Facebook shared user IDs with advertisers, allowing them to tie Facebook data to information gleaned about users on other sites, according to the Federal Trade Commission, which unveiled a privacy settlement with the company yesterday.
The FTC order calls for audits of Facebook's privacy program for the next 20 years, and requires the company to obtain express affirmative consent from users before altering their privacy preferences in the future. Meanwhile Facebook has created two new privacy roles, suggesting a strengthened commitment to right its past privacy wrongs. Yet, following the FTC announcement, congressional privacy hawks almost immediately swooped in, calling for passage of privacy legislation and continued federal scrutiny of Facebook's privacy practices.
The FTC claimed Facebook shared user IDs with third parties including advertisers, allowing them to combine other data about people with ad interaction data. The agency alleges the data sharing with advertisers occurred between September 2008 and May 2010, according to Maneesha Mithal, associate director of the FTC's Division of Privacy and Identity Protection. She noted the FTC only alleges that Facebook engaged in "deceptive and unfair" practices, not that it had knowledge of the data sharing.
The settlement "sends a strong message throughout the world and throughout cyberspace," said FTC Chairman Jon Liebowitz. "It also signals the FTC will use every tool at our disposal...to make sure that every company treats users' privacy with care and respect."
In a statement regarding the settlement, the commission noted, "Facebook told users they could restrict sharing of data to limited audiences - for example with 'Friends Only.' In fact, selecting 'Friends Only' did not prevent their information from being shared with third-party applications their friends used."
Facebook CEO Mark Zuckerberg acknowledged his company's privacy failings."I'm the first to admit that we've made a bunch of mistakes," he wrote in a blog post yesterday. "In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done."
In his lengthy post, Zuckerberg said his firm has created two new positions within Facebook to "further strengthen the processes that ensure that privacy control is built into our products and policies." Erin Egan, formerly a partner in the global privacy and data security practice of law firm Covington and Burling, joined as chief privacy officer, policy. Michael Richter, Facebook's current chief privacy counsel, is set to fill the new chief privacy officer, products, role.
In addition to the data sharing allegations, the FTC claims Facebook failed to notify users when previously private information – such as Friends Lists – were made public. The agency also said Facebook allowed access to content such as photos and videos from deactivated or deleted accounts. The FTC does not have the authority to fine Facebook for the alleged violations, which according to Liebowitz, "have stopped." However, if Facebook violates the requirements of the settlement, it will be subject to fines.
Federal legislators quickly reacted to the news. "I remain alarmed by a continuing pattern of privacy and security problems at Facebook," said Rep. Ed Markey of Massachusetts, in a statement regarding the settlement. Markey and his co-chair of the House Privacy Caucus, Rep. Joe Barton of Texas, have sent Facebook and other digital media firms numerous inquiries about privacy and data security practices, and co-sponsored the Do Not Track Kids Act of 2011, which sits in legislative limbo along with a host of other House and Senate privacy bills introduced this year.
Senator Jay Rockefeller called the settlement "just the first step toward protecting consumer privacy," in a statement. In early May, the Senate Commerce Committee Chairman introduced his Do-Not-Track Online Act of 2011. "Ultimately, I believe legislation is needed that empowers consumers to protect their personal information from companies surreptitiously collecting and using that personal information for profit," he continued in his statement.
Meanwhile, Senator John Kerry, who introduced his own privacy bill along with Senator John McCain in April, called the settlement an FTC success, noting, "These priorities are consistent with what Senator McCain and I had in mind when we introduced our Internet Privacy Bill of Rights."