Focusing public attention on emerging privacy and civil liberties issues

In re Facebook II

Top News

  • Facebook Timeline Changes User Privacy Settings. Again.: Without user consent, Facebook announced today that it would post archived user information, making old posts available under Facebook's current downgraded privacy settings. Users have just a week to clean up their history before Timeline goes live. The surprising announcement follows a recent decision by the Federal Trade Commission which found that the company had engaged in "unfair and deceptive" trade practices when it changed the privacy settings of its users. EPIC initiated that complaint and is now urging FB users to submit comments to strengthen the proposed settlement. For more information, see EPIC - In Re Facebook and EPIC - Facebook and Privacy. (Dec. 15, 2011)
  • Federal Trade Commission Announces Settlement in EPIC Facebook Privacy Complaint: The Federal Trade Commission has announced an agreement with Facebook that follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. In 2009, the EPIC first asked the FTC to investigate Facebook's decision to change its users' privacy settings in a way that made users' personal information, such as Friend lists and application usage data, more widely available to the public and to Facebook’s business partners. The violations are also detailed in the FTC’s 8-count complaint against the company. The proposed settlement agreement bars Facebook from making future changes privacy settings without the affirmative consent of users and requires the company to implement a comprehensive privacy protection program and submit to independent privacy audits for 20 years. The settlement does not adopt EPIC's recommendation that Facebook restore users' privacy settings to pre-2009 levels. Facebook CEO Mark Zuckerberg reacted to the settlement in a post on Facebook's blog, saying that he was "first to admit that we've made a bunch of mistakes." For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission. (Nov. 29, 2011)
  • FTC Releases Agenda for Facial Recognition Workshop: The Federal Trade Commission has announced the agenda and panelists for a workshop exploring the privacy and security issues raised by the increased use of facial recognition technology. The workshop will be held December 8, 2011 at the FTC Conference Center, and will feature diverse panelists with consumer protection, privacy, business, international, and academic backgrounds. EPIC Senior Counsel John Verdi will speak on the panel "Facial Detection & Recognition: Exploring the Policy Implications." EPIC has a complaint pending before the FTC over Facebook's use of facial recognition technology to build a secret database of users' biometric data and to enable the company to automatically tag users in photos. For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission. (Nov. 22, 2011)
  • WSJ: Facebook Close to Settlement with FTC over EPIC Complaint : The Wall Street Journal reports that the Federal Trade Commission is finalizing a settlement with Facebook that follows from a complaint from EPIC and a coalition of US consumer and privacy organizations. In 2009, the organizations urged the Commission to investigate Facebook's decision to change its users' privacy settings which made the personal information of Facebook users more widely available to Facebook's business partners and the public. According to the Wall Street Journal, the settlement would require Facebook to obtain "express affirmative consent" if Facebook makes "material retroactive changes," and to submit to independent privacy audits for 20 years. For more information, see EPIC: In re Facebook, EPIC: Facebook Privacy and EPIC: Federal Trade Commission. (Nov. 10, 2011)
  • Sen. Rockefeller Requests FTC Report on Facial Recognition Technology: Senator John D. Rockefeller (D-WV) sent a letter requesting that the Federal Trade Commission assess the use of facial recognition technology and recommend legislation to protect privacy. Facial recognition technology is being used by technology firms and also police agencies, which has raised civil liberties concerns. The letter cited mobile applications such as SceneTap, which "tracks the male/female ratio and age mix of the crowd [in bars]" and digital advertising at the Venetian Resort in Las Vegas that tailors ads to the person standing in front of the display based on recognition of that person’s age and gender. The FTC will hold a workshop on facial recognition technology on December 8, 2011. EPIC's complaint regarding Facebook's facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, and EPIC: Facial Recognition. (Oct. 20, 2011)
  • Facebook Makes Some Changes, Privacy Complaints Still Pending: In response to several complaints filed by EPIC with the Federal Trade Commission, Facebook announced that it would make some changes in its business practices, including providing more accurate information about the disclosure of user data to others and new safeguards for photo tagging. EPIC, along with several privacy organizations, filed several complaints with the FTC about FB's automated tagging of users, changes in Privacy settings, and transfers of personal data, stating that Facebook's practices were "unfair and deceptive." Facebook's recent actions address some but not all of the issues raised by the consumer organizations. The complaint at the FTC are still pending. For more information see EPIC: Facebook Privacy. (Aug. 29, 2011)
  • Facebook Makes Changes to Facial Recognition; Still Relying on Opt-Out: In response to a letter from the Connecticut Attorney General, Facebook agreed to run ads that link users to their privacy settings and show them how to opt-out of Facebook's facial recognition program. The ads are new, but Facebook has failed to implement an opt-in model for its facial recognition technology. EPIC, along with several other organizations, filed a complaint with the Federal Trade Commission concerning Facebook's unfair and deceptive trade practices regarding biometric data collection. EPIC urged the FTC to require Facebook to suspend the program pending a full investigation. EPIC also urged the Commission to require Facebook to establish stronger privacy safeguards and an opt-in regime for the facial recognition scheme. For more information, see EPIC: In re Facebook and the Facial Identification of Users. (Jul. 27, 2011)
  • Congressman Markey Commends EPIC, Privacy Groups for Filing Facebook Complaint: Congressman Ed Markey today expressed support for the complaint filed last week by EPIC and privacy groups concerning Facebook's new scheme for online tagging. In a published statement, Congressman Markey said, "The Federal Trade Commission should investigate this important privacy matter, and I commend the consumer groups for their filing. When it comes to users’ privacy, Facebook’s policy should be: 'Ask for permission, don’t assume it.' Rather than facial recognition, there should be a Facebook recognition that changing privacy settings without permission is wrong. I encourage the FTC to probe this issue and will continue to closely monitor this issue." EPIC and consumer groups now have several complaints regarding Facebook pending at the FTC. For more information, see EPIC - In re Facebook and EPIC - In re Facebook II, and EPIC - Facebook and Privacy. (Jun. 14, 2011)
  • EPIC Files Complaint, Urges Investigation of Facebook's Facial Recognition Techniques: Today EPIC, and several privacy organizations, filed a complaint with the Federal Trade Commission about Facebook's automated tagging of Facebook users. EPIC alleged that the service was unfair and deceptive and urged the FTC to require Facebook to suspend the program, pending a full investigation, the establishment of stronger privacy standards, and a requirement that automated identification, based on user photos, require opt-in consent. EPIC alleged that "Users could not reasonably have known that Facebook would use their photos to build a biometric database in order to implement a facial recognition technology under the control of Facebook." EPIC warned that "absent injunctive relief by the Commission, Facebook will likely expand the use of the facial recognition database it has covertly established for purposes over which Facebook users will be able to exercise no meaningful control." EPIC has previously filed two complaints with the Commission regarding Facebook. For more information see EPIC: Facebook Privacy. (Jun. 10, 2011)
  • Facebook Resumes Plan to Disclose User Home Addresses and Mobile Phone Numbers: Facebook indicated in a letter to Rep. Markey (D-MA) and Rep. Barton (R-TX) that it will go forward with a proposal to provide users' addresses and mobile phone numbers to third-party application developers. The Congressman earlier expressed concern about the proposal. Facebook also wrote that it may disclose the home addresses and mobile numbers of minors who use the social networking service. Facebook suspended the plan after EPIC and others objected. EPIC and several consumer organizations have complaints pending at the Federal Trade Commission concerning Facebook's earlier changes to users' privacy settings. For more information, see EPIC: In re Facebook, EPIC: In re Facebook II, and EPIC: Facebook Privacy. (Mar. 2, 2011)

Summary of EPIC's Facebook Complaint

On May 7, 2010, EPIC and fourteen other organizations filed a complaint with the Federal Trade Commission, alleging that Facebook has engaged in unfair and deceptive trade practices. The complaint addresses Facebook's latest round of changes, including linking profile information, abolishing the 24 hour data retention limit for developers, instituting social plugins and "Instant Personalization," and the use of cookies by Facebook to track users' internet activity.

In the complaint, EPIC asks the FTC to open an investigation into Facebook, to compel Facebook to allow users to choose whether to link and publicly disclose personal information, to compel Facebook to restore its previous requirement that developers retain user information for no more than 24 hours, and to compel Facebook to make its data collection practices clearer and more comprehensible. The following organizations signed onto the complaint:

  • The Electronic Privacy Information Center
  • The Bill of Rights Defense Committee
  • The Center for Digital Democracy
  • The Center for Financial Privacy and Human Rights
  • Center for Media and Democracy
  • Consumer Federation of America
  • Consumer Task Force for Automotive Issues
  • Consumer Watchdog
  • FoolProof Financial Education
  • Patient Privacy Rights
  • Privacy Activism
  • Privacy Journal
  • The Privacy Rights Clearinghouse
  • The U.S. Bill of Rights Foundation
  • U.S. PIRG

Background

Facebook

Facebook is a social networking site founded in 2004 by Harvard student Mark Zuckerberg. The site “connects people with friends and others who work, study and live around them.” As of December 2009, Facebook has nearly 150 million users in the United States.

Facebook and Privacy

Facebook has had a controversial history with respect to privacy. In 2006, Facebook launched a feature called “News Feed” which allowed users to track their friends’ Facebook updates and activity in real time. Within 24 hours, hundreds of thousands of the site’s users protested the feature. One Facebook group, “Students against Facebook News Feed” grew to 284,000 members within just a few days. As a result of the widespread protest, Mark Zuckerberg wrote an open letter to Facebook users, apologizing for doing a “bad job of explaining what the new features were and an even worse job of giving you control of them." Facebook then updated its privacy settings to allow for more user control over the News Feed Feature.

In 2007, Facebook launched Facebook Beacon, which allowed a Facebook user’s purchases to be publicized on their friends’ News Feed after transacting with third-party sites. Users were unaware that such features were being tracked, and the privacy settings originally did not allow users to opt out. As a result of widespread criticism, Facebook Beacon was shut down in 2009.

In February 2009, Facebook changed its Terms of Service. The new TOS allowed Facebook to use anything a user uploads to the site for any purpose, at any time, even after the user ceased to use Facebook. Further, the TOS did not provide for a way that users could completely close their account. Rather, users could “deactivate” their account, but all the information would be retained by Facebook, rather than deleted. EPIC planned to file an FTC complaint, alleging that the new Terms of Service violated the FTC Act Section 5, and constituted “unfair and deceptive trade practices.” In response to this planned complaint, and user criticism, Facebook returned to its previous Terms of Service.

EPIC's Previous Facebook Complaint

In late 2009, Facebook rolled out another round of changes which required mandatory disclosure of profile information that had previously been protected by users' privacy settings. The site automatically made some user information, including users' names, profile pictures, friends lists, fan pages, gender, and networks, available to the public, including to third-party developers, without offering users a choice to opt-out. The new Facebook privacy policy stated that “certain categories of information . . . are considered publicly available to everyone, including Facebook-enhanced applications, and therefore do not have privacy settings.” Consequently, users could no longer control who views certain types of information and could not prevent third-party applications from viewing certain types of information. EPIC, along with several other organizations, filed a complaint and supplemental complaint, with the FTC, citing "unfair and deceptive trade practices," and urging the agency to investigate.

EPIC filed a supplemental complaint regarding several Facebook services, including Facebook Connect and iPhone syncing. EPIC alleged that Facebook's representations regarding Facebook Connect and iPhone syncing were unfair and deceptive because users who employ the services are not informed beforehand that they will no longer have control over their information.

To date, the FTC has failed to take any action regarding these complaints.

EPIC's FTC Complaint

EPIC’s FTC complaint is signed by a number of other organizations, including the Bill of Rights Defense Committee, the Center for Digital Democracy, the Center for Financial Privacy and Human Rights, the Center for Media and Democracy, the Consumer Federation of America, the Consumer Task Force for Automotive Issues, Consumer Watchdog, FoolProof Financial Education, Patient Privacy Rights, Privacy Activism, Privacy Journal, the Privacy Rights Clearinghouse, the U.S. Bill of Rights Foundation, and U.S. PIRG.

The complaint highlights several aspects of Facebook’s most recent changes that threaten its users’ privacy. The complaint focuses on Facebook's unfair and deceptive trade practice of sharing of user information with the public and with third-party application developers. First, the complaint argues that Facebooks decision to force users to make previously protected information "publicly available" is an unfair practice. Second, the complaint argues that Facebook’s new social plugins and instant personalization are misleading and deceptive. Third, Facebook deceives users by not clearly informing them about cookies which Facebook uses to track users' internet activity. Fourth, Facebook's decision to allow developers to maintain user information indefinitely contradicts its previous policies and assurances to users.

Facebook now requires mandatory disclosure of even more information, including users' music, film, television, and literature preferences, employment information, educational information, current city, hometown, activities, interests, and likes and dislikes. Facebook forced users to convert information that had previously been protected under privacy settings into "links," which are "publicly available" information. Users were not given a choice to opt-out of this process. Users could either convert profile information into "links" or Facebook would remove the information from that user's profile. These changes contradict earlier assurances made by the company that users would be empowered to protect their information because, as Facebook stated, "you may not want everyone in the world to have the information you share on Facebook.”

The changes also contradict users' reasonable expectation about their privacy. Facebook allows users to adjust their privacy settings, but these adjustments have no practical effect on the public availability of information such as pages, links, employment information, and film and music preferences. Even if a user adjusts her settings so this information is limited to "friends only," the information may not be visible on the user's profile, but it is still publicly available elsewhere.

EPIC's complaint also alleges that Facebook's social plugin program is unfair and deceptive. Facebook has also developed a social plugin program that encourages users to interact with websites across the internet. “Social plugins” are buttons or boxes that appear on third party websites that prompt a Facebook user to click on or comment on items of interest. For example, is a user chooses to "Like" a news article by clicking on a "Like" button, this action is displayed on the third party website, disclosed to the user's friends and appears on the user's Facebook profile. This interaction results in user information being shared with those websites and the user's interaction being published to her friends on her "news feed." This sharing of information is not apparent to users, though, because all that users see when they navigate to a social plugin site is a small "like" or "recommend" button. There is nothing about the button which indicates the vast underlying exchange of information that occurs when a user clicks on it.

Facebook's new Instant Personalization feature is also problematic. Instant personalization allows three partner websites - Microsoft Docs, Pandora, and Yelp - to use cookies and users' "publicly available" information to serve Facebook users a tailored "experience." Pandora, for example, uses information in a user's profile to serve him music based on his stated music preferences and his friends' music preferences. Facebook disclosed user information to these three partner sites without users ever granting their permission.

Facebook has also changed its developer data retention rule in a way that profoundly affects users, without ever gaining users' consent. Previously, Facebook had limited developers data retention by mandating that developers delete user information after 24 hours. That rule was abolished to allow developers to maintain user information indefinitely.

Facebook has also failed to be transparent regarding its use of cookies. Facebook uses cookies to track users across the internet, destroying their ability to surf the internet anonymously. EPICs complaint argues that the use of cookies is not obvious to Facebook users or controllable under the privacy settings.

These changes together amount to a massive disclosure of user information that had previously been protected under users' privacy settings. This information has now been disclosed to third parties and can be retained indefinitely.

FTC Authority to Act

The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. ยง 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.

Legal Documents

News Stories and Blog Items