In re Facebook II

Top News

  • UPDATE - EPIC, Consumer Groups Urge FTC to Investigate Facebook's Use of Facial Recognition: EPIC and a coalition of consumer groups have filed a complaint with the FTC, charging that Facebook's use of facial recognition techniques threaten user privacy and "in multiple ways" violate the 2011 Consent Order with the Commission. "The scanning of facial images without express, affirmative consent is unlawful and must be enjoined," the groups wrote. Last week the organizations urged the Federal Trade Commission to reopen the 2009 investigation of Facebook, arguing that the disclosure of user data to Cambridge Analytica violated the consent order, and noting that the order also prohibited Facebook from "making misrepresentations about the privacy or security of consumers' personal information." In 2011 EPIC and consumer groups urged the FTC to investigate Facebook’s facial recognition practices. In 2012 EPIC advised the FTC "Commercial actors should not deploy facial techniques until adequate safeguards are established. As such safeguards have not yet been established, EPIC would recommend a moratorium on the commercial deployment of these techniques." EPIC President Marc Rotenberg said today, "Facebook should suspend further deployment of facial recognition pending the outcome of the FTC investigation." (Apr. 6, 2018)
  • EPIC, Consumer Groups to Urge Federal Trade Commission to Investigate Facebook's Use of Facial Recognition: EPIC and a coalition of consumer groups will file a complaint with the FTC on Friday charging that Facebook's use of facial recognition techniques threaten user privacy and violate the 2011 Consent Order with the Commission. "The scanning of facial images without express, affirmative consent is unlawful and must be enjoined," the groups wrote. Last week the organizations urged the Federal Trade Commission to reopen the 2009 investigation of Facebook, arguing that the disclosure of user data to Cambridge Analytica violated the consent order, and noting that the order also prohibited Facebook from "making misrepresentations about the privacy or security of consumers' personal information." The FTC has confirmed that an investigation is now underway. The FTC said, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements." Facebook CEO Mark Zuckerberg will testify next week before the Senate Judiciary Committee and the House Commerce Committee. In 2011 EPIC urged the FTC to investigate Facebook's facial recognition practices. In 2012 EPIC advised the FTC "Commercial actors should not deploy facial techniques until adequate safeguards are established. As such safeguards have not yet been established, EPIC would recommend a moratorium on the commercial deployment of these techniques." (Apr. 5, 2018)
  • State AGs Launch Facebook Investigation: A bipartisan group of 37 State Attorneys General is investigating Facebook's business practices and lack of privacy protections. "Businesses like Facebook must comply with the law when it comes to how they use their customers' personal data," Pennsylvania Attorney General Josh Shapiro said. "State Attorneys General have an important role to play in holding them accountable." The Federal Trade Commission also announced today that it is investigating Facebook. Senate Judiciary Chairman Grassley has also said there will be hearings on the Facebook matter when Congress returns. (Mar. 26, 2018)
  • FTC Confirms Investigation Into Facebook about 2011 Consent Order: The Federal Trade Commission has confirmed an investigation into Facebook for the company's failure to protect the personal data obtained by Cambridge Analytica. Facebook likely violated the FTC's 2011 Consent Order with the company. Last week, EPIC and a coalition of consumer organizations urged the FTC to reopen the investigation. EPIC and other consumer organizations brought the complaint that led to the FTC's 2011 Order. Thomas Pahl, the Acting Director of the FTC's Bureau of Consumer Protection stated today, "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." In a recent article for Techonomy, EPIC President Marc Rotenberg emphasized that "the transfer of 50 million user records to the controversial data mining and political consulting firm could have been avoided if the Federal Trade Commission had done its job." (Mar. 26, 2018)
  • EPIC FOIAs FTC, Seeks Facebook's Privacy Assessments: EPIC has submitted an urgent Freedom of Information Act request to the Federal Trade Commission, seeking the privacy assessments required by the FTC's 2012 Consent Order. Facebook is required to produce independent privacy assessments every two years for the next 20 years. Each assessment should "identify Facebook's privacy controls maintained during the reporting period, explain the appropriateness of these controlsin relation to Facebook's activities and sensitivity of information, as well as explain how these controls meet or exceed the protections" required in the 2012 Consent Order. Facebook is also required to identify an independent privacy auditor, approved by the FTC. EPIC previously obtained the 2012 Initial Compliance Report as well as the 2013 Initial Assessment through an earlier FOIA request. EPIC is now seeking the 2015 and 2017 reports which cover the period for the data transfers to Cambridge Analytica. (Mar. 20, 2018)
  • EPIC, Consumer Groups Urge FTC To Investigate Facebook: In a statement issued today, EPIC and a coalition of consumer groups have called on the Federal Trade Commission to determine whether Facebook violated a 2011 Consent Order when it facilitated the transfer of personal data of 50 million Facebook users to the data mining firm Cambridge Analytica. The groups had repeatedly urged the FTC to enforce its own legal judgements. EPIC even sued the agency in 2012 for its failure to enforce a consent order against Google. "The FTC's failure to act imperils not only privacy but democracy as well," the groups warned. Between 2009 and 2011 EPIC and other consumer groups undertook extensive work to document Facebook's privacy abuses that led to the consent order in 2011. (Mar. 20, 2018)
  • Facebook "Breach" Highlights Failure of FTC to Enforce Consent Orders: In 2009, EPIC and a coalition of US consumer privacy organizations petitioned the Federal Trade Commission to establish comprehensive privacy safeguards after Facebook changed user privacy settings and secretly transferred user data to third parties. In 2011, the FTC agreed with the privacy groups and established a far-reaching settlement with the company, that prevented such disclosures, prohibited deceptive statements, and required annual reporting. But the FTC failed to enforce its consent order, even after EPIC sued the agency and consumer groups repeatedly urged the Commission to act. This weekend the Washington Post and the New York Times reported that Facebook disclosed the personal data of 50 million users without their consent to Cambridge Analytica, the controversial British data mining firm that sought to influence the 2016 presidential election. (Mar. 19, 2018)
  • EPIC Offers Recommendations for Future of FTC Ahead of Senate Hearing on Nominees: In advance of a Senate hearing on four nominees to the Federal Trade Commission, EPIC recommended 10 steps for the FTC to safeguard American consumers. EPIC explained that the FTC's failure to address the data protection crisis has contributed to unprecedented levels of data breach and identity theft in the United States. EPIC helped establish the FTC's authority for consumer privacy and has urged the FTC to safeguard American consumers in cases involving Microsoft, Google, Facebook, Uber, Samsung and others. EPIC also filed a lawsuit against the FTC when it failed to enforce a consent order against Google. (Feb. 13, 2018)
  • EPIC Calls for Greater FTC Enforcement: In advance of a Senate Commerce hearing on consumer privacy, EPIC called for more action by the Federal Trade Commission to protect American consumers. In a statement for the Committee, EPIC said that "the FTC is simply not doing enough to safeguard the personal data of American consumers." EPIC explained that "the FTC's privacy framework - based largely on 'notice and choice' - is simply not working." EPIC also warned that consumers "face unprecedented threats of identity theft, financial fraud, and security breach." EPIC has fought for consumer privacy rights at the FTC for more than two decades, filing landmark complaints about privacy violations by Uber, Microsoft, Facebook, Google, and even suing the Commission when it has failed to enforce its own orders. (Sep. 28, 2017)
  • EPIC Urges Public Comments on FTC Settlement with Uber: EPIC is urging the public to comment on the proposed FTC settlement with Uber regarding consumer privacy. (Federal Register Notice). The FTC settlement follows EPIC's 2015 complaint, which detailed Uber's secretive tracking of customers and surreptitious collection of user data. The proposed settlement requires regular privacy audits of Uber by third parties but fails to make substantial changes in the companies business practices or require the company to delete the personal data that was wrongfully obtained. The deadline to file a comment with the FTC is September 15, 2017. The FTC is required to consider public comments before finalizing a proposed settlement. EPIC has previously pursued FTC complaints concerning Google, Facebook, WhatsApp, and Snapchat. EPIC also recently filed an FTC complaint to stop Google from tracking in-store purchases. (Sep. 6, 2017)

Summary of EPIC's Facebook Complaint

On May 7, 2010, EPIC and fourteen other organizations filed a complaint with the Federal Trade Commission, alleging that Facebook has engaged in unfair and deceptive trade practices. The complaint addresses Facebook's latest round of changes, including linking profile information, abolishing the 24 hour data retention limit for developers, instituting social plugins and "Instant Personalization," and the use of cookies by Facebook to track users' internet activity.

In the complaint, EPIC asks the FTC to open an investigation into Facebook, to compel Facebook to allow users to choose whether to link and publicly disclose personal information, to compel Facebook to restore its previous requirement that developers retain user information for no more than 24 hours, and to compel Facebook to make its data collection practices clearer and more comprehensible. The following organizations signed onto the complaint:

  • The Electronic Privacy Information Center
  • The Bill of Rights Defense Committee
  • The Center for Digital Democracy
  • The Center for Financial Privacy and Human Rights
  • Center for Media and Democracy
  • Consumer Federation of America
  • Consumer Task Force for Automotive Issues
  • Consumer Watchdog
  • FoolProof Financial Education
  • Patient Privacy Rights
  • Privacy Activism
  • Privacy Journal
  • The Privacy Rights Clearinghouse
  • The U.S. Bill of Rights Foundation
  • U.S. PIRG

Background

Facebook

Facebook is a social networking site founded in 2004 by Harvard student Mark Zuckerberg. The site “connects people with friends and others who work, study and live around them.” As of December 2009, Facebook has nearly 150 million users in the United States.

Facebook and Privacy

Facebook has had a controversial history with respect to privacy. In 2006, Facebook launched a feature called “News Feed” which allowed users to track their friends’ Facebook updates and activity in real time. Within 24 hours, hundreds of thousands of the site’s users protested the feature. One Facebook group, “Students against Facebook News Feed” grew to 284,000 members within just a few days. As a result of the widespread protest, Mark Zuckerberg wrote an open letter to Facebook users, apologizing for doing a “bad job of explaining what the new features were and an even worse job of giving you control of them." Facebook then updated its privacy settings to allow for more user control over the News Feed Feature.

In 2007, Facebook launched Facebook Beacon, which allowed a Facebook user’s purchases to be publicized on their friends’ News Feed after transacting with third-party sites. Users were unaware that such features were being tracked, and the privacy settings originally did not allow users to opt out. As a result of widespread criticism, Facebook Beacon was shut down in 2009.

In February 2009, Facebook changed its Terms of Service. The new TOS allowed Facebook to use anything a user uploads to the site for any purpose, at any time, even after the user ceased to use Facebook. Further, the TOS did not provide for a way that users could completely close their account. Rather, users could “deactivate” their account, but all the information would be retained by Facebook, rather than deleted. EPIC planned to file an FTC complaint, alleging that the new Terms of Service violated the FTC Act Section 5, and constituted “unfair and deceptive trade practices.” In response to this planned complaint, and user criticism, Facebook returned to its previous Terms of Service.

EPIC's Previous Facebook Complaint

In late 2009, Facebook rolled out another round of changes which required mandatory disclosure of profile information that had previously been protected by users' privacy settings. The site automatically made some user information, including users' names, profile pictures, friends lists, fan pages, gender, and networks, available to the public, including to third-party developers, without offering users a choice to opt-out. The new Facebook privacy policy stated that “certain categories of information . . . are considered publicly available to everyone, including Facebook-enhanced applications, and therefore do not have privacy settings.” Consequently, users could no longer control who views certain types of information and could not prevent third-party applications from viewing certain types of information. EPIC, along with several other organizations, filed a complaint and supplemental complaint, with the FTC, citing "unfair and deceptive trade practices," and urging the agency to investigate.

EPIC filed a supplemental complaint regarding several Facebook services, including Facebook Connect and iPhone syncing. EPIC alleged that Facebook's representations regarding Facebook Connect and iPhone syncing were unfair and deceptive because users who employ the services are not informed beforehand that they will no longer have control over their information.

To date, the FTC has failed to take any action regarding these complaints.

EPIC's FTC Complaint

EPIC’s FTC complaint is signed by a number of other organizations, including the Bill of Rights Defense Committee, the Center for Digital Democracy, the Center for Financial Privacy and Human Rights, the Center for Media and Democracy, the Consumer Federation of America, the Consumer Task Force for Automotive Issues, Consumer Watchdog, FoolProof Financial Education, Patient Privacy Rights, Privacy Activism, Privacy Journal, the Privacy Rights Clearinghouse, the U.S. Bill of Rights Foundation, and U.S. PIRG.

The complaint highlights several aspects of Facebook’s most recent changes that threaten its users’ privacy. The complaint focuses on Facebook's unfair and deceptive trade practice of sharing of user information with the public and with third-party application developers. First, the complaint argues that Facebooks decision to force users to make previously protected information "publicly available" is an unfair practice. Second, the complaint argues that Facebook’s new social plugins and instant personalization are misleading and deceptive. Third, Facebook deceives users by not clearly informing them about cookies which Facebook uses to track users' internet activity. Fourth, Facebook's decision to allow developers to maintain user information indefinitely contradicts its previous policies and assurances to users.

Facebook now requires mandatory disclosure of even more information, including users' music, film, television, and literature preferences, employment information, educational information, current city, hometown, activities, interests, and likes and dislikes. Facebook forced users to convert information that had previously been protected under privacy settings into "links," which are "publicly available" information. Users were not given a choice to opt-out of this process. Users could either convert profile information into "links" or Facebook would remove the information from that user's profile. These changes contradict earlier assurances made by the company that users would be empowered to protect their information because, as Facebook stated, "you may not want everyone in the world to have the information you share on Facebook.”

The changes also contradict users' reasonable expectation about their privacy. Facebook allows users to adjust their privacy settings, but these adjustments have no practical effect on the public availability of information such as pages, links, employment information, and film and music preferences. Even if a user adjusts her settings so this information is limited to "friends only," the information may not be visible on the user's profile, but it is still publicly available elsewhere.

EPIC's complaint also alleges that Facebook's social plugin program is unfair and deceptive. Facebook has also developed a social plugin program that encourages users to interact with websites across the internet. “Social plugins” are buttons or boxes that appear on third party websites that prompt a Facebook user to click on or comment on items of interest. For example, is a user chooses to "Like" a news article by clicking on a "Like" button, this action is displayed on the third party website, disclosed to the user's friends and appears on the user's Facebook profile. This interaction results in user information being shared with those websites and the user's interaction being published to her friends on her "news feed." This sharing of information is not apparent to users, though, because all that users see when they navigate to a social plugin site is a small "like" or "recommend" button. There is nothing about the button which indicates the vast underlying exchange of information that occurs when a user clicks on it.

Facebook's new Instant Personalization feature is also problematic. Instant personalization allows three partner websites - Microsoft Docs, Pandora, and Yelp - to use cookies and users' "publicly available" information to serve Facebook users a tailored "experience." Pandora, for example, uses information in a user's profile to serve him music based on his stated music preferences and his friends' music preferences. Facebook disclosed user information to these three partner sites without users ever granting their permission.

Facebook has also changed its developer data retention rule in a way that profoundly affects users, without ever gaining users' consent. Previously, Facebook had limited developers data retention by mandating that developers delete user information after 24 hours. That rule was abolished to allow developers to maintain user information indefinitely.

Facebook has also failed to be transparent regarding its use of cookies. Facebook uses cookies to track users across the internet, destroying their ability to surf the internet anonymously. EPICs complaint argues that the use of cookies is not obvious to Facebook users or controllable under the privacy settings.

These changes together amount to a massive disclosure of user information that had previously been protected under users' privacy settings. This information has now been disclosed to third parties and can be retained indefinitely.

FTC Authority to Act

The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.

Legal Documents

News Stories and Blog Items

Share this page:

Support EPIC

EPIC relies on support from individual donors to pursue our work.

Defend Privacy. Support EPIC.

#Privacy