Focusing public attention on emerging privacy and civil liberties issues

Frequently Asked Questions Regarding EPIC's Facebook Complaint

What is EPIC?

The Electronic Privacy Information Center (“EPIC”) is a not-for-profit research center based in Washington, D.C. EPIC focuses on emerging privacy and civil liberties issues and is a leading consumer advocate before the Federal Trade Commission.

What is the Federal Trade Commission (FTC) and what authority does it have over this matter?

The FTC is an independent agency of the United States government, established in 1914 by the Federal Trade Commission Act. Its principal mission is "consumer protection” and the elimination and prevention of harmfully "anti-competitive" business practices. The FTC is “empowered and directed” to investigate and prosecute violations of Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices. Using this authority, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers’ personal information. The Commission has also used its unfairness authority to challenge information practices that cause substantial consumer injury.

Why did EPIC file the FTC complaint?

EPIC filed this complaint because Facebook’s revised privacy settings are unfair and deceptive to users. Facebook’s changes to users’ privacy settings disclose personal information to the public that was previously restricted. Facebook’s changes to users’ privacy settings also disclose personal information to third-party application developers that was previously not available. These changes violate user expectations, diminish user privacy, and contradict Facebook’s own representations.

What is an unfair and deceptive trade practice?

"Unfair" practices are those that cause, or are likely to cause, substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition. A practice is deceptive if it will likely mislead a consumer, acting reasonably under the circumstances, to that consumer's detriment.

What does EPIC hope to accomplish with this complaint?

EPIC is urging the FTC to investigate Facebook and determine the extent of the harm to consumer privacy and safety. EPIC is also asking the FTC to require Facebook to restore the previously available privacy settings that allowed users to keep their friends lists, profile pictures, and other personal information private. The FTC should require Facebook to give users meaningful control over personal information, and should seek appropriate injunctive and compensatory relief for users whose privacy was violated by Facebook.

What’s the difference between Facebook’s revised privacy settings and the old ones?

Under the revised privacy policy, Facebook now treats the following categories of personal data as “publicly available information:”

• users’ names,

• profile photos,

• lists of friends,

• pages they are fans of,

• gender,

• geographic regions, and

• networks to which they belong.

By default, Facebook discloses “publicly available information” to search engines, to Internet users whether or not they use Facebook, and others. According to Facebook, such information can be accessed by “every application and website, including those you have not connected with . . . .”

Prior to these changes, only the following items were mandatorily “publicly available information:”

• a user’s name and

• a user’s network.

Under the original privacy settings, users had a one-click option to prevent the disclosure of personal information to third party application developers. Under the revised privacy settings, this option is nonexistent.

I thought that Facebook’s had a privacy policy… why doesn’t this protect users?

Facebook’s privacy policy doesn’t actually protect users, it misleads users into believing that their information is safe, while the site actually discloses information to third-party application developers and the public. Facebooks’ revised privacy policy mandates the sharing of large amounts of personal information, whether or not users what to share that information.

What specific aspects of Facebook’s new settings are harmful to user privacy?

Facebook’s decision to make profile pictures, friends lists, fan information, names, and other personal information publicly available, harms users who would rather exercise control over their own information. The lack of third party application opt-out also takes control away from users. Facebook’s assertion that the revisions to the privacy policy will actually enhance user privacy is outright deception.

What’s so bad about friends lists being deemed “publicly available information?”

There are numerous real-life examples of friends list information being used in ways that are harmful to users. Based on profile data obtained from Facebook users’ friends lists, MIT researchers found that “just by looking at a person’s online friends, they could predict whether the person was gay.” Dozens of American Facebook users, who posted political messages critical of Iran, have reported that Iranian authorities subsequently questioned and detained their relatives. According to the Wall Street Journal, one Iranian-American graduate student received a threatening email that read, “we know your home address in Los Angeles,” and directed the user to “stop spreading lies about Iran on Facebook.” Another U.S. Facebook user who criticized Iran on Facebook stated that security agents in Tehran located and arrested his father as a result of the postings. One Facebook user who traveled to Iran said that security officials asked him whether he owned a Facebook account, and to verify his answer, they performed a Google search for his name, which revealed his Facebook page. His passport was subsequently confiscated for one month, pending interrogation.

What should Facebook do if it really wants to protect user privacy?

If Facebook is serious about protecting user privacy, it should allow users greater control over their own information. First, Facebook should restore the one-click opt out for third party applications. Second, it should stop treating personal user information as public information - users should be allowed to decide for themselves what information they want to share and what information they want to keep private.