Facebook Fined $5 Billion for Deceiving Its Users

The Federal Trade Commission (FTC) has fined Facebook $5 billion for “deceiving users about their ability to control the privacy of their personal information.” With dollar numbers in the billions and trillions being casually tossed about these days, it’s hard to assess just how serious a penalty Facebook paid. The FTC, however, points out that this is “one of the largest penalties ever assessed by the U.S. government for any violation.” Here is a chart the FTC gives to graphically show just what this number means.

[Image: chart from the FTC]

In other words, the FTC concluded that Facebook did something really bad. So what was it?

“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC Chairman Joe Simons. The FTC also mandated a complete change in Facebook’s privacy policy throughout its hierarchy. To put it in simple terms, the FTC felt that Facebook liked to talk about protecting its users’ privacy but really didn’t do much, and in some cases, they were, frankly, misleading their users. Although Facebook makes around $60 billion a year in profits, this fine constitutes a financial penalty that still hurts. But it’s not only the fine; the decision deals yet another blow to Facebook’s already shaky reputation. In addition, the ruling comes with new privacy guidelines that will lead to a loss of control over what Facebook can do from now on.

The FTC sapped the company’s power from Mark Zuckerberg on down when they required the establishment of a more or less independent committee to watch for privacy violations. This committee will be monitored by compliance officers who can only be removed by the privacy committee and not by Facebook management. These officers must make quarterly reports to the FTC. If, during their tenure, these officers allow Facebook to operate outside of FTC guidelines, they will be subject to criminal prosecution. The new privacy guidelines also apply to Facebook offshoots, WhatsApp, Instagram, and any new apps the company may develop. Facebook must also make an official report to the FTC any time that 500 or more of its users are compromised by a breach.

Here are a few other actions Facebook must take to attain compliance, some of which users have been asking for for years.

  • In the past, Facebook claimed that the telephone number you provided for two-factor authentication (2FA) would never be used for advertising purposes. That was a lie. Now, however, Facebook can no longer do this.
  • Facebook must get explicit user consent before it uses any facial recognition technology, or when they change the way they use this technology.
  • “Facebook must establish, implement, and maintain a comprehensive data security program.” This seems a little vague to me. Facebook could easily say that’s what they’ve been doing all along.
  • “Facebook must encrypt user passwords.” Does this mean they weren’t doing this? Apparently, they weren’t because the report goes on to say that Facebook must scan their network to see if any passwords are being stored in plain text. The point here is that any passwords stored in plain text are immediately usable if discovered by hackers.
  • Another regulation confuses me. It says that “Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.” I haven’t signed up for Facebook recently, but what other service’s passwords were they asking for? From my point of view, this seems like something you’d see in a phishing attack.

This is not the first time the FTC has tried to regulate Facebook. Back in 2012, it attempted to curb some of Facebook’s business practices that it found to be unethical. Ethics aside, shortly after the 2012 ruling, Facebook began selling the data of a user’s Facebook Friends even when those friends had signed up for a strict privacy policy. Facebook would present this agreement in the form of a permissions pop-up.

[Image: app permissions pop-up]

But it gets worse. Hidden in its privacy settings, Facebook disclosed that any information shared with friends, or that friends shared with you, could also be shared with any app used by that friend. In other words, the app had access to vast amounts of data. Facebook would then share (sell) the friend’s data with third parties, usually database marketers. Here’s what that permissions page looked like. It was not easy to find. The only difference between the Facebook version and the image below is that Facebook, by default, checked all of the boxes except “Religious and political views” and “Interested in.”

[Image: “Apps others use” permissions page]

I especially like the line that indicates your friends would be happy to share their personal information because it would make “their experience better and more social.” Yeah, why wouldn’t I want to help out my friends?

The FTC complaint expands on what information was being shared. Here’s the complete list.

[Image: list of shared information from the FTC complaint]

Such a wealth of data would be a goldmine to marketers.

And so it was. This deceptive tactic enabled Cambridge Analytica to harvest, analyze, and sell the data of 87 million Facebook users. The page above was finally removed in 2018, though it still appears in grayed-out form to this day.

The commission also found that Facebook would inadequately vet apps that it allowed on its platform. The decision seemed to be to wait until people complained about an app before any removal was taken seriously. However, by the time this happened, the app, and Facebook, had already harvested user data. The FTC concluded that Facebook “often based enforcement of its policies on whether Facebook benefited financially from its arrangements with the developer”. The original complaint reported that, “internal Facebook documents explained, Facebook would contact apps spending more than $250,000 on advertising and ask them to confirm the need for the data they were accessing, while Facebook would terminate access for apps spending less than $250,000.”

The other main problem the commission found with Facebook’s privacy policy was its use of facial recognition. If you put up a photo and see that Facebook is suggesting certain photo tags, it means that you have the facial recognition setting turned on. This was the default setting. In other words, a user wasn’t really given the choice to opt in on facial recognition. This, the commission thought, was deceptive.

The FTC settlement puts Facebook in a grim light. Everyone agrees that Facebook should profit from offering its services; however, the FTC’s findings seem to portray the business as intentionally trying to hide its actions to make this profit. In so doing, Facebook casually compromised the data of users, some of whom believed they were using Facebook with maximized privacy settings. These shady policies exposed these users not only to being advertising targets but also to being targets of malicious actors.

The problem for the new privacy commission will be the same one that Facebook has faced for years – its own size. It seems unlikely, practically and technologically speaking, that the committee can monitor every action that goes on in Facebook and its auxiliary programs, like Messenger, Instagram, and WhatsApp. Add to this that Facebook has plans to develop its own operating system, personal assistant, browser, cloud gaming, and, possibly, even its own chips. Does the committee have the personnel and expertise to monitor all of these? It seems highly unlikely. It may be that the privacy committee will only be able to find the most flagrant privacy abuses, and, with Facebook’s history of cleverly hiding what it does, not learn about other infringements for years. Facebook’s history of slow or inadequate responses to user complaints leads one to believe that serious overstepping of the new regulations may never come to the committee’s attention.

Facebook, as most people know it, may begin to decline. However, it will still remain as one of the tech giants as it moves in other, more profitable, directions. In other words, as the privacy committee focuses its attention on what we now call Facebook, whole other data mining platforms may be developing. It remains to be seen how deceptive these new platforms will be, but, if the past is any indication of the future…
