Facebook has
agreed to settle a Federal Trade Commission complaint by promising to obtain users' express consent before sharing their information with a wider audience than in the past.
The social
networking service also promised to prevent anyone from accessing deleted accounts within 30 days of deletion. Plus, Facebook agreed to institute a comprehensive privacy policy and to submit to audits
for 20 years.
The proposed settlement, announced Tuesday, would resolve an FTC complaint alleging that Facebook deceived users by repeatedly sharing information that users believed would be
private when uploaded. The FTC's 19-page complaint, unveiled on Tuesday along with the proposed settlement, spells out a variety
of ways that Facebook allegedly deceived users.
Among others, in December of 2009 Facebook reclassified a host of data about users as “public” -- including people's names,
photos and friend lists. “They didn't warn users that this change was coming, or get their approval in advance,” the FTC said in a statement. That Facebook shift also prompted the
Electronic Privacy Information Center and other groups -- including the American Library Association, Center for Digital Democracy and Consumer Federation of America -- to file a complaint against the company.
The FTC also said that Facebook broke promises to users by allowing app developers to
access profile information they didn't need. “A platform application with a narrow purpose, such as a quiz regarding a television show, in many instances could access a user’s relationship
status, as well as the URL for every photo and video that the user had uploaded to Facebook’s Web site, despite the lack of relevance of this information to the application,” the FTC said
in its complaint.
The authorities also alleged that Facebook shared some users' names with advertisers via referrer headers. (Facebook recently prevailed in a lawsuit stemming from that same
issue. A judge in that case ruled that the users weren't harmed by any disclosures and, therefore, couldn't pursue their claim in court.)
Facebook CEO Mark Zuckerberg said in a blog post that the company had made “a bunch of mistakes.” He added: “I think that a small number of high-profile
mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done.”
Zuckerberg also
noted that Facebook had already fixed some of the issues noted by the FTC.
In the last two years, Facebook revised its privacy controls to give users more say over who can access their data.
But the social networking service hadn't promised prior to Tuesday to seek users' opt-in consent to future privacy-related changes.
Sen. John Kerry (D-Mass.), who introduced an online privacy
bill earlier this year, praised the deal.
“This settlement will help ensure that companies keep their promises to consumers and give those consumers a real voice in how their information
is used, distributed, and managed,” Kerry stated. “These priorities are consistent with what Senator McCain and I had in mind when we introduced our Internet Privacy Bill of
Rights.”
The terms of the Facebook settlement, which were first rumored earlier this month, are in line with the FTC's settlement with Google over
its launch of Buzz. That deal requires Google to create a comprehensive privacy program and
submit to independent privacy audits for the next 20 years. Google also promised that it will obtain people's express consent before sharing their information more broadly than its privacy policy
allowed at the time of collection.
Buzz created social networks out of people's Gmail contacts. At launch, the service revealed information about the names of users' email contacts, if users
activated Buzz without changing the defaults. That design meant that a host of confidential information could inadvertently become known, including the names of Gmail users' doctors, lawyers or
coworkers.
The FTC will accept comment on the proposed Facebook settlement until Dec. 30.