Facebook agrees to FTC security audits after it 'deceived customers'
Leading social networking service Facebook has agreed to settle with the Federal Trade Commission (FTC) on charges that its privacy settings were deceptive to customers, and that it made privacy promises that it didn't keep.
The FTC's original complaint against Facebook cites eight different cases where Facebook "made promises it didn't keep." These were: deceptive privacy settings, unfair and deceptive privacy changes in 2009, misleading scope of platform applications' access to user information, disclosure of user information to advertisers, deceptive verified apps program, contrary or improper disclosures about retention of user photos and videos, and improper compliance with the US-EU Safe Harbor Framework.
In the settlement, Facebook will be required to obtain consumers' express consent before enacting any changes that override their privacy settings; make all user content totally inaccessible within 30 days of account deletion; establish and maintain a comprehensive privacy program designed to address privacy risks of any new services; and enact mandatory third-party privacy audits every two years for the next twenty years that ensure Facebook is living up to the FTC's privacy guidelines.
Facebook CEO Mark Zuckerberg discussed the settlement in a blog posting on Facebook Tuesday evening, diminishing some of the claims, and expounding on others.
"Even before the agreement announced by the FTC today, Facebook had already proactively addressed many of the concerns the FTC raised," Zuckerberg said. "For example, their complaint to us mentioned our Verified Apps Program, which we canceled almost two years ago in December 2009. The same complaint also mentions cases where advertisers inadvertently received the ID numbers of some users in referrer URLs. We fixed that problem over a year ago in May 2010."
With regard to the mandatory security audits, Zuckerberg announced the creation of two new jobs within the Facebook executive nucleus: Chief Privacy Officer of Policy, and Chief Privacy Officer of Products. These posts will be filled by data security lawyer Erin Egan and Facebook's Chief Privacy Counsel Michael Richter.
"Today's announcement formalizes our commitment to providing you with control over your privacy and sharing -- and it also provides protection to ensure that your information is only shared in the way you intend," Zuckerberg said. "As the founder and CEO of Facebook, I look forward to working with the Commission as we implement this agreement. It is my hope that this agreement makes it clear that Facebook is the leader when it comes to offering people control over the information they share online."