Why the FTC is taking a new look at Facebook privacy

FILE -- Mark Zuckerberg, chief executive of Facebook, testifies to the Senate, on Capitol Hill in Washington, April 10, 2018. In 2011, Facebook agreed to settle charges that it had deceived consumers on privacy. But new problems have resurfaced old concerns. (Tom Brenner/The New York Times)

After a yearlong string of news reports that have called Facebook’s data-sharing practices into question, federal regulators are taking a hard look at how the social media company handles the personal information of its users.

It is not the first time Facebook has drawn government scrutiny. About seven years ago, after charges were leveled by the Federal Trade Commission, the company made an agreement with the agency to overhaul its privacy practices.

That agreement, called a consent decree, provides a road map for how the FTC is likely to scrutinize Facebook over the coming months.

Why did the FTC accuse Facebook of deceptive practices in the first place? In 2007, Facebook introduced Facebook Beacon, a program that broadcast details on users’ online purchases to their friends, initially allowing users to opt out of sharing their purchases only on a case-by-case basis.

CEO Mark Zuckerberg apologized with what an article in the New York Times described as a “symphony of contrition.” In a Facebook post that year, Zuckerberg wrote: “I’m not proud of the way we’ve handled this situation and I know we can do better.”

At the end of 2009, a coalition of nonprofit consumer and privacy groups, led by the Electronic Privacy Information Center, petitioned the FTC to investigate Facebook’s handling of user data.

The groups filed a complaint saying Facebook had repeatedly disregarded users’ expectations and diminished their privacy. The complaint argued that the company had violated a federal law prohibiting unfair and deceptive business practices.

In 2011, the FTC filed charges against Facebook that said the company had deceived consumers about their privacy.

What were the FTC’s charges? The FTC’s complaint charged Facebook with a number of deceptive privacy practices. Among them:

•Facebook shared users’ personal details with advertisers even though the company had promised not to do so, the agency said.

•Facebook allowed third-party apps that users had installed to have access to nearly all their personal data — even though Facebook had stated the apps could obtain only the personal information they needed to operate, the agency said.

•In 2009, the agency said, Facebook changed its information-handling practices, making certain personal details — like users’ friends lists — public, overriding the choices of people who wanted to keep that data private. The policy change, the FTC’s complaint said, exposed users’ profile information, including “potentially controversial political views or other sensitive information,” to third parties.

•The agency said Facebook claimed it certified the security practices of apps participating in its “Verified Apps program,” but the company did not do so.

What did the FTC require? In November 2011, Facebook agreed to settle charges that it had deceived consumers by “telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” the FTC said at the time.

The agreement, which became final in 2012, prohibited Facebook from misleading consumers about their data privacy and security. The social network committed to getting the explicit consent of users before making changes that overrode their privacy preferences.

The agency ordered Facebook to put a comprehensive privacy program in place to protect the privacy and confidentiality of users’ information and to manage the risks of existing and new products.

It also required Facebook over the next 20 years to undergo biennial audits by an independent third party to certify the privacy program was properly protecting the information of the company’s users.

Why is the federal consent agreement relevant now? In March, the New York Times reported that a voter-profiling company, Cambridge Analytica, had harvested the personal data of millions of Facebook users without their knowledge or permission.

The voter-profiling company obtained the data from a researcher who had offered a personality survey app on Facebook. Although only about 270,000 Facebook users agreed to share their data to participate in the survey, the Facebook platform enabled the app to improperly harvest the personal details of millions of those users’ friends — consumers who had not agreed to share their information with the survey app.

Privacy experts, law professors and at least one former FTC official have argued that Facebook’s failure to prevent the survey app from obtaining the data of users’ friends violated the federal consent agreement. So did Facebook’s failure to prevent the app developer from sharing both users’ data and the data of users’ friends with Cambridge Analytica, these critics said.

They said the Cambridge Analytica episode suggested that Facebook had failed to adequately conduct the risk assessments the agreement required it to do. It also failed to obtain required, explicit consent from users’ friends for the sharing of their data with third parties, the privacy experts said.

They also argued that Facebook had failed to operate a comprehensive privacy protection program and take reasonable precautions — steps the company was obligated to take under the consent decree.

“The consent decree requires Facebook to always be vigilant to possible privacy problems and try to solve them,” said David C. Vladeck, a professor at Georgetown Law and a former director of consumer protection at the FTC who oversaw the investigation that led to the consent decree. “Cambridge Analytica made clear that Facebook was not auditing third-party apps.”

On March 26, the FTC said it was conducting an investigation into Facebook’s privacy practices. An agency spokeswoman declined to comment this month on the progress of the investigation.

Since then, Facebook has made other admissions about privacy problems that experts said could potentially violate the consent agreement or trigger new federal charges of deceptive privacy practices.

•In June, the Menlo Park company said a software bug made public the posts of up to 14 million users who thought the posts were private.

•Also in June, the Times reported that Facebook had allowed device-makers like Amazon, Apple, Blackberry, Microsoft and Samsung access to the data of users’ friends without their explicit consent, even after the company said it would no longer share such information with outsiders.

•In September, the company said a security breach had exposed the personal data of nearly 50 million users.

•In October, Facebook said Russian firms had scraped user data, including “matching photos from individuals’ personal social media accounts in order to identify them.”

•In December, Facebook said a software bug had given apps access to a larger set of users’ photos than usual.

•Also in December, the Times reported that Facebook had shared user data with Amazon, Microsoft, Yahoo and other companies without users’ knowledge or permission.

In addition to the FTC, Facebook is under investigation by the Justice Department, the FBI, the Securities and Exchange Commission and several government agencies in Europe over Cambridge Analytica’s harvesting of user data.

What does Facebook say? Facebook said it had developed a privacy program as required by federal regulators and it had not violated the consent decree.

“We are transparent with people about how we use their information and respect people’s privacy settings,” Sally Aldous, a Facebook spokeswoman, said in a statement. “We have a privacy program, which ensures we protect people’s information, which we continuously evolve to address the privacy risks of our products and services.”

Aldous said the company’s privacy program involved more than three dozen control mechanisms — including a privacy governance team and security teams that “ensure privacy risks for product launches and major changes are identified, discussed, and escalated for decisions when necessary.”

Facebook said it disagreed with the Times’ characterization of its sharing of user data with Amazon, Apple, Blackberry, Microsoft, Samsung, Yahoo and other companies.

The social network said device-makers used information from Facebook to integrate certain Facebook features on their services and agreed not to use that information for their own purposes. The company also said Spotify and other third-party apps had access to users’ Facebook data only after users signed in with their Facebook account in those apps.

“None of these partnerships or features gave companies access to information without people’s permission, nor did they violate our 2012 settlement with the FTC,” Konstantinos Papamiltiadis, director of developer platforms and programs at Facebook, wrote in a news release.

Natasha Singer is a New York Times writer.