Facebook’s record $5 billion fine that it will pay to the Federal Trade Commission will do little to stop Facebook from trying to slurp up as much of your data as it can, with two exceptions: facial recognition and telephone numbers. Instead, the Facebook-FTC agreement is primarily intended to stem the tide of your data flowing through Facebook and out to third-party developers.
Facebook agreed to pay a $5 billion fine and submit to a 20-year oversight program Wednesday as part of an FTC order agreed to by both parties—punishment for Facebook’s unwillingness to adhere to another, separate 2012 FTC order that also governed user data privacy. As many have noted, the $5 billion fine is a slap on the wrist: Facebook recorded $15 billion in revenue for the March 2019 quarter alone.
Many of the changes the FTC will enforce will be structural, and their impact on how Facebook does business can’t be accurately predicted. Probably the most significant will be the creation of an independent privacy committee, named by the company’s board. Those members can be fired only by a supermajority of the board itself. That’s significant, as chief executive Mark Zuckerberg personally owns a majority of Facebook shares, giving him control over the company.
Facebook will also be forced to name privacy compliance officers, who must be approved by the board’s privacy committee. These privacy officers will be responsible for enforcing the FTC order, and will provide quarterly certifications to the FTC that they’re adhering to it. Once a year, Zuckerberg and the privacy committee will also be subject to an annual review by the FTC.
How Facebook will be allowed to use facial recognition
FTC: Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users.
The most immediate, direct impact on Facebook users will be in facial recognition and phone numbers. The background details are spelled out in a separate suit being brought by the Department of Justice against Facebook, which seeks civil penalties on top of the fine that Facebook agreed to.
Facebook uses facial recognition to “tag” people in your photos. In addition to the social aspects, Facebook now says it uses facial recognition to alert you to photos that others have uploaded with you in them, conceivably without your consent. Facebook also uses photos to verify that you are who you say you are, as part of account authorization.
With Facebook, though, it’s never simple. The DOJ suit lays out the step-by-step methods it alleges Facebook used to convince you to turn on facial recognition. What the DOJ objected to was that Facebook essentially turned on facial recognition for 30 million existing users without their consent, and an additional 30 million new users were opted in to facial recognition without consent.
One question left unanswered is whether the FTC’s new order will satisfy the DOJ, whose separate suit was also filed Wednesday. Another, of course, is how Facebook will treat facial recognition that a user has already opted into. Finally, how up-front will Facebook be with “material” new uses for facial recognition, that you’ll need to opt into?
How Facebook will be allowed to use your phone number
FTC: Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising.
Between 2015 and 2018, Facebook encouraged users to sign up for two-factor authentication, including texting a code to your phone number. What Facebook didn’t tell you is that the phone number was also being handed over to advertisers, according to the DOJ. As recently as November, 2018, Facebook was still asking for your phone number for 2FA without disclosing that it was also providing it to advertisers.
The FTC doesn’t say much here, so we don’t know whether the ruling will bar this behavior going forward, or attempt to undo past actions as well.
How Facebook will be required to manage your passwords
FTC: Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plain text. Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.
In April, Facebook disclosed that hundreds of millions of passwords were stored in “a readable format” within its servers, and accessible to its own developers. The FTC wants to put an end to it.
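What the order’s password requirement means in engineering terms, as an added example (this is not Facebook’s code and is not taken from the FTC order): passwords are stored only as salted, iterated hashes, and log output is scanned for credential fields that reached disk in the clear. The log format, field names, regex patterns and PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Assumed work factor for PBKDF2-HMAC-SHA256 (standard library); tune for
# production hardware. A password hash, unlike "encryption", cannot be
# reversed to recover the password even by someone holding the key material.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash string: algo$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Assumed detector for the "regularly scan" requirement: credential-looking
# key/value fields in log lines. Values that are already hashes or redaction
# markers are not findings.
PLAINTEXT_PATTERN = re.compile(r'(?i)\b(password|passwd|pwd)\s*[=:]\s*"?([^"&\s,]+)')
HASH_PREFIXES = ("pbkdf2_sha256$", "$2b$", "$argon2")
REDACTED_MARKERS = ("[REDACTED]", "***")


def find_plaintext_passwords(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, field name, value) for each apparent plaintext password."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        for match in PLAINTEXT_PATTERN.finditer(line):
            value = match.group(2)
            if value.startswith(HASH_PREFIXES) or value in REDACTED_MARKERS:
                continue
            findings.append((lineno, match.group(1), value))
    return findings


# Constructed sample log lines (not real Facebook logs).
SAMPLE_LOG = [
    "2019-03-21T10:00:01Z INFO login_attempt user=alice password=hunter2 result=ok",
    "2019-03-21T10:00:02Z INFO login_attempt user=bob password=[REDACTED] result=ok",
    '2019-03-21T10:00:03Z DEBUG credential_check pwd="pbkdf2_sha256$200000$00ff$abcd"',
    "2019-03-21T10:00:04Z INFO profile_update user=carol field=hometown",
]

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored form:", stored)
    print("verify ok:", verify_password("correct horse battery staple", stored))
    for lineno, field, value in find_plaintext_passwords(SAMPLE_LOG):
        print(f"line {lineno}: field {field!r} holds plaintext value {value!r}")
```

Only the first sample line is reported: the redacted value and the already-hashed value are skipped, which is the distinction a scanner needs if it is to run continuously without drowning reviewers in false positives.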
The FTC settlement also requires Facebook to “establish, implement, and maintain a comprehensive data security program.”
How Facebook will be allowed to broker your data to advertisers
FTC: Facebook must exercise greater oversight over third-party apps, including terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data.
The major thrust of the FTC’s consent decree is to oversee how Facebook sells your data to third-party advertisers. Again, there’s nothing here about limiting Facebook’s ability to actually acquire your data. (The FTC also said Wednesday that it had sued Cambridge Analytica, the developer of the “thisisyourdigitallife” app, which in or around 2014 allegedly collected personal information from Facebook users after the app claimed that it wouldn’t do so.)
Both the FTC and DOJ alleged that Facebook hadn’t told users how it was using data collected on you and your friends.
In April, 2014, Facebook announced that it would stop allowing third-party app developers to collect data on your Facebook friends, as well as on you. The FTC said, however, that Facebook privately told developers that it could collect data on friends through April, 2015, if they had an app on the platform. At the same time, Facebook told reporters that it had deprecated, or phased out, what it called Graph API V1, which allowed app access to friend data. Instead, the company said, Graph API V2 would be used, which blocked third-party developers from accessing that data. But what Facebook didn’t tell anyone is that more than two dozen “whitelisted” developers were still given access to Graph API V1 and the friends data, according to the DOJ.
That data included “users’ bios, birthdays, family and relationships, websites, status updates, photos, videos, links, notes, hometowns, current cities, education histories, work histories, activities, interests, ‘likes,’ app activity, and status of being online.” All were sent to the third-party app developers, the DOJ said.
“In some instances,” the suit alleges, “the apps called for data about Affected Friends in numbers that greatly exceeded the number of the apps’ monthly active users. For example, one app highlighted in the audit made more than 450 million requests for data—roughly 33 times its monthly active users.”
It appears that the FTC is giving Facebook some leeway in determining whether third-party apps can “justify” their need for user data. That’s a bit problematic, given that the DOJ’s suit alleges that Facebook confirmed the need for data only with app developers spending more than $250,000 on Facebook. Apps spending less than that had their privileges automatically revoked.
So what’s changed? Other than the oversight committees, it’s hard to say. In a Facebook post, Zuckerberg offered yet another pledge to protect privacy: “We have a responsibility to protect people’s privacy,” he wrote, in a post cited by the company. “We already work hard to live up to this responsibility, but now we’re going to set a completely new standard for our industry.”
Did the agreement go far enough?
It’s clear that financially, Facebook won’t materially feel the effects of the fine save for a quarter or two. When news of the proposed settlement leaked a short time ago, Facebook’s stock actually went up.
It’s worth noting that the FTC agreement was agreed to by a 3-2 vote, with the dissenting commissioners strongly objecting. Commissioner Rohit Chopra wrote that the agreement gave Facebook executives “blanket immunity” and argued that it would not provide significant change. “[T]he order allows Facebook to decide for itself how much information it can harvest from users and what it can do with that information, as long as it creates a paper trail,” he wrote.