The Federal Trade Commission (FTC) has fined Facebook $5 billion for “deceiving users about their ability to control the privacy of their personal information.” With dollar numbers in the billions and trillions being casually tossed about these days, it’s hard to assess just how serious a penalty Facebook paid. The FTC, however, points out that this is “one of the largest penalties ever assessed by the U.S. government for any violation.” Here is a chart the FTC gives to graphically show just what this number means.
In other words, the FTC concluded that Facebook did something really bad. So what was it?
The FTC sapped the company’s power from Mark Zuckerberg on down when they required the establishment of a more or less independent committee to watch for privacy violations. This committee will be monitored by compliance officers who can only be removed by the privacy committee and not by Facebook management. These officers must make quarterly reports to the FTC. If, during their tenure, these officers allow Facebook to operate outside of FTC guidelines, they will be subject to criminal prosecution. The new privacy guidelines also apply to Facebook offshoots, WhatsApp, Instagram, and any new apps the company may develop. Facebook must also make an official report to the FTC any time that 500 or more of its users are compromised by a breach.
Here are a few other actions Facebook must take to attain compliance, some of which users have been asking for for years.
- In the past, Facebook claimed that the use of your telephone number for two-factor authentication (2FA) would never be used for advertising purposes. That was a lie. Now, however, Facebook can no longer do this.
- Facebook must get explicit user consent before it uses any facial recognition technology, or when they change the way they use this technology.
- “Facebook must establish, implement, and maintain a comprehensive data security program.” This seems a little vague to me. Facebook could easily say that’s what they’ve been doing all along.
- “Facebook must encrypt user passwords.” Does this mean they weren’t doing this? Apparently, they weren’t because the report goes on to say that Facebook must scan their network to see if any passwords are being stored in plain text. The point here is that any passwords stored in plain text are immediately usable if discovered by hackers.
- Another regulation confuses me. It says that “Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.” I haven’t signed up for Facebook recently, but what other service’s passwords were they asking for? From my point of view, this seems like something you’d see in a phishing attack.
But it gets worse. Hidden in its privacy settings, Facebook disclosed that any information shared with friends, or that friends shared with you, could also be shared with any app used by that friend. In other words, the app had access to vast amounts of dats. Facebook would then share (sell) the friend’s data with third parties, usually database marketers. Here’s what that permissions page looked like. It was not easy to find. The only difference between the Facebook version and the image below is that Facebook, by default, checked all of the boxes except “Religious and political views” and “Interested in,”
I especially like the line that indicates your friends would be happy to share their personal information because it would make “their experience better and more social.” Yeah, why wouldn’t I want to help out my friends?
The FTC complaint expands on what information was being shared. Here’s the complete list.
Such a wealth of data would be a goldmine to marketers.
And so it was. This deceptive tactic enabled Cambridge Analytica to harvest, analyze, and sell the data of 87 million Facebook users. The page above was finally removed in 2018, though it still appears in grayed-out form to this day.
The commission also found that Facebook would inadequately vet apps that it allowed on its platform. The decision seemed to be to wait until people complained about an app before any removal was taken seriously. However, by the time this happened, the app, and Facebook, had already harvested user data. The FTC concluded that Facebook “often based enforcement of its policies on whether Facebook benefited financially from its arrangements with the developer”. The original complaint reported that, “internal Facebook documents explained, Facebook would contact apps spending more than $250,000 on advertising and ask them to confirm the need for the data they were accessing, while Facebook would terminate access for apps spending less than $250,000.”
The FTC settlement puts Facebook in a grim light. Everyone agrees that Facebook should profit from offering its services; however, the FTC’s findings seem to portray the business as intentionally trying to hide its actions to make this profit. In so doing, Facebook casually compromised the data of users, some of whom believed they were using Facebook with maximized privacy settings. These shady policies exposed these users not only to being advertising targets but to targets of malicious actors.
The problems for the new privacy commission will be the same that Facebook has faced for years – its own size. It seems unlikely, practically and technologically speaking, for the committee to monitor every action that goes on in Facebook and its auxiliary programs, like Messenger, Instagram, and WhatsApp. Add to this that Facebook has plans to develop its own operating system, personal assistant, browser, cloud gaming, and, possibly, even its own chips. Does the committee have the personnel and expertise to monitor all of these? It seems highly unlikely. It may be that the privacy committee will only be able to find the most flagrant privacy abuses, and, with Facebook’s history of cleverly hiding what it does, never learn about other infringements for years. Facebook’s history of slow or inadequate responses to user complaints leads one to believe that serious overstepping of the new regulations may never come to the committee’s attention.
Facebook, as most people know it, may begin to decline. However, it will still remain as one of the tech giants as it moves in other, more profitable, directions. In other words, as the privacy committee focuses its attention on what we now call Facebook, whole other data mining platforms may be developing. It remains to be seen how deceptive these new platforms will be, but, if the past is any indication of the future…