Facebook settles with FTC over privacy bungles

Facebook has finally settled with the Federal Trade Commission over a complaint regarding its privacy practices, which will see the business subject to new rules including independent audits for the next 20 years.

Founder and chief executive Mark Zuckerberg has written an extensive blog post on the changes, saying the company has made mistakes and announcing a new privacy system that will allow users to opt-in to changes, rather than having to opt-out.

The settlement comes after years of privacy complaints levelled at Facebook, whose members have complained that regular changes to privacy settings have inadvertently allowed the public to view private data.

“That said, I’m the first to admit that we’ve made a bunch of mistakes. In particular, I think a small number of high profile mistakes,” Zuckerberg said in a new blog post.

The latest truce also comes after dealings with Google and Twitter, helping to provide new benchmarks for what customers can expect regarding privacy obligations from social companies.

The settlement comes after the Federal Trade Commission charged Facebook with unfair and deceptive business practices as part of an eight-page complaint. In fact, the FTC found “a number of instances” where Facebook made promises it didn’t necessarily intend to keep.

“By designating certain user profile information publically available that previously had been subject to privacy settings, Facebook materially changed it promises that users could keep such information private,” it wrote.

“Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate,” the FTC said. “In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.”

A significant number of complaints relate to changes made in late 2009 that affect how information and pictures were shared, along with lists of online friends. That same complaint also targets the way Facebook gave data to third party advertisers and application makers.

Overall, the FTC said it found “numerous occasions” where Facebook told users they would keep certain information private, and then ended up sharing it with third parties.

As a result, Facebook has settled with the FTC. But there are some serious caveats, with Facebook having to submit to audits every two years for the next 20. And it will also ensure that new privacy changes are “opt in”, rather than “opt out”.

The settlement is still subject to review before the end of the year, but it represents a severe blow to the company, and Zuckerberg, who has been an advocate of allowing users to share their data openly and freely across networks and applications – sometimes pushing boundaries while doing so.

But as part of the company’s response, Zuckerberg has split the role of chief privacy officer – Erin Egan will be in charge of policy, and Michael Richter will be in charge of products.

Zuckerberg also said he understands that users are “naturally sceptical” of what it means to share such personal information online.

“Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected. It’s important for people to think about this, and not one day goes by when I don’t think about what it means for us to be the stewards of this community and their trust.”

But the FTC isn’t taking chances – Facebook will be subject to fines of several thousand dollars a day if it does not comply.

“Facebook’s innovation does not have to come at the expense of consumer privacy,” FTC Chairman Jon Leibowitz said in a statement. “The FTC action will ensure it will not.”