Yesterday I wrote about the Future of Privacy in light of the ongoing Leveson Inquiry into phone hacking by journalists in England. But in another courtoom on the other side of the Atlantic yesterday, Facebook was being held accountable for its massive invasions of privacy. Specifically, the American Federal Trade Commission concluded that Facebook deceived consumers “by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.”
According to the FTC press release:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.
The FTC goes on to say that “The proposed settlement bars Facebook from making any further deceptive privacy claims, requires that the company get consumers’ approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years”
Obviously, for those of us who like privacy and who like transparency, this is a very good thing. But the ease with which facebook was able to make these changes suggests the degree to which they are controlling the agenda and the FTC – and the rest of us – are playing catch-up. Similarly, a security researcher named Trevor Eckhart showed in a video released yesterday that every single url and text message and email and photo (etc.) that you click into or create on your mobile phone is stored in a 3rd party application (CarrierIQ) including secure sites and passwords. Eckhart claims that this info is then sent to the 3rd part developer (CarrierIQ inc.), but this appears to be an unproven claim at the moment. But it appears indisputable that all this info is logged and stored in this 3rd party app, and that it could be sent to the 3rd party carrier, or anyone else who could hack into it. So at best it is a risky and highly insecure situation.
All of which is to emphasize how much easier and deeper the potential for secret surveillance is online than off. Should there perhaps be a formal inquiry into the future of privacy online, like the Leveson Inquiry, so that those of us who use facebook and mobile phones and other digital tools can proactively choose our future instead of discovering what we have lost in the rear-view mirror?