-fraud laws.
Noli loqui et non servant custodibus
or "Watch your mouth instead of the watchmen".
I guess this was a very complex way of disagreeing with you that "none of it matters".
The FTC is empowered to enforce that with a variety of penalties, including extensive fines.
I know, society is breaking down, kids are getting more disrespectful, things are more expensive, the end of the world is upon us, etc :) You taking your lifetime to come to a realization about the state of the world does not make the realization less true before you had it. It's a memory glitch. Jump back 100 years, it's the same shit.
Yep. Jump back 100 years, and you're in the breakdown of the British empire. And look what we became, a pointless, miserable lame-duck nation utterly yoked to the next empire that rose after us, the USA.
Now you guys are gonna be yoked to the next empire, China.
Have fun with that!
I'll maybe catch you on a beach in Brazil, where hopefully things will be cool. Fingers crossed.
In this day and age I think we can let it slide.
Just a guess.
Mind you, I'm not arguing for a lack of regulation. Rather, that this is what much regulation seems to be reduced to, these days. Sadly.
The fact that there was, according to you, no binding contract, has no bearing on the question of whether they lied or not. They did lie. Case closed.
Your comment confuses basic contract legal principles with privacy rules. This isn't a contract matter; it's a matter of public policy.
You can get started learning why here: http://business.ftc.gov/legal-resources/29/35
If I tell you I'll pick you up at 6 and have no intention of doing it, that's a lie. It's not illegal but it is a lie.
This is not even close to a fine line. The fact that Facebook may be an innovator or the fact that we may be in a recession have nothing to do with their legal responsibilities to their users. If they have violated those responsibilities they should be punished appropriately regardless of the current economic situation, and them being an "innovator" is totally irrelevant. Should we allow innovative companies to dump toxic waste or employ racist hiring policies, for example?
My happy medium, based on my own sense of justice: give Facebook a year to implement systems that actually protect users' privacy (what that would entail is yet another discussion). If they don't comply, hit them with a hefty fine. We get our privacy, Facebook gets to keep its money - some of which was earned by neglecting our privacy.
Opt-outs should be a privilege that is lost when you repeatedly and intentionally violate federal law.
Or Google, Apple, Twitter, Microsoft, Adobe, and thousands of smaller companies who data mine user accounts and change terms of service every day.
I used to have a subscription to The Economist. Recently I purchased an issue at Kroger. Two weeks later a special subscription offer appears in my mailbox - the first marketing material they have sent in at least three years.
What Facebook did is the bread and butter of today's business - even if it sucks.
As far as I can tell, most people using FB are trying to communicate with their friends (as they previously did via letter, telephone and email), not broadcast every personal detail and thought to potentially any person or organization connected to the web.
Alas they are not well informed that by sending all their communications through Zuckerberg's website, this is in effect what they are doing.
That lack of understanding is something the FTC can address.
So to comply with the FTC's requests, FB will make more disclosures.
But the problem remains. FB, whether intentionally or not, is receiving far too much private information and private conversation, and it's all being channeled over the web.
The value Facebook gets from the data is _sharing_ it with others: advertisers, various organisations devoted to catching bad guys, app developers, etc. It is not "private" by any stretch of the imagination.
Even if they purport to restrict access to a profile to certain users, a determined hacker can get around that.
This is a company that is trying to get into your email inbox at every possible opportunity. The concepts of "Facebook" and "privacy" are irreconcilable in my view. Even regardless of their ethics, there is an underlying architectural problem.
The successor to Facebook, which will offer real privacy, not the imaginary kind FB is pitching, will not be another centralised public website.
Have fun scrolling through your entire FB history to update permissions!
And further that users have been, at least on some level, aware of it.
I was on Facebook when they first implemented the news feed and got everyone upset. They've since introduced dozens of features that have gotten everyone upset (or at least a sizable enough minority to be noticeable). They make it clear that ads are targeted based on your personal information. They make privacy settings complicated. They continuously push you to supply more information, connect with more people, use Facebook for more things. They continuously make more things public by default, and add more features that make personal information discoverable (such as tagging in images).
If they weren't suspicious, they wouldn't have been investigated in the first place.
I'm not talking about a time machine. But let me observe a few things:
- I deleted my account a year ago (and knew I wanted to before that) without the FTC investigating anything. Because Facebook was clearly suspicious.
- You still have an account today even though you know about Facebook's lies today. You don't need a time machine to make changes today.
My argument is this:
Fraud protection is extremely important. There are many cases where there is no suspicion of fraud, no source of information about possible fraud, and consumers get taken advantage of. For example, people get taken advantage of by phishing every day.
But if you fall victim to increasingly bad phishing attacks from the same company over the course of years, you aren't paying attention. You are relying on watchmen to protect you and not watching out for yourself.
I am not blaming the victim. I am trying to empower the victim. Everyone who is reading this and still has a Facebook account knows that Facebook will outright lie about privacy in order to make more money from advertisers. They are still guilty of their actions if you get fooled again, but you don't have to get fooled again.
My argument is "Fool me once, shame on you; fool me twice, shame on me."
You're off by several decades and two world wars. The British Empire was in full bloom in 1911, and there was little unrest in any of its colonies, never mind at home.
The FTC's presence in FB's business decisions will only lend an air of legitimacy to what would otherwise cause problems with their users, and transforms FB's business model from "users are dumb fucks" to "Mom said I could."
Why do people insist on inventing wacky conspiracy theories when the scam is right there in front of them?
Break-up of the big four has been proposed, I see in this morning's Financial Times: http://www.ft.com/intl/cms/s/0/a4f58dba-1a89-11e1-ae4e-00144...
"Quis custodiet ipsos custodes? is a Latin phrase traditionally attributed to the Roman poet Juvenal from his Satires (Satire VI, lines 347–8), which is literally translated as "Who will guard the guards themselves?" Also sometimes rendered as "Who watches the watchmen?""
Trying to apply rules made for physical items (if I take it you don't have it any more) to things that act completely differently is a really bad idea.
Would it make a difference if I had said "something akin" to personal information as property? I mean, we're reading this story, so personal information has currency in some way, right? Seems to me that with some political will that the laws can be nudged further in favor of the user.
Unless you're going to argue that you own anything you happen to know, even after other people know it? Unless you're going to argue that a posted policy on a free website constitutes a binding agreement?
If that was true in all cases, the story we're commenting on wouldn't exist.
Facebook "lies" like Subway "lies" about losing weight by eating there.
You're omitting the fact that Facebook has always stated they may change what they do with your information in the future.
You didn't mention fraud, and I made no comment on fraud. I said they lied. They did.
As for the clumsy smokescreen analogy about Subway, allow me to point out the obvious:
Facebook made promises to users about how FACEBOOK would handle the personal property of said users. These are concrete, easily-definable promises...the kind which are easy to analyze to see if the promise was kept.
It wasn't kept. Furthermore, as the FTC documented in plain English, there was a pattern of behavior, over and over again, that shows any reasonable person that not only did Facebook lie, they lied with prior intent. They never had any intention of keeping those promises and they broke them in the most egregious ways possible.
By contrast, when Subway implies that customers can lose weight by eating certain foods there, they are, obviously, making no promises about how Subway will behave in the future, except an implied promise to be honest about how many calories are in their food (required by law), and to provide some lo-cal options (which they do).
Really bad analogy, in every way.
Yeah, but lying to people isn't a crime. Defrauding them is, but lies and fraud are quite different things.
Yes, but Facebook disclosed personal information which people expected to remain private. Your Subway analogy doesn't cut it because Subway is trusted to disclose information, whereas Facebook is trusted to enclose it.
Even if you accept it was a lie, it's not fraud.
From the dictionary:
"Fraud: Wrongful or criminal deception intended to result in financial or personal gain."
From the FTC report:
"Facebook promised users that it would not share their personal information with advertisers. It did."
If that isn't fraud, I don't know what is.
Fortunately, the law in many countries does not permit such one-sided terms.
Jared Fogle did lose weight eating at Subway.
Then the kids get older and decide "no secrets for anybody!" What's the harm in sharing your life? It's a net win. If you see James got a new turbo jet ski, won't you want to work harder to get one too? Sharing can save the world.
We can't seem to imagine a time when maybe you wanted to keep a secret. Maybe you're helping someone to not be found. Maybe you're helping someone through a bad time in their life. Then, with a profit-oriented privacy change, you end up in the parent's situation.
The world view of the people in charge isn't aligned with "normal." We'll see PR and lip service press releases, but steamrolling over normal people will continue.
Just knowing that your kid is enrolled at Le Rosey signals to a criminal that she is worth kidnapping... and the last status update shows her headed to Ibiza for spring break. In contrast, nobody cares if another poor kid "likes" Justin Bieber. Over-sharing seems a lot riskier for the rich (and famous.) It would be interesting to read the article you mentioned. It's hard to imagine an argument that the rich are not more concerned with privacy than regular people.
The only significant kidnapping in the US is drug-related (in Phoenix) or husbands kidnapping their own children from estranged wives: http://www.latimes.com/news/nationworld/world/latinamerica/l...
But then, looking at things like Protect-IP and SOPA, perhaps the regulatory answer is to just do away with privacy altogether.
I doubt that.