Thursday, April 5, 2012

In the Matter of Facebook, Inc.


In the Matter of Facebook, Inc. 2011 WL 6092532

Mark Zuckerberg sweating through that interview, pre FTC privacy case.
Facebook's privacy practices have been in the public's collective consciousness with regularity ever since it was discovered that personal information was being shared with advertisers and other third parties. Compounding this was Facebook's then-Byzantine privacy settings, which in theory gave users control, but in practice were either ignored or used incorrectly.

Eventually the FTC investigated Facebook, and the two entered into a consent order late in 2011.

First, Facebook agreed not to misrepresent any information concerning the privacy or security settings of users, including a) the collection of information, b) the extent to which a consumer could control that information, c) the extent to which information was sold to third parties, d) the steps Facebook had taken to verify the security of third parties with access to the information, e) the extent to which the information remained available after an account was deleted, and f) the extent to which Facebook complied with various government-issued privacy guidelines.

Facebook was ordered to clearly state the privacy and information collection settings in a separate user agreement, and to obtain users' express consent before collecting any private information. As in the Twitter case, Facebook was also required to designate an employee and set up a monitoring and auditing program to assess the new privacy controls and features. Facebook is also required to submit reports to the FTC discussing the implementation and success of that program.

Yet perhaps the most interesting provision is that Facebook was given 60 days to implement systems ensuring that private information could not be accessed by any third party within 30 days of a user deleting his or her account. Facebook, like other websites that accept user-submitted content, has always warned that deleted information may remain on its servers for some time. This has to do with the way the data is stored across multiple servers. Facebook was upfront about this when it first introduced photo sharing: even if the link on a Facebook page is deleted, users can still access the photo by entering its direct address until Facebook's servers purge the information. It stands to reason that a third party could do the same.

Since Facebook agreed to this consent order, it must have a method for implementing this requirement. This is good news for users who decide to remove information. Ideally, it would instantly be inaccessible to a third party, but even the 30-day time limit is an extra level of assurance. It should still be noted that this doesn't necessarily mean Facebook itself cannot access the information, but it is a step in the right direction.
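The two preceding paragraphs describe a failure mode (a deleted link whose target is still reachable by direct address until replicas are purged) and a deadline (no third-party access within 30 days). The toy model below is an added illustration, not Facebook's code and not anything the consent order specifies: it separates "remove the link" from "revoke access", records a tombstone at delete time so the serving layer refuses direct addresses immediately, purges replicas asynchronously, and audits for objects whose tombstone is older than the 30-day window but still have bytes on some replica. Object ids, replica names and the photo bytes are constructed sample values.

```python
"""Toy model of deletion in a replicated object store (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

DELETION_SLA = timedelta(days=30)  # the window named in the consent order


@dataclass
class ReplicatedStore:
    """Objects live under an opaque id on several replicas. A deletion writes a
    tombstone first; the physical purge of the bytes happens later."""
    replicas: Dict[str, Dict[str, bytes]] = field(default_factory=dict)
    pages: Dict[str, List[str]] = field(default_factory=dict)   # page -> linked ids
    tombstones: Dict[str, datetime] = field(default_factory=dict)

    def put(self, page: str, object_id: str, data: bytes) -> None:
        for replica in self.replicas.values():
            replica[object_id] = data
        self.pages.setdefault(page, []).append(object_id)

    def unlink(self, page: str, object_id: str) -> None:
        """Only removes the link from the page; the object is untouched."""
        self.pages[page].remove(object_id)

    def delete(self, object_id: str, now: datetime) -> None:
        """Record intent to delete immediately; bytes are purged asynchronously."""
        self.tombstones[object_id] = now

    def serve(self, object_id: str) -> Optional[bytes]:
        """Direct-address fetch. Consulting the tombstone set here is what makes
        a deleted object unreachable before the purge completes."""
        if object_id in self.tombstones:
            return None
        for replica in self.replicas.values():
            if object_id in replica:
                return replica[object_id]
        return None

    def purge(self, object_id: str) -> int:
        """Remove the bytes from every replica; returns the number of copies removed."""
        removed = 0
        for replica in self.replicas.values():
            if replica.pop(object_id, None) is not None:
                removed += 1
        return removed

    def audit(self, now: datetime) -> List[str]:
        """Ids tombstoned longer than the SLA that still have bytes on a replica."""
        return [
            object_id
            for object_id, deleted_at in self.tombstones.items()
            if now - deleted_at > DELETION_SLA
            and any(object_id in replica for replica in self.replicas.values())
        ]


def scenario() -> dict:
    """Walk one constructed photo through unlink, delete, audit and purge."""
    store = ReplicatedStore(replicas={"us-east": {}, "us-west": {}, "eu": {}})
    t0 = datetime(2012, 1, 1)
    store.put("profile/alice", "photo-123", b"\xff\xd8\xff constructed jpeg bytes")

    store.unlink("profile/alice", "photo-123")     # link gone, object still served
    served_after_unlink = store.serve("photo-123") is not None

    store.delete("photo-123", t0)                  # tombstone: direct address now fails
    served_after_delete = store.serve("photo-123") is not None

    overdue_day_10 = store.audit(t0 + timedelta(days=10))   # inside the window
    overdue_day_31 = store.audit(t0 + timedelta(days=31))   # purge never ran: flagged
    copies_purged = store.purge("photo-123")
    overdue_after_purge = store.audit(t0 + timedelta(days=31))

    return {
        "served_after_unlink": served_after_unlink,
        "served_after_delete": served_after_delete,
        "overdue_day_10": overdue_day_10,
        "overdue_day_31": overdue_day_31,
        "copies_purged": copies_purged,
        "overdue_after_purge": overdue_after_purge,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The design point is that the check belongs at the serving layer, keyed on the object's own id, rather than on whether a page still links to it; removing the link alone leaves the direct address live, which is exactly the behaviour the post describes. The audit function is the kind of check an operator would run to demonstrate that purges are completing within the window the order sets.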
