Social Networking Privacy
Latest News/Events
- EPIC Urges FTC Investigation into Facebook Timeline: EPIC sent a letter requesting that the Federal Trade Commission determine whether changes Facebook has made to the profiles of its users are consistent with the terms of a settlement reached between Facebook and the FTC. EPIC's letter states that "with Timeline, Facebook has once again taken control over the user's data from the user and has now made information that was essentially archived and inaccessible widely available without the consent of the user." The settlement requires Facebook to give users clear and prominent notice and obtain users' express consent before changing their privacy settings. EPIC sent a similar letter to the FTC about Timeline and the secret tracking of users in September 2011. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (Dec. 28, 2011)
- EPIC Submits Comments on FTC Facebook Privacy Settlement: EPIC submitted comments to the FTC on a proposed settlement with Facebook. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. However, EPIC said that the settlement is "insufficient to address the concerns originally identified by EPIC and the consumer coalition, as well as those findings established by the Commission." In order to address the issues raised by the complaints, respond to recent changes in Facebook's business practices like Timeline, and fulfill the FTC's duty to act in the public interest, EPIC recommended that the settlement be improved. Specifically, EPIC recommended that the FTC require Facebook to restore the privacy settings users had in 2009; give users access to all of the data that Facebook keeps about them; stop making facial recognition profiles without users' consent; make the results of the government privacy audits public; and stop secretly tracking users across the web. For more information, see EPIC: Facebook Privacy, and EPIC: FTC Facebook Settlement. (Dec. 28, 2011)
- EPIC Sues DHS Over Covert Surveillance of Facebook and Twitter: EPIC has filed a Freedom of Information Act lawsuit against the Department of Homeland Security to force disclosure of the details of the agency's social network monitoring program. In news reports and a Federal Register notice, the DHS has stated that it will routinely monitor the public postings of users on Twitter and Facebook. The agency plans to create fictitious user accounts and scan posts of users for key terms. User data will be stored for five years and shared with other government agencies. The legal authority for the DHS program remains unclear. EPIC filed the lawsuit after the DHS failed to reply to an April 2011 FOIA request. For more information, see EPIC: Social Networking Privacy. (Dec. 20, 2011)
- Facebook Timeline Changes User Privacy Settings. Again.: Without user consent, Facebook announced today that it would post archived user information, making old posts available under Facebook's current downgraded privacy settings. Users have just a week to clean up their history before Timeline goes live. The surprising announcement follows a recent decision by the Federal Trade Commission which found that the company had engaged in "unfair and deceptive" trade practices when it changed the privacy settings of its users. EPIC initiated that complaint and is now urging FB users to submit comments to strengthen the proposed settlement. For more information, see EPIC - In Re Facebook and EPIC - Facebook and Privacy. (Dec. 15, 2011)
- EPIC Launches Campaign Urging Public Comment on Facebook Privacy Settlement: EPIC launched the "Fix FB Privacy Fail" campaign to encourage the public to support improvements to a settlement between Facebook and the FTC. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. Although the proposed settlement is far-reaching, there are several ways in which it could be improved. EPIC has recommended that the FTC require Facebook to restore the privacy settings users had in 2009; give users access to all of the data that Facebook keeps about them; stop making facial recognition profiles without users' consent; make the results of the government privacy audits public; and stop secretly tracking users across the web. The period for public comment on the proposed settlement ends on December 30. The campaign also allows users to sign on to the petition without using Facebook. For more information, see EPIC: FTC Facebook Settlement. (Dec. 13, 2011)
- Federal Trade Commission Announces Settlement in EPIC Facebook Privacy Complaint: The Federal Trade Commission has announced an agreement with Facebook that follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. In 2009, EPIC first asked the FTC to investigate Facebook's decision to change its users' privacy settings in a way that made users' personal information, such as Friend lists and application usage data, more widely available to the public and to Facebook’s business partners. The violations are also detailed in the FTC’s 8-count complaint against the company. The proposed settlement agreement bars Facebook from making future changes to privacy settings without the affirmative consent of users and requires the company to implement a comprehensive privacy protection program and submit to independent privacy audits for 20 years. The settlement does not adopt EPIC's recommendation that Facebook restore users' privacy settings to pre-2009 levels. Facebook CEO Mark Zuckerberg reacted to the settlement in a post on Facebook's blog, saying that he was "first to admit that we've made a bunch of mistakes." For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission. (Nov. 29, 2011)
- Federal Trade Commission to Announce Settlement in EPIC Facebook Privacy Complaint: The Federal Trade Commission has scheduled a 1:00 pm EDT press conference to announce a privacy settlement with Facebook, following a complaint that was filed by EPIC and other consumer and privacy organizations. More news to follow. (Nov. 29, 2011)
- Federal Judge Orders Twitter to Turn Over Information About WikiLeaks Supporters: A federal district judge in Virginia has ordered Twitter to make available to the Justice Department the personal information - including IP addresses, session times, and relationships between other Twitter users - of people who may have supported WikiLeaks. In reaching this decision, Judge O'Grady relied on a revised version of Twitter's privacy policy, which was not in place when the users signed up. Under the Court's order the Department of Justice may obtain the data with a warrant under the Stored Communications Act. The targets of the Department of Justice's investigation are the WikiLeaks Twitter account and the accounts of three people connected to the group: Seattle coder and activist Jacob Appelbaum; Birgitta Jonsdottir, a member of Iceland's parliament; and Dutch businessman Rop Gonggrijp. EPIC has several FOIA requests pending with US federal agencies concerning the investigation of WikiLeaks. For more information see EPIC: Social Networking Privacy. (Nov. 17, 2011)
- WSJ: Facebook Close to Settlement with FTC over EPIC Complaint: The Wall Street Journal reports that the Federal Trade Commission is finalizing a settlement with Facebook that follows from a complaint from EPIC and a coalition of US consumer and privacy organizations. In 2009, the organizations urged the Commission to investigate Facebook's decision to change its users' privacy settings which made the personal information of Facebook users more widely available to Facebook's business partners and the public. According to the Wall Street Journal, the settlement would require Facebook to obtain "express affirmative consent" if Facebook makes "material retroactive changes," and to submit to independent privacy audits for 20 years. For more information, see EPIC: In re Facebook, EPIC: Facebook Privacy and EPIC: Federal Trade Commission. (Nov. 10, 2011)
- Congress, #KWTK Presses Facebook to Disclose Secret Profiles: Lawmakers in Washington have sent a letter to Mark Zuckerberg, Facebook's CEO, asking questions about the company's data retention practices, following a news report that a single European Facebook user obtained more than 1,200 pages of his own personal data from the company, including information that he had previously deleted. Following an effort of privacy advocates in Europe, EPIC has launched the KWTK (Know What They Know) campaign and is urging Facebook users to obtain their complete "data dossier" from the company. For more information, see EPIC: Facebook Privacy and EPIC:#kwtk. (Oct. 31, 2011)
- International Privacy Officials Recommend Social Networking Privacy Safeguards. The International Working Group On Data Protection in Telecommunications has released a report and guidance (pdf) on privacy in social networking services. The report identifies risks to privacy and security, and provides guidance to regulators, service operators and users to counter these risks. Risks include the large amount of data collection; the misuse of profile data by third parties; insecure infrastructure and application programming interfaces. Regulators should ensure openness, and oblige data breach notification. Providers must be transparent; live up to promises made to users; and use privacy friendly defaults. Privacy and consumer groups are also recommended to raise the awareness of regulators, providers and the general public. (Apr. 17, 2008)
- Facebook Caves to Privacy Demands, Adopts Limited Opt-In. Social networking site Facebook.com significantly modified the privacy features of its new "Beacon" advertising system. Facebook users found their purchases on third party sites were being broadcast to their Facebook friends. Users had only limited options for opting out of the broadcast. In response to complaints from EPIC, the Center for Digital Democracy, Moveon.org, and thousands of users, Facebook will now ask that users opt-in before broadcasting their details. Facebook will continue to collect information from third party sites and will continue to ask for opt-ins until the user consents. See also EPIC's Facebook Privacy Page. (Nov 30, 2007)
- Facebook to Collect, Distribute User Interactions With Third Party Sites. Social networking website Facebook.com introduced its "Beacon" feature to much controversy. Facebook users who shop at third party websites will have their purchases broadcast to their friends via Facebook. Facebook receives this third party information and shares it unless users opt out during a brief pop-up window at the third party site. Interest group MoveOn.org has started a petition campaign and Facebook group against this feature. The MoveOn petition and Facebook group demand that Facebook share user information only with explicit opt-in permission. Facebook considered, but did not adopt, a blanket opt-out for the Beacon feature. (Nov 28, 2007)
- Facebook Unveils New "Social Ads." Social networking site Facebook.com unveiled "social ads," a new advertising product. Marketers create Facebook profiles and purchase advertising targeting other users' profile information. Further, a user's name and picture will be shown to their friends in promotion of a product after that user interacts with the marketer in some way. A law professor has questioned whether this violates the privacy tort prohibiting commercial appropriation of name and likeness. Facebook's privacy settings do not currently allow one to opt out of receiving marketing or being used in it. (Nov. 14, 2008)
Background
Social networking Web sites, such as Facebook, MySpace, Twitter, Google Buzz, LinkedIn and Friendster have become established forums for keeping in contact with old acquaintances and meeting new ones, for sharing personal information, and for establishing mobile communication capabilities. Users can create their own Web page and post details about themselves: where they went to school, their favorite movie titles, and their relationship status. They can link to friends on the same site, whose photos, names, and perhaps a brief description, will also appear on the Web page. They can communicate with friends and establish business contacts. While these Web sites are useful tools for exchanging information, there has been growing concern over breaches in privacy caused by these social networking services. Many users feel that their personal details are being circulated far more widely than they would like.
Who Gets Access?
Social networking sites give their users an easy way to share information about themselves. However, many users are quickly finding that the information they intend to share with their friends can all too easily find its way into the hands of the authorities, strangers, the press, and the public at large. For example, job recruiters are looking to these sites as well as performing more traditional background checks on potential employees. Performing a search using these sites may result in retrieving a substantial amount of personally identifiable information about a person.
Many sites restrict who can join a site, and therefore access a user's information. Many Web sites include age stipulations in their terms of use. Friendster, for example, requires that all its users be over 16, and this requirement is flagged on the registration form. Facebook and MySpace both require that users be 13 years of age. Other Web sites, like LinkedIn and Orkut, require that users be part of a particular, in this case professional, community before they join and users are therefore only accepted by invitation. Facebook is now open to anyone who wants to register but still requires a user to show that he or she is a member of a given community before adding them to that network of users. However, the ease with which digital information can be copied and distributed means that anyone within the authorized group may still pass the information along to others. Also, Web sites are routinely sharing user information with third parties for advertising purposes.
Facebook has more limited search features than MySpace. As of May 2010, Facebook users can control whether their profiles are available to those who enter a user’s name into a public search engine. By default, this public search function is enabled; however, users have the ability to disable this function through a series of links starting on the main privacy settings page. Facebook users who are registered with the site, by contrast, can use the site to conduct a search of those already on their list of contacts, or those users who make their information available to every Facebook user.
Facebook has undergone many changes to its privacy policy since 2006, many of which have resulted in less user control over who gets access to their personal information. EPIC filed two complaints with the Federal Trade Commission (FTC) focusing on Facebook's unfair and deceptive trade practice of sharing of user information with the public and with third-party application developers. The first complaint, In re Facebook (December 17, 2009) and Supplemental Complaint (January 14, 2010), focuses on Facebook's unfair and deceptive trade practice of sharing of user information with the public and with third-party application developers. First, the complaint argues that Facebook's decision to force users to make previously protected information "publicly available" is an unfair practice. Second, the complaint argues that Facebook’s new social plugins and instant personalization are misleading and deceptive. Third, Facebook deceives users by not clearly informing them about cookies which Facebook uses to track users' internet activity. Fourth, Facebook's decision to allow developers to maintain user information indefinitely contradicts its previous policies and assurances to users.
EPIC’s second complaint against Facebook to the FTC, filed on May 5, 2010, focuses on Facebook's unfair and deceptive trade practice of sharing of user information with the public and with third-party application developers. First, the complaint argues that Facebook's decision to force users to make previously protected information "publicly available" is an unfair practice. Second, the complaint argues that Facebook’s new social plugins and instant personalization are misleading and deceptive. Third, Facebook deceives users by not clearly informing them about cookies which Facebook uses to track users' internet activity. Fourth, Facebook's decision to allow developers to maintain user information indefinitely contradicts its previous policies and assurances to users.
After EPIC’s second FTC complaint against Facebook, and public criticism of Facebook’s privacy policies, Facebook again altered its privacy policy. As of the latest round of changes to its privacy settings in May 2010, users have the ability to control access to most of their personal information, including Basic Information (friend lists, education and work, current city and hometown, interests and Pages), bio, status, photos, posts, religious and political views, relationships, birthday, email address, phone number, and address. Users also have the ability to disable participation in platform applications, games, and third-party websites, thereby preventing such third parties from having access to their personal data. However, like the public search option, users must opt out of disclosing their personal information to platform applications, games, and websites.
Also, a number of privacy issues raised in EPIC’s FTC complaints remain unresolved as of the latest Facebook privacy changes. Facebook still allows developers to maintain user information indefinitely. Facebook has also failed to be transparent regarding its use of cookies. Facebook uses cookies to track users across the internet, destroying their ability to surf the internet anonymously. EPIC's complaint argues that the use of cookies is not obvious to Facebook users or controllable under the privacy settings.
These changes together amount to a massive disclosure of user information that had previously been protected under users' privacy settings. This information has now been disclosed to third parties and can be retained indefinitely.
Most recently, Google launched their own social networking service. On February 9, 2010, Google introduced Buzz, a social networking service linked to Gmail, Google’s email service. There are currently over 37 million Gmail users in the United States. Google Buzz is an opt-out service that compiles a Gmail user’s social networking list based on address book and Gchat list contacts. When users checked their email through Gmail on February 9th, they were confronted with a screen introducing the new service as “Gmail + buzz.” Whether the user clicked on “Sweet! Check out Buzz” or “Nah, go to my inbox,” Google Buzz was activated, and a list of followers and “people who you follow” were already populated using frequent contacts. These lists were publicly viewable by other Gmail users, and if a user had a Google profile, this information was publicly indexed by search engines.
Google experienced a strong backlash from users who were unhappy that their Gmail address books were essentially published for all to see. Address book contacts routinely contain deeply personal information, including the names and email addresses of estranged spouses, current lovers, attorneys and doctors. In response to user outcry, Google made several changes to its Google Buzz service. Despite these changes, Google still compiled social networking lists based on address book contacts without first notifying users, and allowed such information to be publicly indexed by search engines without clearly notifying users.
Google users were still not satisfied, and on February 13, 2010, Google made additional changes to the Google Buzz service. Rather than using an auto-follow structure for the “people who you follow” list, Google now uses an auto-suggest model, where users can pre-screen who they follow. However, the auto-follow model is still in place for the “followers” list, or list of “people who follow you.” The burden remains on users to constantly check and block their followers.
MySpace also entered the Facebook and Google Buzz privacy debates in May 2010. However, while MySpace seems to have simplified its privacy controls, the default privacy settings for users as well as the amount of information available to non-users via search functions remain the same. MySpace allows the general public to search its database of members by display name, full name, MySpace URL, or email. This search can be filtered by gender, age, city, state, or zip code, country, and users who display photos or display name and photos. If users have not changed their privacy settings from the default level, searchers can view users’ whole profiles. These profiles may include personal information such as occupation, hometown, sexual orientation, ethnicity, and religion, as well as photos of users, their family, and their friends.
Friendster, the predecessor to Facebook, MySpace, and Google Buzz, also restricts searches to members. However, members can view other users' full profiles, whether they are on the member's contact list or not. Notably, if the person searched for does not turn up in the Friendster database, the Friendster search engine provides a direct link to a data broker, which offers to search for the person.
Users who expect their information to be viewed only by people they know may be dismayed to realize how broadly their personal data is disseminated. Once it is published online, they retain little control over it. While a person's real-world friends may not all have the same level of access to that person's personal information, the hundreds of "friends" on a social networking profile all have the same status, and access to everything posted online.
Default privacy settings on individual accounts allow a great deal of information to be displayed to anyone who views a profile; personal features such as blogs and comments would be accessed by anyone viewing a profile page. If the default settings were set at a higher level, users would immediately have more control. A user who did not want every detail of his or her profile available to those outside their network of friends, or who did not want to allow photographs on his or her profile page to be downloaded, for example, would not automatically be consenting to these actions as soon as he or she set up a profile page.
Hand in hand with this fact goes the possibility that any one of a user's several hundred "friends" can download this information and use it wherever and however they wish. In fact, access can extend beyond friends and members. Users need to realize that prospective employers, job recruitment agencies, law enforcement, and members of academic staff, can gain access to photographs, comments and information posted on profile pages, whether or not this information comports with the image you would like to portray to the world outside the network.
Control of Information: The Means of Dissemination Matters
More than other social networking services, Facebook has had a controversial history with respect to privacy and the means of disseminating personal user information. In September 2006, a change made by Facebook to how it distributed information caused an uproar among users. The change involved the introduction of a News Feed feature that gathered information on the actions of all of a user's contacts and compiled it into a chronological list on the user's home page. In response to the new feature, a grassroots movement began among Facebook's users. Students Against Facebook News Feed, one of many groups that petitioned against the new feature, claimed in its mission statement that Facebook "went a bit too far this time." Thousands of users voiced their complaints about the News Feed. "[Before,] you could make silly Facebook groups without having to worry about who might find out…It's starting to feel like there's too many tags on you. It's like you have to cover your tracks," one user said.
Many groups were set up on Facebook to campaign against this feature. According to one group, "any user of this Web site may and often does have 'friends' who they barely know, if at all. Some people have friend counts in the four, five, and six hundreds. Is it right for Facebook to automatically broadcast a break up with a boyfriend or a denied friendship-add to all those most peripheral of relationships?" The comments of those who joined the various groups echoed the general dissatisfaction among users. "The new features are almost like it's trying to make me be a stalker even though I don't want to," said one user.
Although they had already published information on their sites, the protesting Facebook users recognized that privacy can be incorporated in the ways that information is distributed, and not just in who is permitted to see the information. In response to the negative reaction to News Feed, Facebook apologized. "Somehow we missed (the) point with News Feed and Mini-Feed and we didn't build in the proper privacy controls right away," Mark Zuckerberg, CEO of Facebook, said.
Users also objected to the fact that Facebook allowed News Feed to begin distributing their information without any warning. Users had no notice of the new feature and, more importantly, were not given the opportunity to decide whether they wanted their information to be shared in this way.
In 2007, Facebook launched Facebook Beacon, which allowed a Facebook user’s purchases to be publicized on their friends’ News Feed after transacting with third-party sites. Users were unaware that such features were being tracked, and the privacy settings originally did not allow users to opt out. As a result of widespread criticism, Facebook Beacon was shut down in 2009.
In February 2009, Facebook changed its Terms of Service. The new TOS allowed Facebook to use anything a user uploads to the site for any purpose, at any time, even after the user ceased to use Facebook. Further, the TOS did not provide for a way that users could completely close their account. Rather, users could “deactivate” their account, but all the information would be retained by Facebook, rather than deleted. EPIC planned to file an FTC complaint, alleging that the new Terms of Service violated the FTC Act Section 5, and constituted “unfair and deceptive trade practices.” In response to this planned complaint, and user criticism, Facebook returned to its previous Terms of Service.
In late 2009, Facebook rolled out another round of changes which required mandatory disclosure of profile information that had previously been protected by users' privacy settings. The site automatically made some user information, including users' names, profile pictures, friends lists, fan pages, gender, and networks, available to the public, including to third-party developers, without offering users a choice to opt-out. The new Facebook privacy policy stated that “certain categories of information . . . are considered publicly available to everyone, including Facebook-enhanced applications, and therefore do not have privacy settings.” Consequently, users could no longer control who views certain types of information and could not prevent third-party applications from viewing certain types of information. EPIC, along with several other organizations, filed a complaint and supplemental complaint, with the FTC, citing "unfair and deceptive trade practices," and urging the agency to investigate.
EPIC filed a supplemental complaint regarding several Facebook services, including Facebook Connect and iPhone syncing. EPIC alleged that Facebook's representations regarding Facebook Connect and iPhone syncing were unfair and deceptive because users who employ the services are not informed beforehand that they will no longer have control over their information.
To date, the FTC has failed to take any action regarding these complaints. However, the FTC did take action against Twitter. On June 24, 2010, the Federal Trade Commission (FTC) announced a significant enforcement action. The Commission's complaint against Twitter charged that "serious lapses in the company's data security allowed hackers to obtain administrative control of Twitter." The FTC found that the lax practices allowed access to nonpublic tweets even though the company assured users in its privacy policy that it was "very concerned about safeguarding the confidentiality of your personally identifiable information." Under the terms of the settlement, "Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information."
Facebook’s privacy policies illustrate the problems that may result from using an opt-out system. Opt-out systems assume consent in the absence of an affirmative act by the user, and so are less preferable than opt-in systems. An opt-in system gives the user more control, by allowing users to flag the specific disclosures they wish to activate. An opt-out system, on the other hand, allows widespread sharing of information, sometimes unknown to the user. This forces users to take the time to find and deactivate each disclosure in turn, to attain their desired level of security.
The privacy controls enabled by Facebook are more opt-out than opt-in. Default settings still disseminate most profile changes to all of a user's contacts. Facebook's solution still allows for those who do not bother to read through the "my privacy" section, located on the left hand side of the profile page, to end up sharing more than they expect.
In addition to problems with opt-out privacy protections, Google Buzz illustrates the privacy problems that arise when one kind of internet service—email—is transformed into another kind of service—social networking—without user consent. EPIC filed a complaint with the FTC on February 16, 2010 arguing that Google’s change in business practices and service terms violated user privacy expectations, diminished user privacy, contradicted Google’s own privacy policy, and may have also violated federal wiretap laws.
EPIC’s complaint begins by stressing the importance of email privacy. While email senders and recipients always have an opportunity to disclose email-related information to third parties, email service providers have a particular responsibility to safeguard the personal information that subscribers provide. Improper disclosure of even a limited amount of subscriber information by an email service provider can be a violation of both state and federal law. As an email service provider, Google’s attempt to convert the personal information of all of its customers into a separate service raises far-reaching concerns for subscribers and implicates both consumer and personal privacy interests.
The complaint goes on to describe Google Buzz and Google’s disclosure of users’ email contacts. Gmail contact lists routinely include deeply personal information, including the names and email addresses of estranged spouses, current lovers, attorneys and doctors. The frequency with which a user communicates with a given contact is also deeply personal and demonstrates the closeness of the user’s relationship with that contact. The activation of Buzz disclosed not only portions of users’ contact lists, but more specifically disclosed the contacts with whom users communicate most often. The fact that the auto-following lists were composed of users’ most common Gmail contacts was widely known and publicized, as well as easily deduced by individual users. As such, anyone looking at a newly-activated Buzz user’s “following” list would know that the list indicated which people that user communicated with most often.
Privacy Policies
Like many Web sites that collect user information, the aforementioned social networking Web sites have privacy policies. However, there are some problems. These policies are disclaimers produced by a Web site that become waivers once the user accepts them. By accepting the terms of the policy, the user volunteers to relinquish some known right or privilege they may have. If a user felt the Web site had broken promises it made in the privacy policy, it is doubtful that the user could sue the Web site for breach of contract on the basis of the policy. These policies also contain loopholes. Problems with these policies include a lack of visibility, insufficient information on how the Web sites change their policies, the lack of independent reviewers to monitor these Web sites, and a lack of specifics about whom the Web sites share user information with.
One problem is that these policies are difficult for users to find and read. Although reading these policies is part of the registration process, they may not be specified on the registration form. The privacy policy may just be mentioned in the Terms of Use of a Web site. Providing users with a box to tick to indicate they have read and accepted a privacy policy is not enough. All three Web sites should make their privacy policies more obvious, and users should be encouraged by the Web sites to actively read through what they are agreeing to.
Another problem with privacy policies is that they are fluid, and may be altered by the Web site. All of these Web sites state that from time to time changes may be made to their privacy policies, which will be posted on the site. It is never specified how long these changes would be posted for, or where. Notice alone is not enough. The changes should be explained to users, along with any specific results the changes incur. Another manifestation of this problem is that not only can terms change, but Web sites can also reset user preferences, and place them back at default level.
The only one of these sites to overtly use a third party to review its privacy policy is Facebook. Facebook pays to be a licensee of the TRUSTe Privacy Program. However, TRUSTe's program suffers several flaws. In the past, TRUSTe has not punished their licensees who have, in TRUSTe's own opinion, compromised consumer trust and privacy. TRUSTe has even been described as untrustworthy by certain commentators.
These policies are also unclear about the terms by which users' details are shared with third parties. Facebook, MySpace and Friendster affirm that the user can choose to share information with marketers through sponsored groups or other on-site offers, such as competitions or sweepstakes. The Web sites reserve the right to transfer personal information to a successor in interest that acquires rights to that information as a result of the sale of the Web site. They state that they will not share users' contact information with marketers without the user's permission. Facebook and MySpace assert that the user can tell when another company is involved in any store or service provided, and they establish that they may share customer information with that company in connection with the member's use of that store or service. However, they do not specify how it would be so clear to the user when another company is involved. MySpace may transfer personal information to certain ad partners, if the user has explicitly requested to receive information from these ad partners. How a user would go about doing this is vague, though. The Web sites do not elaborate on what information they provide to advertisers in aggregate usage information, nor do they note the potential for third parties to disaggregate the information.
Privacy policies, like all agreements, should be clear and easy to follow, so that users have a firm grasp on what they are signing up to. Unfortunately, Web sites' privacy policies and terms of use often seem overly cross-referenced. Users need to do a great deal of switching between the two in order to get all the details and definitions. This makes the task of reading through the information more difficult than it needs to be.
News
- The social networking landscape in 2010: Facebook, Twitter and Google Me?, Latest Gadgets, Aug. 5, 2010
- Wave cancellation: Google gives up on next-gen messaging platform, Latest Gadgets, Aug. 5, 2010
- Nicholas Carlson, Facebook Users' Names, Email, Location, And Photos Exposed On Yelp, San Francisco Chronicle (May 11, 2010).
- Ki Mae Heussner, Quitting Facebook: What Happens When You Deactivate, ABC (May 11, 2010).
- Dylan Tynan, How Facebook Pulled a Privacy Bait and Switch, PC World (May 11, 2010).
- Google Develops a Facebook Rival, The Wall Street Journal, July 28, 2010
- Douglas MacMillan, Facebook Policies Draw Criticism From Privacy Groups, Business Week (May 6, 2010).
- Wendy Davis, EPIC Files Complaint About New Facebook Features, Media Post (May 5, 2010).
- Jenna Wortham, Facebook Glitch Brings New Privacy Worries, New York Times (May 5, 2010).
- Google switches on Buzz firehose, Register, July 20, 2010
- Caroline McCarthy, Activist Groups Launch New Facebook Offensive, CNET (Apr. 30, 2010)
- Kurt Opsahl, Facebook's Eroding Privacy Policy: A Timeline, Electronic Frontier Foundation (Apr. 28, 2010).
- Facebook, MySpace Confront Privacy Loophole, The Wall Street Journal, May 21, 2010
- Google: U.S. Demanded User Info 3,500 Times in 6 Months, Wired, April 20, 2010
- Google Discloses Requests on Users, The Wall Street Journal, April 20, 2010
- Martin J. Young, Partnership Buzz, Asia Times (February 27, 2010).
- Jessica Guynn, Google Buzz poses a major privacy risk for kids, analyst (and parent) says, LA Times (February 22, 2010).
- Project ‘Gaydar’, Boston Globe, Sept. 20, 2009
- Doug Hanchard, EPIC explains their FTC complaint about Buzz, ZDNet (February 20, 2010).
- Jeff Cormier, Google Buzz lawsuit and privacy problems persist, Examiner.com (February 20, 2010).
- Update on Terms, Press Release, Facebook, Feb. 18, 2009
- Facebook 'withdraws' data changes, BBC, Feb. 18, 2009
- Facebook retains terms of service after users voice concerns, USA Today, Feb. 18, 2009
- How Does Facebook's TOS Compare To Other Social Networking Sites?, The Consumerist, Feb. 17, 2009
- Facebook backs down on privacy terms, Cnet, Feb. 17, 2009
- EPIC readying federal complaint over Facebook privacy policy, Cnet, Feb. 17, 2009
- Facebook Privacy Change Sparks Federal Complaint, PC World, Feb. 17, 2009
- Facebook's New Terms Of Service: "We Can Do Anything We Want With Your Content. Forever." The Consumerist, Feb. 15, 2009
- Miguel Helft, Google Alters Buzz to Tackle Privacy Flaws, N.Y. Times Bits (February 13, 2010).
- Jason Kinkaid, Google Buzz Abandons Auto-following Amid Privacy Concerns.
- Charles Arthur, Google Buzz's Open Approach Leads to Stalking Threat, Guardian (February 12, 2010).
- F*ck You Google, Gizmodo (February 12, 2010).
- Laurie Sullivan, Google Buzz Publicly Airs Privacy Confusion, MediaPost (February 12, 2010).
- Richard Waters, Google Seeks to Quell Buzz Privacy Outcry, Financial Times (February 12, 2010).
- Robin Wauters, Google Buzz Privacy Issues have Real Life Implications, TechCrunch (February 12, 2010).
- Molly Wood, Google Buzz: Privacy Nightmare, CNET News (February 10, 2010).
- Online Friends at What Price?, Marc Rotenberg, Sacramento Bee, July 20, 2008.
- Online Games Can Lead to Identity Theft, ABC News, July 16, 2008.
- A Flashy Facebook Page, at a Cost to Privacy, Washington Post, June 12, 2008
- Blockbuster Sued For Participating In Facebook's Beacon Program, Online Media Daily, April 17, 2008.
- Report: Facebook Security Lapse Exposes Photos, ComputerWorld, March 25, 2008.
- Plea to Ban Employers Trawling Facebook, TimesOnline, March 25, 2008.
- More Privacy Options, The Facebook Blog, March 19, 2008.
- Facebook Denies Role in Morocco Arrest, Wall Street Journal, February 29, 2008.
- Taxman Admits to Facebook 'Trawl', Independent.ie, February 25, 2008.
- What Facebook Knows That You Don't, Washington Post, February 23, 2008.
- Hackers Exploiting Facebook, MySpace Plug-ins, Washington Post, February 23, 2008.
- Quitting Facebook Gets Easier, New York Times, February 13, 2008.
- How Sticky Is Membership on Facebook? Just Try Breaking Free, New York Times, February 11, 2008. Discusses difficulties with account deletion on Facebook.
- Exclusive: The Next Facebook Privacy Scandal, C|Net, January, 23, 2008. Discusses privacy issues with Facebook's third party application providers.
- Facebook Questioned Over Data Protection, Telegraph, January 21, 2008. The UK information commissioner's office is questioning Facebook's practice of retaining data instead of deleting it.
- Facebook, Google And Plaxo Join The DataPortability Workgroup, TechCrunch, January 8, 2008. The DataPortability working group is at www.dataportability.org.
- Facebook Blocks Secret Crush Over Adware Row, The Register, January 8, 2008. "Facebook has blocked the "Secret Crush" widget for violation of its terms of service, following a row about the use of the application to dupe users into downloading adware onto their PCs."
- Social networks: Bait for cybercrime. CNN Money, Oct. 4, 2006.
- Security Warning For MySpace. Facebook Users, CBS, Oct. 3, 2006.
- Facebook's feeds cause privacy concerns. The Amherst Student, Oct. 3, 2006.
- $1 Billion for Facebook? LOL!. Slate, Sept. 28, 2006.
- Open Facebook. Forbes. Sept. 11, 2006.
- Saying It 'Messed Up,' Facebook Modifies Controversial Feature. The Washington Post, Sept. 7, 2006.
Resources
- EPIC: Facebook Privacy Page.
- EPIC: In re Google Buzz.
- EPIC: Online Guide to Practical Privacy Tools.
- Federal Trade Commission: Social Networking Sites: A Parents Guide and Social Networking Sites: Safety Tips for Tweens and Teens.
- Privacy Rights Clearinghouse: Fact Sheet 18 Privacy and the Internet: Traveling in Cyberspace Safely.
- Canadian Privacy Commission video on Privacy and Social Networks.
- The Privacy Jungle: On the Market for Data Protection in Social Networks.
Previous Top News
- Sen. Rockefeller Requests FTC Report on Facial Recognition Technology: Senator John D. Rockefeller (D-WV) sent a letter requesting that the Federal Trade Commission assess the use of facial recognition technology and recommend legislation to protect privacy. Facial recognition technology is being used by technology firms and also police agencies, which has raised civil liberties concerns. The letter cited mobile applications such as SceneTap, which "tracks the male/female ratio and age mix of the crowd [in bars]" and digital advertising at the Venetian Resort in Las Vegas that tailors ads to the person standing in front of the display based on recognition of that person’s age and gender. The FTC will hold a workshop on facial recognition technology on December 8, 2011. EPIC's complaint regarding Facebook's facial recognition is still pending before the FTC. For more information, see EPIC: In re Facebook, and EPIC: Facial Recognition. (Oct. 20, 2011)
- Facebook Makes Some Changes, Privacy Complaints Still Pending: In response to several complaints filed by EPIC with the Federal Trade Commission, Facebook announced that it would make some changes in its business practices, including providing more accurate information about the disclosure of user data to others and new safeguards for photo tagging. EPIC, along with several privacy organizations, filed several complaints with the FTC about Facebook's automated tagging of users, changes in privacy settings, and transfers of personal data, stating that Facebook's practices were "unfair and deceptive." Facebook's recent actions address some but not all of the issues raised by the consumer organizations. The complaints at the FTC are still pending. For more information see EPIC: Facebook Privacy. (Aug. 29, 2011)
- Twitter Adopts Privacy Enhancing Technique, Defaults to HTTPS: Twitter has joined the ranks of Gmail with a decision to implement HTTPS functionality by default for all users in order to encrypt data and protect privacy. The change stems from several security problems in early 2011, including two incidents where hackers gained administrative control of the popular service, that led to a settlement with the Federal Trade Commission requiring Twitter to adopt stronger security measures. Earlier, EPIC had pointed out the importance of HTTPS by default in a complaint to the Commission regarding Google and Cloud Computing Services. For more information, see EPIC: Social Networking Privacy and EPIC: In re Google and Cloud Computing. (Aug. 24, 2011)
- Government Accountability Office: Agencies Must Improve Social Networking Privacy, Security: An independent report recommends that federal agencies "improve their development and implementation of policies and procedures for managing and protecting information associated with social media use." The Government Accountability Office, an independent, nonpartisan agency, surveyed twenty-three agencies concerning privacy and security policies. Only half of the agencies have updated their privacy policies to take account of personal information collected through social media monitoring. Only a quarter conducted privacy impact assessments of agency social media activities. The GAO also noted that only seven of the surveyed agencies have identified and documented social-media security risks. In March, EPIC filed comments regarding DHS's Social Media Monitoring and Situational Awareness Initiative, identifying substantial privacy and security risks. For more information, see EPIC: Social Networking Privacy. (Aug. 2, 2011)
- Facebook Makes Changes to Facial Recognition; Still Relying on Opt-Out: In response to a letter from the Connecticut Attorney General, Facebook agreed to run ads that link users to their privacy settings and show them how to opt-out of Facebook's facial recognition program. The ads are new, but Facebook has failed to implement an opt-in model for its facial recognition technology. EPIC, along with several other organizations, filed a complaint with the Federal Trade Commission concerning Facebook's unfair and deceptive trade practices regarding biometric data collection. EPIC urged the FTC to require Facebook to suspend the program pending a full investigation. EPIC also urged the Commission to require Facebook to establish stronger privacy safeguards and an opt-in regime for the facial recognition scheme. For more information, see EPIC: In re Facebook and the Facial Identification of Users. (Jul. 27, 2011)
- Congressman Markey Commends EPIC, Privacy Groups for Filing Facebook Complaint: Congressman Ed Markey today expressed support for the complaint filed last week by EPIC and privacy groups concerning Facebook's new scheme for online tagging. In a published statement, Congressman Markey said, "The Federal Trade Commission should investigate this important privacy matter, and I commend the consumer groups for their filing. When it comes to users’ privacy, Facebook’s policy should be: 'Ask for permission, don’t assume it.' Rather than facial recognition, there should be a Facebook recognition that changing privacy settings without permission is wrong. I encourage the FTC to probe this issue and will continue to closely monitor this issue." EPIC and consumer groups now have several complaints regarding Facebook pending at the FTC. For more information, see EPIC - In re Facebook and EPIC - In re Facebook II, and EPIC - Facebook and Privacy. (Jun. 14, 2011)
- Facebook Resumes Plan to Disclose User Home Addresses and Mobile Phone Numbers: Facebook indicated in a letter to Rep. Markey (D-MA) and Rep. Barton (R-TX) that it will go forward with a proposal to provide users' addresses and mobile phone numbers to third-party application developers. The Congressmen earlier expressed concern about the proposal. Facebook also wrote that it may disclose the home addresses and mobile numbers of minors who use the social networking service. Facebook suspended the plan after EPIC and others objected. EPIC and several consumer organizations have complaints pending at the Federal Trade Commission concerning Facebook's earlier changes to users' privacy settings. For more information, see EPIC: In re Facebook, EPIC: In re Facebook II, and EPIC: Facebook Privacy. (Mar. 2, 2011)
- Chairman Leahy Announces New Subcommittee on Privacy and Technology: Sen. Patrick Leahy (D-VT), Chairman of the Senate Judiciary Committee, has established a new Subcommittee on Privacy, Technology and the Law as part of his commitment to protecting “Americans’ privacy in the digital age.” Sen. Al Franken (D-MN) will chair the subcommittee, which will cover privacy laws and policies, new business practices, social networking sites, privacy standards, and the privacy implications of emerging technologies. For related information, see EPIC: Social Networking Privacy, EPIC: Cloud Computing. (Feb. 16, 2011)
- Facebook Enables Full-Session Encryption: Facebook will now allow full-session HTTPS. The switch to encrypted cloud-based computing promotes privacy and security, particularly when users access Facebook from public Internet access points. Previously, Facebook only used HTTPS when users’ passwords were being sent to the site. Third party applications currently do not support HTTPS. Users can opt into HTTPS through their “Account Settings;” however, HTTPS is not yet the default. Facebook will use "social authentication, rather than traditional CAPTCHA," to deter hackers. EPIC has previously recommended the adoption of strong privacy techniques for cloud-based services. In 2009, EPIC filed a complaint with the Federal Trade Commission, urging an investigation into Google’s cloud computing services to determine the adequacy of privacy and security safeguards. Google subsequently established HTTPS by default for Gmail. For related information, see EPIC: Facebook, EPIC: Cloud Computing, and EPIC: Social Networking Privacy. (Feb. 7, 2011)
- Facebook Drops Plan to Disclose Users' Home Addresses and Personal Phone Numbers: Facebook has retreated from its decision to allow third-party access to users' home addresses and phone numbers. Facebook backed off after criticism of the new policy, but said it would go forward once it has made further changes. EPIC Executive Director Marc Rotenberg said "Facebook is trying to blur the line between public and private information. And the request for permission does not make clear to the user why the information is needed or how it will be used." EPIC, and several consumer organizations, have complaints pending at the Federal Trade Commission concerning Facebook's earlier changes to users' privacy settings. For more information, see EPIC: In Re Facebook, EPIC: In Re Facebook II, and EPIC: Facebook Privacy. (Jan. 18, 2011)
- Labor Relations Board Files Complaint against Company over Facebook Post: The National Labor Relations Board has issued a complaint against American Medical Response of Connecticut for firing an employee who complained about her supervisor on Facebook. The company claimed that it fired the employee for violating its policy against depicting the company on a social media site. The NLRB's complaint states that the company's blogging and internet posting policy is overly broad; the company illegally denied union representation during the investigation; and that the firing violated an employee's right to engage in concerted activities. The National Labor Relations Act protects an employee's right to engage in group activities, such as discussing work-related issues, to improve workplace conditions. A hearing is scheduled for January 25, 2011. For related information, see EPIC: Workplace Privacy and EPIC: Social Networking Privacy. (Nov. 9, 2010)
- New Social Networking Privacy Poll Released, Kids Privacy Campaign Launched: According to a national poll from Common Sense Media, three out of four parents believe that social network services do not adequately protect children's online privacy. The Common Sense Media "Protect Our Privacy - Protect Our Kids" campaign calls for opt-in consent, clear and simple privacy statements, updated privacy laws, and a prohibition on behavioral marketing for kids. EPIC filed comments with the Federal Trade Commission aimed at improving the Children's Online Privacy Protection Act (COPPA). EPIC President Marc Rotenberg testified before the Senate Commerce Committee earlier this year, and urged Congress to extend COPPA to cover social networks and teens. For more information, see EPIC: COPPA. (Oct. 12, 2010)
- Facebook Uses RFID to Track Users' Locations for Advertising Promotion: At the Coca-Cola Village Amusement Park in Israel, visitors were recently issued bracelets with RFID chips that linked to their Facebook accounts, according to Adland. RFID readers scattered throughout the park updated the users' Facebook pages when the bracelets were scanned. On-site photographers also posted photos that were automatically tagged with the users' identities. Facebook had previously tested the use of RFID for location tracking at the f8 Developer Conference in April. Facebook has also just launched Places, which is designed to make users' location information widely available. For more information, see EPIC Facebook Privacy, EPIC Facebook Places. (Aug. 25, 2010)
- Facebook "Places" Embeds Privacy Risks, Complicated and Ephemeral Opt-Out Unfair to Users: The recently announced Facebook service Places makes user location data routinely available to others, including Facebook business partners, regardless of whether users wish to disclose their location. There is no single opt-out to avoid location tracking; users must change several different privacy settings to restore their privacy status quo. For users who do not want location information revealed to others, EPIC recommends that Facebook users: (1) disable "Friends can check me in to Places," (2) customize "Places I Check In," (3) disable "People Here Now," and (4) uncheck "Places I've Visited." EPIC, joined by many consumer and privacy organizations, has two complaints pending at the Federal Trade Commission concerning Facebook's unfair and deceptive trade practices, which are frequently associated with new product announcements. For more information, see EPIC In Re Facebook, EPIC In Re Facebook II, and EPIC Facebook Privacy. (Aug. 19, 2010)
- EPIC to Urge Congress to Strengthen Privacy Laws for Facebook Users: In prepared testimony (PDF) for a Congressional hearing on "Online Privacy, Social Networking and Crime Victimization," EPIC Executive Director Marc Rotenberg urged lawmakers to update federal law to protect the privacy of Facebook users. Mr. Rotenberg said that Facebook's constant changes to the privacy settings of users have made it virtually impossible for users to control who gets access to their personal information. He also said that the failure of the Federal Trade Commission to investigate Facebook's business practices means that Congress must now amend the federal privacy law to limit the ability of Social Network companies to disclose user information to third parties without informed and explicit consent. Also testifying at the hearing are witnesses from the FBI, the Secret Service, Symantec, and Facebook. For more information, see EPIC Social Networking Privacy, EPIC Facebook, and EPIC In re Google Buzz. (Jul. 28, 2010)
- Facebook Scores Low on Consumer Satisfaction: In a recent study by Foresee Results and the University of Michigan, Facebook has scored extremely low in the area of customer satisfaction. The 2010 American Customer Satisfaction Index E-Business Report included social networking companies for the first time, and Facebook scored a 64, putting it "in the bottom 5% of all measured private sector companies and in the same range as airlines and cable companies." The polling company attributed Facebook's low scores to "privacy concerns, frequent changes to the website, and commercialization and advertising." For more information, see EPIC Facebook Privacy and EPIC Public Opinion on Privacy. (Jul. 22, 2010)
- FTC Invites Public Comment on Twitter Settlement: The FTC is calling for public comments on the recent Twitter Settlement. The Commission's complaint against Twitter charged that "serious lapses in the company's data security allowed hackers to obtain administrative control of Twitter." The FTC found that the lax practices allowed access to nonpublic tweets even though the company assured users in its privacy policy that it was "very concerned about safeguarding the confidentiality of your personally identifiable information." Under the terms of the settlement, "Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information." Comments are due on July 26, 2009, and may be submitted electronically or in paper form. For more information, see EPIC: Social Networking Privacy. (Jul. 2, 2010)
- White House Adopts Weird Opt-Out Privacy Policy for Public Access to Government Web Sites: The White House has announced a new "Clear Notice and Personal Choice" policy for the use of Web Measurement and Customization Technologies for government web sites. The policy is remarkable in that there does not appear to be any legal basis to allow federal agencies to routinely disclose personal information of citizens to private companies. The policy is accompanied by new Guidance for Agency Use of Third-Party Websites and Applications. The White House also announced a National Strategy for Trusted Identities in Cyberspace. EPIC had urged the White House to uphold Privacy Act obligations in use of web 2.0 services. For more information, see EPIC - Privacy and Government Contracts with Social Media Companies. (Jun. 28, 2010)
- Federal Trade Commission Takes Action Against Twitter, Social Network Service Settles Charges It Deceived Consumers: The FTC announced a significant enforcement action today. The Commission's complaint against Twitter charged that "serious lapses in the company's data security allowed hackers to obtain administrative control of Twitter." The FTC found that the lax practices allowed access to nonpublic tweets even though the company assured users in its privacy policy that it was "very concerned about safeguarding the confidentiality of your personally identifiable information." Under the terms of the settlement, "Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information." EPIC has two complaints currently pending at the FTC concerning similar practices by Facebook, another social networking service. For more information, see EPIC - Facebook Privacy, EPIC - In re Facebook I, and EPIC - In re Facebook II. (Jun. 24, 2010)
- Privacy Conference Attendees Set Out Social Networking Bill of Rights: Participants at the 2010 Conference on Computers, Freedom, and Privacy have prepared a Social Network Users' Bill of Rights. The Bill of Rights sets out principles for providers of social network services, including clarity of policies, empowerment of users, freedom of speech, data minimization, and user control. For more information, follow #billofrights and see EPIC: Social Networking Privacy and EPIC: Facebook Privacy. (Jun. 23, 2010)
- EPIC, Privacy Groups Recommend Further Changes for Facebook: EPIC has joined a letter, organized by the ACLU of Northern California, calling for Facebook to fix ongoing privacy problems with the social network service. The letter, signed by several privacy organizations, recommends that Facebook make "Instant Personalization" opt-in, limit data retention, give users greater control over their information, and allow users to export their content from Facebook. EPIC has a complaint currently pending at the Federal Trade Commission, charging that Facebook has engaged in unfair and deceptive trade practices. For more information, see EPIC Facebook Privacy. (Jun. 16, 2010)
- Privacy Issue Attracts Fire in California Attorney General Race: Facebook privacy has become a hot topic in the California race for Attorney General. In the Democratic primary, Kamala Harris has attacked former Facebook Chief Privacy Officer Chris Kelly over the company's privacy practices. But Kelly has recently criticized some of the Facebook changes and said that "instant personalization" should be opt-in. Kelly has also supported a Moveon Facebook campaign though some bloggers have doubts. During the last election cycle, EPIC launched PRIVACY08 to encourage candidates to debate privacy issues. Also see EPIC Facebook Privacy. (Jun. 7, 2010)
- Congress Pursues Investigation of Google and Facebook's Business Practices: Following similar letters from other Congressional leaders, the head of the House Judiciary Committee has asked Google Inc. and Facebook to cooperate with government inquiries into privacy practices at both companies. Rep. Conyers (D-MI) noted that Google's collection of user data "may be the subject of federal and state investigations" and asked Google to retain the data until "such time as review of this matter is complete." Rep. Conyers also asked Facebook to provide a detailed explanation regarding its collection and sharing of user information. The House Judiciary Committee is expected to hold hearings on electronic privacy later this year. For more information, see EPIC: Facebook Privacy, EPIC: In re Facebook II, and EPIC: Search Engine Privacy. (Jun. 1, 2010)
- New Study Shows Young Americans Value Privacy: A new study from the Pew Internet and American Life Project has found that "[r]eputation management has now become a defining feature of online life for many internet users, especially the young." The Pew study Reputation Management and Social Media found that young adults are far more likely than their older counterparts to take steps to maintain control over their digital identities, including changing their privacy settings, restricting access to their data, and removing their names from tagged photographs. The report also found that these privacy-protecting activities have become considerably more common across all age groups than they were when a similar study was conducted in 2006. For more information, see EPIC Public Opinion on Privacy. (May. 27, 2010)
- Facebook Expected to Announce Privacy Changes: Following a recent column in the Washington Post by Facebook CEO Mark Zuckerberg, the company is expected to announce new, simplified privacy settings this week. EPIC objected to the last several rounds of changes that Facebook made, filing a complaint with the FTC in December when the company reclassified much of users' data as "publicly available information," a supplement to that complaint in January, and another complaint this month when Facebook forced users' profile information to become publicly available links instead of private data. For more information, see EPIC: Facebook, EPIC: In re Facebook, and EPIC: In re Facebook II. (May. 25, 2010)
- New Facebook Privacy Complaint Filed with Trade Commission: Today, EPIC and 14 privacy and consumer protection organizations filed a complaint with the Federal Trade Commission, charging that Facebook has engaged in unfair and deceptive trade practices in violation of consumer protection law. The complaint states that changes to user profile information and the disclosure of user data to third parties without consent "violate user expectations, diminish user privacy, and contradict Facebook’s own representations." The complaint also cites widespread opposition from Facebook users, Senators, bloggers, and news organizations. In a letter to Congress, EPIC urged the Senate and House Committees with jurisdiction over the FTC to monitor closely the Commission's investigation. The letter noted the FTC's failure to act on several pending consumer privacy complaints. For more information, see EPIC: Facebook Privacy. (May. 5, 2010)
- Senators Oppose Facebook Changes, Schumer Urges Trade Commission to Regulate Social Network Services: Senators Charles Schumer (D-NY), Michael Bennet (D-CO), Mark Begich (D-AK), and Al Franken (D-MI) have sent a letter to Facebook CEO Mark Zuckerberg to express concern about "recent changes to the Facebook privacy policy and the use of personal data by third-party websites." Senator Schumer has also asked the Federal Trade Commission to establish guidelines for social networking sites. The Senators' statements came after Facebook announced it would disclose user data to websites without consent. Senator Schumer stated "Previously, users had the ability to determine what information they chose to share and what information they wanted to keep private." EPIC has filed a complaint with the FTC about the recent changes to Facebook's privacy settings. For more information, see EPIC: Facebook Privacy and EPIC: In re Facebook. (Apr. 27, 2010)
- Facebook's Data Grab: New Policies Transfer Control of User Data to Facebook: Facebook announced significant changes at F8 this week that will integrate Facebook with many web sites, but also make it more difficult for Facebook users to limit the disclosure of personal information. The announcement follows recent changes to Facebook privacy settings and privacy policies. "Instant personalization" will give Facebook's business partners access to users' likes, interests, friends, and other details, unless users opt out. Facebook has also removed a key privacy safeguard and will allow third parties to store user data indefinitely. EPIC has a complaint pending at the FTC concerning recent changes to Facebook's privacy settings. For more information, see EPIC: Facebook Privacy and EPIC's Previous FTC Complaint regarding Facebook, EPIC: In re Facebook. (Apr. 22, 2010)
- Lawmakers Urge FTC to Investigate Google Buzz: Ten House Members have asked the Federal Trade Commission to pursue an investigation into the Google social networking service Buzz, given "Google's practice of automatically using consumers' e-mail address books to create contact lists for Buzz and then publicly disclosing the names of those private contacts" online. The lawmakers also asked the Commission to consider the privacy implications of Google's proposed acquisition of AdMob, the mobile phone advertising company. EPIC has filed a complaint with the FTC, asking the Commission to investigate Google Buzz. Previously, EPIC recommended that the FTC block Google's acquisition of Doubleclick, the banner advertising firm, because of the privacy implications. For more information, see EPIC: In re Google Buzz. (Mar. 29, 2010)
- EPIC Recommends Effective Consumer Privacy Standards, Calls Notice and Choice a "Failed Experiment": At the third FTC Privacy Roundtable, EPIC senior counsel John Verdi will recommend that the Commission push forward with effective and meaningful privacy safeguards for American consumers. Mr. Verdi will say that the "notice and choice" approach has failed, and will recommend that the FTC enforce Fair Information Practices, such as the OECD Privacy Guidelines. The discussion can be viewed via webcast. Additional information on the FTC roundtable event can be found here. For more information, see EPIC In re Google Buzz, EPIC In re Facebook, and EPIC In re Google and Cloud Computing. (Mar. 17, 2010)
- Judge Waits to Decide on Proposed Settlement in Facebook Privacy Case: Following a hearing last week, U.S. District Court Judge Seeborg reserved decision about the approval of Facebook’s proposed 9.5 million dollar settlement in a case involving Facebook Beacon. According to the settlement terms, Facebook would contribute about $6 million to the establishment of a privacy organization. Facebook, however, would maintain control over this organization, as Facebook's top lobbyist would become co-President and all significant decisions would require a unanimous vote. EPIC and several other privacy organizations, including the Consumer Federation of America and the Privacy Rights Clearinghouse, have written a letter to Judge Seeborg, asking him to reject the settlement as proposed. For more information, see EPIC: Facebook Privacy. (Mar. 1, 2010)
- Study Ranks Top 20 Companies for Privacy in 2010, Facebook Drops Off List: Ponemon Institute released its annual study identifying the top twenty companies that are most trusted for privacy. American Express was ranked first, earning the Most Trusted for Privacy distinction for the fifth year in a row. Facebook suffered several privacy missteps over the last year, including a recent change in privacy settings at the end of 2009, and as a result, failed to make the 2010 list. Google, however, returned to the Top 20, ranked at 13. The survey also produced significant findings regarding consumer attitudes towards privacy, including the finding that consumers feel they are losing control over their personal information. Further, the responses revealed that consumers’ fear of identity theft is the main factor for brand trust diminishment, while a company’s implementation of privacy features contributes to brand trust. Other significant positive factors were limits on the collection of personal information and online anonymity. (Feb. 26, 2010)
- Facebook Users Object to Beacon Settlement: Facebook users filed papers in federal court objecting to a proposed deal that would extinguish the company's liability for disclosing personal information in violation of federal law. Users criticized the class action settlement, stating "the class receives no meaningful relief." Other objectors alleged "in effect, Facebook is paying itself the benefit but class members are releasing their individual privacy claims." EPIC previously submitted a letter to the judge hearing the case. EPIC's letter opposes the settlement and proposes alternatives that would enable stronger privacy safeguards for Facebook users in the future. For more information, see EPIC Facebook Privacy, EPIC Harris v. Blockbuster. (Feb. 2, 2010)
- EPIC, Privacy Groups Oppose Facebook Settlement: EPIC and other privacy groups sent a letter to the federal judge overseeing a class-action settlement against Facebook in California, opposing the settlement as unfair and unreasonable. As proposed, the settlement does not provide any benefit for Facebook users whose private data was illegally exposed by Facebook "Beacon." Instead, the deal would create a new "privacy foundation" subject to Facebook's influence. Fair settlements typically provide compensation to class members or a remedy that addresses the underlying harm, which in this case was a violation of federal privacy law. The letter from EPIC proposes alternatives that would enable stronger privacy safeguards for Facebook users in the future. For more information, see EPIC Facebook Privacy, EPIC Harris v. Blockbuster. (Jan. 19, 2010)
- Canadian Privacy Commission to Investigate Facebook: Canada’s Privacy Commissioner Jennifer Stoddart has launched an investigation into the information collection and use practices of online social networking sites. This investigation is being conducted as the Parliament prepares to review the Personal Information Protection and Electronic Documents Act. Stoddart plans to examine “issues that we feel pose a serious challenge to the privacy of consumers, now and in the near future,” and to foster discussions about "the impact of these technological developments on privacy." This is not the first time the Commissioner has investigated the information practices of Facebook. In August 2009, Facebook made several changes to its privacy policy, following recommendations by the Commissioner and a complaint filed by the Canadian Internet Policy and Public Interest Clinic. For more information, see EPIC: Facebook Privacy and EPIC: Social Networking Privacy. (Jan. 19, 2010)
- EPIC Defends Privacy of Facebook Users: Files Complaint with the Federal Trade Commission: EPIC has filed a complaint with the Federal Trade Commission, urging the FTC to open an investigation into Facebook’s revised privacy settings. The EPIC complaint, signed by nine other privacy and consumer organizations, states that the "changes violate user expectations, diminish user privacy, and contradict Facebook’s own representations." EPIC cites widespread opposition from Facebook users, security experts, bloggers, and news organizations. A previous EPIC complaint to the FTC, concerning the data broker industry, produced the largest settlement in the FTC's history. For more information, see EPIC: In re Facebook, Frequently Asked Questions Regarding EPIC's Facebook Complaint, and EPIC Facebook Privacy. EPIC PRESS RELEASE. (Dec. 17, 2009)
- Facebook to Drop Regional Networks, Change Privacy Settings: Facebook announced that it intends to eliminate regional networks, which allow users to restrict information shared with others based on geography. The social networking service will also modify the site's privacy settings and require users to update the rules governing who can access their data. In February, revisions to Facebook's terms of service prompted users to revolt and Facebook to rescind the changes hours before EPIC planned to file a complaint with the Federal Trade Commission. Prior changes to the service resulted in disclosure of Facebook users' video rental records without their permission, prompting federal lawsuits. For more, see EPIC Facebook Privacy and Social Networking Privacy. (Dec. 4, 2009)
- Facebook to End Beacon, Establish Privacy Foundation: Facebook has entered into a proposed agreement to end Beacon, the controversial advertising technique that broadcast user purchases in their public profile. EPIC and other privacy advocates objected to Beacon’s privacy implications and successfully persuaded Facebook to adopt opt-in for the service. Under the terms of a class-action lawsuit in California, Facebook will now terminate Beacon and contribute $9.5 million towards the creation of a foundation dedicated to protecting online privacy. A class-action lawsuit concerning Beacon is also pending in Texas. For more information, see EPIC Facebook Privacy and EPIC Testimony on the "Impact and Policy Implications of Spyware on Consumers and Businesses." (Sep. 22, 2009)
- Following Canadian Investigation, Facebook Upgrades Privacy: The Canadian Privacy Commissioner issued a report last month raising concerns over Facebook business practices. The Office asked the social networking firm to cease the sharing of user information with application developers, clarify the policy on deactivation and deletion of accounts, protect the personal information of non-users, and "memorialize" the account of deceased users. In complying with the Commissioner's report, Facebook will include new notifications, update its Privacy Policy, and implement technical changes to enable more user control over information accessed by third-party applications. EPIC had previously raised similar concerns about the use of Facebook data by application developers. See also EPIC Facebook and EPIC Social Network Privacy. (Aug. 28, 2009)
- Canadian Privacy Commissioner's Deadline for Facebook Arrives, Some Changes are Made at the Social Network Company: In mid-July, the Canadian Privacy Commissioner released a report recommending several changes to Facebook's business practices. The Commissioner's Office advised the social networking firm to limit application developers' access to user information, and inform users specifically about the nature and use of shared information. The Office also said that deactivated account information should be deleted, and that the privacy policy be amended to include all intended uses of personal information. Facebook was given 30 days. Facebook updated its privacy policy last week and has asked application developers to respect user privacy settings. See also EPIC Facebook and EPIC Social Network Privacy. (Aug. 17, 2009)
- EPIC Forces Disclosure of Government Contracts with Social Media Companies, Privacy Terms Missing: In response to an EPIC Freedom of Information Act Request, the Government Services Administration released several contracts between the federal government and web 2.0 companies, including agreements with Blip.tv, Blist, Google (YouTube), Yahoo (Flickr), and MySpace. EPIC also obtained amendments to agreements with Facebook, Slideshare.net, Vimeo.com, and AddThis.com. The contracts do not address the privacy obligations of social media companies. The GSA letter to EPIC explained that “no specific Web 2.0 guidance currently exists,” but provided EPIC with Training Slides that raise privacy issues. The GSA Agreement with Google actually states that, “to the extent any rules or guidelines exist prohibiting the use of persistent cookies in connection with Provider Content applies to Google, Provider expressly waives those rules or guidelines as they may apply to Google.” Some of the agreements also permit companies to track users of government web sites for advertising purposes. For more information see EPIC Social Network Privacy, EPIC Facebook, and EPIC Cloud Computing. (Aug. 12, 2009)
- Canadian Privacy Commissioner Holds that Facebook Must Strengthen Privacy Safeguards: The Office of the Privacy Commissioner of Canada today released a Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic against Facebook Inc. The complaint, filed under the Personal Information Protection and Electronic Documents Act, contained twenty-four allegations concerning a range of Facebook business practices, including Default Privacy Settings, Advertising, and Third-Party Applications. The Commissioner found that Facebook has taken some steps to address privacy, but that more safeguards are necessary. Facebook has 30 days to respond. See EPIC Facebook Privacy and EPIC Social Networking Privacy. (Jul. 16, 2009)
- EPIC LiveTweeting Sotomayor Hearing: EPIC Executive Director Marc Rotenberg, a former counsel to the Senate Judiciary Committee, is tweeting the Sotomayor nomination hearing this week. The tweets cover #privacy #sotomayor and #scotus. Recap and updates available at @privacy140. EPIC has prepared an extensive background page on Judge Sotomayor. See EPIC Nomination of Judge Sotomayor. (Jul. 16, 2009)
- Facebook to Change User Privacy Settings: Facebook announced planned changes to user privacy controls today. Chris Kelly, Facebook's Chief Privacy Officer, stated that the new policy will promote "control, simplicity and connection" for user data. The announcement states there will be no changes in terms of "the information Facebook provides to advertisers" but does not address concerns about the information provided by Facebook to app developers. In June, European Privacy Commissioners warned about the secondary use of personal data collected by social network services. The officials issued an opinion requiring robust security, privacy-friendly default settings, and the application of European privacy law. In April, EPIC supported the adoption of the new Facebook Terms of Service when Facebook said that "users own and control their information." See EPIC Social Networking Privacy. (Jul. 1, 2009)
- European Advisory Group Issues Opinion on Social Networking: The European expert group on data protection and privacy issued a guidance to Social Network Service providers on measures needed to ensure compliance with EU law. The key concern of the group is the dissemination and use of information available on such networks for secondary, unintended purposes. The opinion recommended robust security and privacy-friendly default settings. Topics included processing of sensitive data and images, advertising and direct marketing, and data retention. In January, EPIC suggested regulation of Social Network Service partners, including advertisers and application developers. See EPIC's Page on Social Networking Privacy. (Jun. 17, 2009)
- EPIC Urges Privacy Protections for Government's Use of Social Media: The DHS Privacy Office is seeking public comments on developing best practices on the government's use of social media. EPIC submitted comments on the benefits, issues and privacy best practices. EPIC recommended applying Privacy Act protections to the data collected, prohibiting commercialization and sharing, and using a model certification system. See also EPIC's page on Social Networking Privacy, Network Advertising Initiative, and Deep Packet Inspection and Privacy. (Jun. 3, 2009)
- EPIC Seeks Government Agreements with Social Networking Companies: EPIC submitted a Freedom of Information Act request to the Government Services Administration seeking agency records concerning agreements the GSA negotiated between federal agencies and social networking services, including Flickr, YouTube, Vimeo, Blip.tv, and Facebook. In the FOIA request, EPIC is asking for the public release of the contracts and any legal opinions concerning the application of the Privacy Act of 1974 and Freedom of Information Act to the services that collect information on citizens. For more information see EPIC’s pages Social Networking, Facebook, and Cloud Computing. (Apr. 30, 2009)
- Facebook Gets Ready to Adopt Terms of Service: Facebook has announced the results of the vote on site governance. The initial outcome indicates that approximately 75 percent of users voted for the new terms of service which includes the new Facebook Principles and Statement of Rights and Responsibilities. Under the new Principles, Facebook users will "own and control their information." Facebook also took steps to improve account deletion, to limit sublicenses, and to reduce data exchanges with application developers. EPIC supports the adoption of the new terms. For more information, see EPIC's page on Social Networking Privacy. (Apr. 24, 2009)
- Facebook Seeks Vote on Site Governance: In February, Facebook announced that it was opening its site governance to user voting after the new Terms of Service were widely criticized, and were to be the subject of an EPIC complaint to the Federal Trade Commission. Facebook restored the old terms and sought user feedback on the new Facebook Principles and the Statement of Rights and Responsibilities. These governing documents have now been updated to reflect feedback from users and experts. The voting to adopt the new terms or to maintain the previous terms is now open till April 23, 11:59 a.m. PDT. For more, see the efforts of People Against the New Terms of Service, and EPIC's Social Networking Privacy page. (Apr. 20, 2009)
- Facebook Announces Governing Principles, Statement of Rights and Responsibilities: Today, Facebook proposed guidelines and a statement of rights and responsibilities governing its relationship with users. The social networking service called for user comment on the principles, which include "Ownership and Control of Information" and "Transparent Process." Facebook further committed to "open up Facebook so that users can participate meaningfully in our policies and our future." Facebook's announcement follows last week's abandonment of changes to its Terms of Service on the eve of an EPIC complaint to federal regulators. For more, see the efforts of People Against the New Terms of Service, and EPIC's "Social Networking Privacy" page. (Feb. 26, 2009)
- On Eve of EPIC Trade Commission Complaint, Facebook Backs Down on Revised Terms of Service: Hours before EPIC planned to file a complaint with the Federal Trade Commission regarding changes to Facebook's Terms of Service, the social network service announced that it will restore the original policy. The new Terms of Service were announced on Feb. 4, were widely criticized, and were to be the subject of the EPIC complaint. Facebook users observed that, under the revised policies, Facebook asserted broad, permanent, and retroactive rights to users' personal information - even after they deleted their accounts. The EPIC complaint was supported by more than a dozen consumer and privacy organizations. Previous EPIC Complaints at the FTC have concerned Choicepoint, Microsoft Passport, and the Google-Doubleclick merger. For more, see EPIC's "Social Networking Privacy" page. Support EPIC's efforts to maintain your privacy in the social networking world. (Feb. 18, 2009)
- European Network Security Agency Recommends Security Protections For Social Networks. The European Network and Information Security Agency (ENISA) has issued a position paper on Security Issues And Recommendations for Social Networks. The paper concludes that social networks are a clear benefit to society; however, the study warns of the danger that new face recognition or other new technologies pose in a world where there may be a false sense of intimacy created by social networks. The agency grouped security threats into 4 categories: privacy, traditional network, identity and social threats. The paper recommends government and corporate policy changes, technical and research recommendations, such as increasing transparency of data handling practices, and encouraging social networking education rather than the banning of social networking sites in schools. (Oct. 1, 2007)
- Facebook Responds to Users' Demands. In response to the negative reactions of so many of its users, Facebook put new privacy controls on the News Feed feature into operation. Mark Zuckerberg, the CEO of Facebook, published an open letter on the Web site on September 8th apologizing for not having consulted with users prior to introducing the feature, which notified users of all their contacts' activities, such as profile changes from "in a relationship" to "single." However, the change is simply an opt-out and puts the burden on Facebook users to protect their privacy. Over 700,000 users signed an online petition demanding the company discontinue the feature, stating that this compromised their privacy. (Sept. 25, 2006)
- Outcry Over New Facebook Feature. When social networking Web site Facebook introduced its new News Feed feature on September 5, the company was accused of invading the privacy of its users and facilitating stalking. The goal of the new feature was to make it easier for users to keep up to date with the latest happenings in the lives of their online friends. However, user upset at its introduction sparked debate over how much control users expect to have over the information they place on these Web sites, and also whether the means of dissemination of this information matters. (Sept. 5, 2006)

