Consumer Groups Hammer Facebook Privacy Violations in Federal Complaint

Facebook users were shocked to learn this week that private chats could have been viewed by their friends because of a security hole that was only recently closed, and also that new Facebook features can secretly add applications to your profile.

But those weren't the only privacy complaints Facebook faced this week. On Wednesday, the Electronic Privacy Information Center filed a 38-page complaint against the company with the Federal Trade Commission, demanding that Facebook cancel new features introduced in mid-April that compel users to share more information than before.

"Facebook now discloses personal information to third parties that Facebook users previously did not make available," EPIC said in its complaint. "These changes violate user expectations, diminish user privacy, and contradict Facebook's own representations. These business practices are Unfair and Deceptive Trade Practices."

The FTC isn't likely to rule on the complaint any time soon, but in the meantime let's take a look at the key allegations made by the Electronic Privacy Information Center. Fourteen other privacy and consumer protection groups joined EPIC in filing the FTC complaint, and EPIC sent a letter to members of Congress describing the allegations.

Here's a summary of the FTC complaint against Facebook:

Facebook violated its own privacy policy by making user information publicly available with changes introduced the week of April 18, 2010, the complaint alleges. Facebook is now making information such as a user's hometown, education, work, activities, likes and interests public, whereas previously such information could be hidden, the complaint states.

"As a result of these material changes, Facebook requires users to designate personal information as publically linkable 'Links,' 'Pages,' or 'Connections' or to no longer make such information available," the complaint states. "Many Facebook users previously restricted access to this profile data, which includes users' friends list, music preferences, affiliated organizations, employment information, educational institutions, film preferences, reading preferences, and other information."

When the changes went live, Facebook presented users with a pop-up screen compelling them to link their profiles to various pages selected by Facebook based upon content entered manually into the user's profile. The user could either link their profiles to all selected pages, choose pages individually, or click the "ask me later" button.

If the "ask me later" option was chosen, users were later presented the same screen with only the "link all" and "choose individually" options. If they clicked "choose individually," they were taken to a page with a series of pre-checked boxes, forcing them to uncheck all boxes if they didn't want their profiles linked to every page.

But unchecking boxes also deleted major portions of a person's profile, the complaint says.

"If the user unchecked all of the boxes in an attempt to opt-out of the compelled disclosure of her profile information, another pop-up window appeared to inform the user that if no information is designated as 'publically available,' then major sections of the user's profile that were previously available on the user's Facebook page will be deleted and left empty," the complaint states. "As a result of a material change in its business practice, Facebook no longer permits users to provide 'pure text' entries into fields for work and education, current city, hometown, and likes and interests. All entries into these fields must be 'linked.'"

When most Facebook users signed up for the service, they weren't required to make employment, educational information and music, film, book and TV preferences public information, but they are now forced to link their profile information to Facebook pages, making the information viewable by everyone rather than just their friends, the complaint says.

"Facebook states that 'if you don't link to any pages, these sections on your profile will be empty. By linking your profile to pages, you will be making these connections public,'" the FTC complaint reads. "Facebook states that now websites and applications will have access to 'publicly available information. This includes your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages.'"

Even if users designate content as private, Facebook will hide the information on the user's profile but disclose it elsewhere, such as on friends' pages, community pages and third-party websites, EPIC writes in the complaint. For example, even if users disable Facebook's new "instant personalization" feature, their information may be disclosed to third party websites if any of their friends have not disabled the service.

Moreover, the act of "liking" pages may reveal personal data "without clearly indicating to users when their personal information is being given to third party websites."

Facebook's privacy settings limit users' ability to browse the Web anonymously because of integration with third-party sites, EPIC also claims.

"Facebook uses cookies to track its users," the complaint states. "Thus, whenever a user is logged-in to Facebook and surfing the Internet, he is also transmitting information about which websites he's visited to Facebook. A user does not have to click on or interact with a social plugin for his information trail to be transmitted to Facebook."

EPIC and the other privacy groups that filed the complaint said Facebook's privacy practices are prohibited by the FTC, and asked the FTC to force Facebook to restore its previous privacy settings, restore a previous requirement that developers retain user data for no more than 24 hours, and make data collection practices easier to understand and give "Facebook users meaningful control over personal information provided by Facebook to advertisers and developers."

Follow Jon Brodkin on Twitter: www.twitter.com/jbrodkin
