http://www.nytimes.com/2011/11/30/technology/facebook-agrees-to-ftc-settlement-on-privacy.html

November 29, 2011

F.T.C. Settles Privacy Issue at Facebook

By SOMINI SENGUPTA

SAN FRANCISCO -- Accusing Facebook of engaging in "unfair and deceptive" practices, the federal government on Tuesday announced a broad settlement that requires the company to respect the privacy wishes of its users and subjects it to regular privacy audits for the next 20 years.

The order, announced by the Federal Trade Commission in Washington, stems largely from changes that Facebook made to the way it handled its users' information in December 2009. The commission contended that Facebook, without warning its users or seeking consent, made public information that users had deemed to be private on their Facebook pages.

The order also said that Facebook, which has more than 800 million users worldwide, in some cases had allowed advertisers to glean personally identifiable information when a Facebook user clicked on an advertisement on his or her Facebook page. The company has long maintained that it does not share personal data with advertisers.

And the order said that Facebook had shared user information with outside application developers, contrary to representations made to its users. And even after a Facebook user deleted an account, according to the F.T.C., the company still allowed access to photos and videos.

All told, the commission listed eight complaints. It levied no fines and did not accuse Facebook of intentionally breaking the law. However, if Facebook violated the terms of the settlement in the future, it would be liable to pay a penalty of $16,000 a day for each count, the F.T.C. said.

Mark Zuckerberg, the chief executive of Facebook, conceded in a lengthy blog post that the company had made "a bunch of mistakes," but said it had already fixed several of the issues cited by the commission.

"Facebook has always been committed to being transparent about the information you have stored with us -- and we have led the Internet in building tools to give people the ability to see and control what they share," he wrote. By way of example, Mr. Zuckerberg pointed to more explicit privacy controls that the company introduced over the summer.

Facebook has long wanted its users to post content -- links, opinions, pictures and other data -- on their Facebook pages with minimal effort, or "friction," as company executives call it. The settlement with the F.T.C. will undoubtedly require it to introduce more such friction.

The order requires Facebook to obtain its users' "affirmative express consent" before it can override their own privacy settings. For example, if a user designated certain content to be visible only to "friends," Facebook could allow that content to be shared more broadly only after obtaining the user's permission.

On Tuesday evening there seemed to be some disagreement about what the agreement entailed. A Facebook spokesman said in response to a question that it did not require the company to obtain "opt in" data-sharing permission for new products.

But David Vladeck, director of the bureau of consumer protection at the F.T.C., said Facebook would have to inform its users about how personal data would be shared even with new products and services that it introduces over the next two decades. "The order is designed to protect people's privacy, anticipating that Facebook is likely to change products and services it offers," he said.

Ever since its public release in 2004, Facebook has drawn an ever-larger number of members, even as its sometimes aggressive approach to changes around privacy have angered some of its users.

"We've all known that Facebook repeatedly cuts corners when it comes to its privacy promises," Eric Goldman, a law professor at Santa Clara University, wrote in an e-mail after the announcement. "Like most Internet companies, they thought they could get away with it. They didn't."

Facebook is also obliged to undergo an independent privacy audit every two years for the next 20 years, according to the terms of the settlement.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, which is part of a coalition of consumer groups that filed a complaint with the F.T.C., commended the order but said settlements with individual companies fall short of what is needed: a federal law to protect consumer privacy.

"We hope they will establish a high bar for privacy protection," Mr. Rotenberg said. "But we do not have in the United States a comprehensive privacy framework. There is always a risk other companies will come along and create new problems."

Several privacy bills are pending in Congress, and Internet companies have stepped up their lobbying efforts. The F.T.C., meanwhile, has ratcheted up its scrutiny of Internet companies. This year alone, it has reached settlement orders with some of the giants of Silicon Valley, including Google.

The order comes amid growing speculation about Facebook's preparations for an initial public offering, which could be valued at more than $100 billion. The settlement with the F.T.C., analysts say, could potentially ease investors' concerns about government regulation by holding the company to a clear set of privacy prescriptions.

"When you have an I.P.O. you don't want investors to be skeptical or jittery," said Ryan Calo, who leads privacy research at the Center for Internet and Society at Stanford Law School. "In order for you to be as valuable as possible, you want to make sure the seas are calm. This calms the seas."