EFF is disappointed by the terms of the settlement agreement announced today between the Federal Trade Commission (FTC) and Facebook. It is grossly inadequate to the task of protecting the privacy of technology users from Facebook’s surveillance-based system of social networking and targeted advertising.
This settlement arises from the FTC’s 2012 settlement order against Facebook, concerning the company’s deceptive statements about user privacy. Facebook violated the 2012 FTC order through its role in the Cambridge Analytica scandal, which violated the privacy rights of millions of Facebook users.
Today’s FTC-Facebook settlement does not sufficiently protect user privacy. For example:
- The agreement does not limit how Facebook collects, uses, and shares the personal information of its users. It is not enough for the agreement to require Facebook to conduct its own privacy review of new products; that just empowers Facebook to decide its own collection, use, and sharing practices.
- The agreement does not provide public transparency regarding how Facebook collects, uses, and shares personal information, or how Facebook implements the FTC settlement. It is not enough for only Facebook and the government to have this information.
- This agreement does nothing to address Facebook’s market power in social networks and internet advertising, and may risk cementing Facebook’s market power.
These deficiencies are not cured by the $5 billion fine against Facebook. For a company the size of Facebook, this is not an effective deterrent against future violations of user privacy.
If the FTC were serious about putting a dent in the privacy problems created by Facebook’s targeted advertising business model, it could have taken aim at two of Facebook’s biggest sources of information: data brokers and third-party tracking.
Some provisions of the settlement agreement are positive. For example, it requires Facebook to delete existing face recognition templates, and bars Facebook from creating new ones, absent the user’s informed opt-in consent. Also, the settlement bars Facebook from using phone numbers provided by users to enhance their security (i.e., for two-factor authentication) for advertising purposes. Unfortunately, the settlement does not address Facebook’s other egregious abuses of user phone numbers, including exposing two-factor authentication numbers to public reverse lookup, and vacuuming up “shadow” contact information that users never gave to Facebook in the first place.
Taken as a whole, this settlement is bad news for consumer privacy. But this is bigger than Facebook. Its surveillance-driven targeted ad business model is common across the web. To protect user’s privacy rights, we need solid consumer data privacy legislation.