Following more than a year of speculation since the Federal Trade Commission said it was investigating Facebook over privacy lapses, the regulator has officially announced the terms of its settlement with the beleaguered social network: $5 billion (as previously rumored) and improved privacy oversight within the company.

The order-mandated privacy program covers Facebook-owned WhatsApp and Instagram, as well as Facebook’s eponymous social platform.

Facebook assessed $5 billion penalty, subjected to sweeping new restrictions on user privacy decisions to settle FTC charges the company violated a 2012 FTC order by deceiving users about their ability to control privacy of their personal info. Read more: https://t.co/NYx2JnKmJV pic.twitter.com/7KVd3Vg02J — FTC (@FTC) July 24, 2019

The order was approved in a 3-2 vote by the agency’s commissioners. The FTC notes that the penalty against Facebook is the largest ever imposed on any company for violating consumers’ privacy — as well as flagging that it’s “almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide”.

In addition to the money, Facebook will have to create a board committee on privacy, and must provide executive assurance that user data is being respected.

Meaningful oversight?

“The settlement order announced today also imposes unprecedented new restrictions on Facebook’s business operations and creates multiple channels of compliance. The order requires Facebook to restructure its approach to privacy from the corporate board-level down, and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight,” the FTC writes in a press release announcing the decision.

“Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices,” said FTC chairman, Joe Simons, in a statement. “The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations. The Commission takes consumer privacy seriously, and will enforce FTC orders to the fullest extent of the law.”

The FTC says the structure of its 20-year order against Facebook removes the “unfettered control” over privacy decisions exercised by CEO Mark Zuckerberg — by creating greater accountability at the board of directors level via the establishment of what it calls an “independent privacy committee”.

“Members of the privacy committee must be independent and will be appointed by an independent nominating committee,” it writes. “Members can only be fired by a supermajority of the Facebook board of directors.”

Facebook will also be required to designate compliance officers who will be responsible for Facebook’s privacy program.

“These compliance officers will be subject to the approval of the new board privacy committee and can be removed only by that committee — not by Facebook’s CEO or Facebook employees,” it writes. “Facebook CEO Mark Zuckerberg and designated compliance officers must independently submit to the FTC quarterly certifications that the company is in compliance with the privacy program mandated by the order, as well as an annual certification that the company is in overall compliance with the order. Any false certification will subject them to individual civil and criminal penalties.”

Another strand is aimed at strengthening external oversight of Facebook, with the FTC claiming enhancements to audit processes which must take place every two years to evaluate the effectiveness of Facebook’s privacy program and identify any gaps.

“The assessor’s biennial assessments of Facebook’s privacy program must be based on the assessor’s independent fact-gathering, sampling, and testing, and must not rely primarily on assertions or attestations by Facebook management,” it writes in what sounds like the end of Facebook being able to mark its own regulatory homework on its home turf.

It goes on: “The order prohibits the company from making any misrepresentations to the assessor, who can be approved or removed by the FTC. Importantly, the independent assessor will be required to report directly to the new privacy board committee on a quarterly basis. The order also authorizes the FTC to use the discovery tools provided by the Federal Rules of Civil Procedure to monitor Facebook’s compliance with the order.”

Facebook must also conduct a privacy review of every new or modified product, service, or practice before it is implemented, and document its decisions about user privacy, per the order.

While the designated compliance officers must submit a quarterly privacy review report — sharing this with Facebook’s CEO and the independent assessor, as well as with the FTC upon its request.

The order also imposes security breach disclosure requirements on Facebook, which is required to document incidents when data of 500 or more users has been compromised, along with details of how it has sought to fix the problem — and provide that to the FTC and the assessor within 30 days of discovering the breach.

The FTC first confirmed that it was investigating Facebook in March of last year, during the then-new hubbub surrounding Cambridge Analytica’s abuse of data siphoned from the network. The regulator was specifically concerned that Facebook had been systematically violating the terms of its 2012 agreement, which barred them from a number of practices concerning user data.

Rumors started less than a year later that the fine the FTC was considering would be “record-setting,” though as many pointed out at the time, almost any conceivable amount would be easily (if not gladly) written off by the company, which brings in upwards of $50 billion per year in revenue.

In April, seeing the writing on the wall and perhaps privy to some of the conversations, Facebook set aside $3 billion to cover the costs of the settlement it knew was coming (it still made a $2.4B profit), but said it expected the number may actually be $5 billion. And indeed that is the number that surfaced two weeks ago in early reports of the FTC vote. (Some had suggested fines far higher, perhaps mitigated by good behavior, but the FTC doesn’t seem to have taken them up on the idea.)

While multi-billion dollar fines make splashy headlines there could well be far greater business costs (and product friction) for Facebook locked up in the administrative and bureaucratic requirements of the order.

The FTC notes a laundry list of what it couches as “significant new privacy requirements” that it’s also imposing on the company — writing that:

Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;

Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;

Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;

Facebook must establish, implement, and maintain a comprehensive data security program;

Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and

Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.

Although there are already criticisms of the order for not being strong enough — including from inside the FTC itself.

Blanket immunity and no deterrent

Rohit Chopra, one of the commissioners who voted against the settlement, has published a statement explaining why he did not back it — in which he warns that it “doesn’t fix the incentives causing these repeat privacy abuses” because it fails to stop Facebook from “engaging in surveillance or integrating platforms”.

“There are no restrictions on data harvesting tactics — just paperwork. $FB gets to sign off on what’s acceptable,” he wrote in a set of tweets summarizing his views after the settlement was announced.

Chopra also objects to the lack of penalties for Zuckerberg, Sheryl Sandberg, and other Facebook executives — pointing out that the FTC is going after individuals attached to Cambridge Analytica’s misuse of Facebook data yet letting Facebook’s leadership “get blanket immunity for their role in the violation”.

He also flags that “settlement fine print gives Facebook broad immunity for ‘known’ and ‘unknown’ violations” — wondering: “What’s covered by these immunity deals? Facebook knows but the public is kept in the dark.”

“Facebook’s flagrant violations were a direct result of their business model of mass surveillance and manipulation, and this action blesses this model. The settlement does not fix this problem. It now goes to court for approval,” he adds. “We should all be concerned that the business incentives of big tech platform behavioral advertising spur practices that are dividing our society. When companies break the law and cause massive harm, they need to be held accountable.”

Also dissenting from the settlement is FTC commissioner Rebecca Kelly Slaughter who also takes the view the order will not do enough to “effectively deter Facebook from engaging in future law violations” — writing in her own dissenting statement that she would have preferred the agency to instigate litigation against Facebook and Zuckerberg, and fight for “the right outcome in a public court of law”.

“I cannot view the order as adequately deterrent without both meaningful limitations on how Facebook collects, uses, and shares data and public transparency regarding Facebook’s data use and order compliance,” she also says, adding that her “deepest concern” is that “its release of Facebook and its officers from legal liability is far too broad”.

FTC limits

Discussing the settlement in a phone call with TechCrunch, the FTC’s former CTO, Ashkan Soltani, dubbed it a “terrible outcome” for his former employer. “Facebook’s dominated the press schedule the entire time,” he told us. “They’ve controlled when this release is, same day as the Mueller [testimony], same day as their earnings’ call. The $5BN number — while significant for the agency is essentially a ‘get out of jail’ card for Facebook,” he added, noting that the order indemnifies for any behavior prior to June 12 — “which is I think unheard of”.

“It’s kind of crazy in terms of how good of a deal this was for the company.”

That such a favorable result could be signed off by even three of five commissioners is “a sign of who the FTC is”, he also said.

“The significance of this case shows how limited the agency’s ability is,” he suggested. “They have limited authority but the settlement — this is unheard of. I’ve never seen a provision like that in another FTC order.”

“I think it makes sense in terms of they were between a rock and a hard place in terms of what they could do,” he added. “The alternative would be to go to court against one of the largest companies in the world, with an endless budget, and the [enforcement] authority is kind of thin.”

In terms of whether there’s anything of substance in the order that could rein in Facebook’s future behavior, Soltani suggested there are some “useful” injunctions which imply the agency looked at behavior beyond the Cambridge Analytica scandal.

But at the same time there’s not enough here to respond to “where the company is going”.

“I don’t think it really addresses the direction that Facebook is moving towards and it really highlights the lack of authority that the agency has,” he told us, discussing the limits of US protection for privacy in the age of data-mining tech giants.

“The FTC is the trade Commission, right,” he added. “It’s designed to essentially protect against unfair and deceptive practices and it’s really designed to protect industry from one another… and somehow that evolved to be our leading consumer protection agency — but that authority is quite limited, particularly in the area of privacy.”

David Carroll, the academic whose complaint against Cambridge Analytica’s use of his data features as a focal point of The Great Hack — the just released Netflix documentary that digs into the Facebook data abuse scandal — was also withering in his assessment of the FTC order.

“Maybe a Netflix doc could be more punitive to Facebook than this settlement,” he told us.

Facebook’s response

Facebook has responded to the penalty announcement in a lengthy blog post penned by general counsel, Colin Stretch.

“The agreement will require a fundamental shift in the way we approach our work and it will place additional responsibility on people building our products at every level of the company,” he writes. “It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.

“The accountability required by this agreement surpasses current US law and we hope will be a model for the industry. It introduces more stringent processes to identify privacy risks, more documentation of those risks, and more sweeping measures to ensure that we meet these new requirements. Going forward, our approach to privacy controls will parallel our approach to financial controls, with a rigorous design process and individual certifications intended to ensure that our controls are working — and that we find and fix them when they are not.”

Stretch goes on to describe the Cambridge Analytica data misuse scandal as “a breach of trust between Facebook and the people who depend on us to protect their data”, before claiming the company will adopt a new more “robust” approach to privacy risk.

“We will be more robust in ensuring that we identify, assess and mitigate privacy risk,” he writes. “We will adopt new approaches to more thoroughly document the decisions we make and monitor their impact. And we will introduce more technical controls to better automate privacy safeguards.”

He also says Facebook will undertake a review of its “systems” — which he says the company expects will surface “issues” — pledging that “when it does, we will work swiftly to address them”.

Buried later on in the blog, Stretch also confirms that Facebook has settled a separate investigation by the Securities and Exchange Commission — agreeing to pay a further $100M to resolve a probe of its processes for disclosing data abuses to investors.

“We share the SEC’s interest in ensuring that we are transparent with our investors about the material risks we face, and we have already updated our disclosures and controls in this area,” he writes.

In another response, Zuckerberg has posted a comment about the settlement on his Facebook page — where he says “we’re going to make some major structural changes to how we build products and run this company”.

He also writes that Facebook expects complying with the changes instigated by the FTC order will take “hundreds of engineers and more than a thousand people across our company”.

Although it’s not clear whether that means Facebook will be beefing up its headcount, with 1,000 extra hires, or shifting priorities of what some of its existing staff focus on.

This report was updated with additional comment