The Facebook/FTC Settlement Proposal: What's New, What's Not

By: Chris Conley

Earlier today the FTC announced a proposed settlement with Facebook, addressing its assertion that Facebook deceived users by failing to uphold its privacy promises. As we said elsewhere, the proposed settlement has one major step forward: it prohibits the company from "begging forgiveness instead of asking permission" by changing its privacy settings to make data more public or share it with more people. But it doesn't cure all of the outstanding issues [pdf] with Facebook privacy.

Here's a quick rundown of the plusses, minuses, and outstanding questions of the proposed settlement. (You can read the whole thing here [pdf].)

+ Asking Permission, Not Begging Forgiveness. No more Beacon; no more "privacy transitions" that make more information public. Facebook must now obtain a user's express consent before taking any information previously covered by a privacy setting and making it more public than it was before, and it promises not to "misrepresent in any matter, expressly or by implication," its privacy protections for names, photos, location history, and other information.

+ What's Gone is Really Gone. Once you delete a photo from Facebook, Facebook will ensure that no one else can access it within 30 days. (It still can't help if your friend copied the photo and reposted it on Facebook or elsewhere, however.)

+ Comprehensive Privacy Program. Facebook is required under the proposed settlement to establish a "comprehensive privacy program" that will protect the privacy of identifiers, photos, and location information in both new and existing products. Facebook has already announced that it will be appointing two new privacy officers in response to the proposed settlement.

- The App Gap Remains. Although Facebook has promised to be clear about how information will be shared with third parties going forward, the proposed settlement does not fix existing problems [pdf] such as the "app gap" and Instant Personalization.

? Still Out of Control? The proposed settlement makes it very clear that Facebook must ask permission before increasing its sharing of information that currently has a privacy setting, but it does not explicitly put the same requirement on information that currently has no privacy setting at all (including information like your name and profile picture that used to have such controls). This is particularly important as the company continues to collect information about its users activities outside of Facebook itself, such as its log of every visitors to Web pages that include a Like button.

? Privacy by Default? The settlement agreement also doesn't explicitly address how Facebook will deal with new kinds of information from future products, since that information is also not covered by an existing privacy setting.

? The FTC's Future Role? The FTC is empowered to ensure that Facebook complies with the settlement, and Facebook has made a broad promise not to "misrepresent" its privacy protections in the future. But it's not entirely clear whether the FTC would use this authority to challenge new Facebook products or services that aren't dealing with information currently covered by a privacy setting.

Chris Conley is the Technology and Civil Liberties Fellow with the ACLU of Northern California.