In re Facebook II
- In Facebook Case, Ninth Circuit Ignores Privacy Risks of Visits to Healthcare Websites: In a surprisingly brief opinion, the Ninth Circuit has upheld a decision to dismiss a privacy suit against Facebook concerning the collection of sensitive medical data. In Smith v. Facebook, users alleged that the company tracked their visits to healthcare websites, in violation of the websites' explicit privacy policies. In a little less than five pages, the Ninth Circuit decided that Facebook was not bound by the promises made not to disclose users' data to Facebook because Facebook has a provision, buried deep in its own policy, that allows Facebook to secretly collect such data. The court actually wrote that searches for medical information are not sensitive because the "data show only that Plaintiffs searched and viewed publicly available health information..." EPIC filed an amicus brief in the case, arguing that "consent is not an acid rinse that dissolves common sense." In 2011 Facebook settled charges with the FTC that it routinely changed the privacy settings of users to obtain sensitive personal data. The consent order resulted from detailed complaints brought by EPIC and several other consumer organizations. (Dec. 7, 2018)
- Facebook's Response to Congress Provides More Evidence of Consent Order Violations: Late Friday afternoon, Facebook submitted over 700 pages of responses to questions from members of Congress following Mark Zuckerberg's testimony in April. Facebook has now admitted that it provided developers and device makers access to personal data despite publicly stating that it had discontinued the practice. In April EPIC submitted a detailed letter to Congress, explaining that the Cambridge Analytica breach could have been avoided if the FTC had enforced the 2011 Consent Order. That Consent Order was the result of extensive complaints EPIC and consumer organizations filed with the FTC in 2009 and 2010. In March, the Acting Director of the FTC stated "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." In a recent memo, FTC Commissioner Rohit Chopra stated that "FTC orders are not suggestions." (Jul. 2, 2018)
- EPIC Urges Appeals Court to Protect Consumers Against Invasive Cookie Tracking Practices: EPIC has filed an amicus brief with the Ninth Circuit Court of Appeals in In re: Facebook, Inc. Internet Tracking Litigation. At issue is whether Facebook violated the privacy rights of users by tracking their web browsing even after they logged out of the platform. EPIC explained that cookies "no longer serve the interests of users" and instead "tag, track, and monitor users across the Internet." EPIC said a lower court wrongly concluded that users should develop countermeasures to assert their privacy rights. EPIC responded that it would be absurd to expect users to compete in a "technical arms race" when "Facebook's tracking techniques are designed to escape detection and the company routinely ignores users' privacy protections." EPIC first identified the privacy risks of cookie tracking in a 1997 report "Surfer Beware: Personal Privacy and the Internet." EPIC frequently participates as amicus curiae in consumer privacy cases, including hiQ Labs v. LinkedIn and Eichenberger v. ESPN. (Jun. 27, 2018)
- US Consumer Groups Urge FTC To Examine 'Deceived by Design' Practices: EPIC and a coalition of consumer organizations sent a letter to the FTC about recent tactics by Facebook and Google to trick users into disclosing personal data. "We urge you to investigate the misleading and manipulative tactics of the dominant digital platforms in the United States, which steer users to 'consent' to privacy-invasive default settings," the letter states. The letter highlights a report by the Norwegian Consumer Council entitled "Deceived by Design," which details how companies employ numerous tricks and tactics to nudge users into selecting the least privacy-friendly options. EPIC and consumer privacy organizations previously filed complaints with the FTC when Facebook undermined users' privacy settings and Google automatically opted users into Google Buzz. In both cases, the FTC determined that the companies had engaged in "unfair and deceptive trade practices." Both Facebook and Google settled with the FTC and were then subject to 20 year consent orders that were intended to prevent the companies from engaging in similar practices in the future. (Jun. 27, 2018)
- At Senate Hearing, Former FTC CTO States That Facebook Violated FTC Consent Order: In a Senate Commerce Committee hearing today on Facebook and data privacy, former FTC CTO Ashkan Soltani stated that Facebook violated the 2011 FTC Consent Order by transferring personal data to Cambridge Analytica and device makers contrary to user privacy expectations. Soltani said that Facebook continued to misrepresent the extent to which users could control their privacy settings and allowed device makers to override users' privacy settings. Senator Blumenthal and other members of Congress had previously said the company violated the Consent Order, which was the result of complaints filed by EPIC in 2009 and 2010. In a statement to the Committee in advance of the hearing, EPIC urged the Senate to focus on the FTC's failure to enforce the Consent Order with Facebook. (Jun. 19, 2018)
- EPIC Urges Senate Committee to Focus on Consent Order with Facebook: EPIC has sent a statement to the Senate Commerce Committee outlining the FTC's failure to enforce the 2011 Consent Order with Facebook. The statement from EPIC is for a hearing on "Cambridge Analytica and Other Facebook Partners: Examining Data Privacy Risks." In 2009, EPIC and several consumer groups pursued a complaint, containing detailed evidence, legal theories, and proposed remedies to address growing concerns about Facebook's data practices. The FTC established a Consent Order in 2011, but failed to enforce the Order even after EPIC sued the agency in a related matter. In the statement to the Senate this week, EPIC contends that the FTC could have prevented the Cambridge Analytica debacle and Facebook's secret arrangements with device makers if the agency enforced the 2011 Order. (Jun. 19, 2018)
- Facebook Overrode Users’ Privacy Settings And Allowed Device Makers To Access Personal Data: Facebook had secret arrangements with at least 60 device makers granting them access to users' personal data, according to a report by the New York Times. Facebook overrode users privacy settings to allow companies to access sensitive information that users' had explicitly set to private. These arrangements directly contradict Facebook's previous statements that it cut off third party access to user data in 2015. Facebook is already under FTC investigation for violating a 2011 Consent Order that EPIC and consumer privacy organizations obtained. The Order bars Facebook from disclosing data to third parties without explicit consent. EPIC recently urged the FTC to enforce the Consent Order following revelations that Facebook allowed Cambridge Analytica to access the data of 87 million users. In a recent memo, FTC Commissioner Rohit Chopra stated that "FTC orders are not suggestions." (Jun. 5, 2018)
- EPIC Obtains Partial Release of 2017 Facebook Audit: EPIC has obtained a redacted version of the 2017 Facebook Assessment required by the 2012 Federal Trade Commission Consent Order. The Order required Facebook to conduct biennial assessments from a third-party auditor of Facebook's privacy and security practices. In March, EPIC filed a Freedom of Information Act request for the 2013, 2015, and 2017 Facebook Assessments as well as related records. The 2017 Facebook Assessment, prepared by PwC, stated that "Facebook's privacy controls were operating with sufficient effectiveness" to protect the privacy of users. This assessment was prepared after Cambridge Analytica harvested the personal data of 87 million Facebook users. In a statement to Congress for the Facebook hearings last week, EPIC noted that FTC Commissioners represented that the Consent Order protected the privacy of hundreds of millions of Facebook users in the United States and Europe. (Apr. 20, 2018)
- Senator Blumenthal Calls On FTC To Enforce Consent Order Against Facebook: Senator Richard Blumenthal (D-CT) has called for "monetary penalties that provide redress for consumers and stricter oversight" in a letter to the Federal Trade Commission. Senator Blumenthal focused on the FTC's 2011 Consent Order that EPIC, and a coalition of consumer groups obtained, after preparing a detailed complaint in 2009. Referring to the Cambridge Analytica scandal, Senator Blumenthal wrote that "three of the FTC's claims concerned the misrepresentation of verification and privacy preferences of third-party apps." Senator Blumenthal also raised questions about the FTC's monitoring of the consent order, noting that "even the most rudimentary oversight would have uncovered these problematic terms of service." And the Senator stated, "The Cambridge Analytica matter also calls into question Facebook's compliance with the consent decree's requirements to respect privacy settings and protect private information." EPIC and other consumer groups recently urged the FTC to reopen the investigation. The FTC has confirmed that an investigation of Facebook is now underway. (Apr. 20, 2018)
- EPIC Urges Senate to Focus on FTC Consent Order with Facebook: In advance of a joint hearing about Facebook's failure to protect the personal data of users, EPIC has sent a comprehensive statement to the Senate Committee on the Judiciary and the Senate Committee on Commerce. EPIC is urging the Senators to focus on the 2011 Consent Order between Facebook and the Federal Trade Commission. In 2009, EPIC and a coalition of consumer groups presented the FTC with a complaint, containing detailed evidence, legal theories, and proposed remedies to address growing concerns about Facebook. The FTC adopted a Consent Order in 2011, based on EPIC's Complaint, but failed to enforce the Order even after EPIC sued the agency in a related matter. In numerous comments to the FTC, EPIC and others urged the FTC to enforce its consent order. In the statement to the Senate this week, EPIC contends that the Cambridge Analytica debacle could have been prevented if the FTC enforced the Order. (Apr. 9, 2018)
In the complaint, EPIC asks the FTC to open an investigation into Facebook, to compel Facebook to allow users to choose whether to link and publicly disclose personal information, to compel Facebook to restore its previous requirement that developers retain user information for no more than 24 hours, and to compel Facebook to make its data collection practices clearer and more comprehensible. The following organizations signed onto the complaint:
- The Electronic Privacy Information Center
- The Bill of Rights Defense Committee
- The Center for Digital Democracy
- The Center for Financial Privacy and Human Rights
- Center for Media and Democracy
- Consumer Federation of America
- Consumer Task Force for Automotive Issues
- Consumer Watchdog
- FoolProof Financial Education
- Patient Privacy Rights
- Privacy Activism
- Privacy Journal
- The Privacy Rights Clearinghouse
- The U.S. Bill of Rights Foundation
- U.S. PIRG
Facebook is a social networking site founded in 2004 by Harvard student Mark Zuckerberg. The site “connects people with friends and others who work, study and live around them.” As of December 2009, Facebook has nearly 150 million users in the United States.
Facebook and Privacy
Facebook has had a controversial history with respect to privacy. In 2006, Facebook launched a feature called “News Feed” which allowed users to track their friends’ Facebook updates and activity in real time. Within 24 hours, hundreds of thousands of the site’s users protested the feature. One Facebook group, “Students against Facebook News Feed” grew to 284,000 members within just a few days. As a result of the widespread protest, Mark Zuckerberg wrote an open letter to Facebook users, apologizing for doing a “bad job of explaining what the new features were and an even worse job of giving you control of them." Facebook then updated its privacy settings to allow for more user control over the News Feed Feature.
In 2007, Facebook launched Facebook Beacon, which allowed a Facebook user’s purchases to be publicized on their friends’ News Feed after transacting with third-party sites. Users were unaware that such features were being tracked, and the privacy settings originally did not allow users to opt out. As a result of widespread criticism, Facebook Beacon was shut down in 2009.
In February 2009, Facebook changed its Terms of Service. The new TOS allowed Facebook to use anything a user uploads to the site for any purpose, at any time, even after the user ceased to use Facebook. Further, the TOS did not provide for a way that users could completely close their account. Rather, users could “deactivate” their account, but all the information would be retained by Facebook, rather than deleted. EPIC planned to file an FTC complaint, alleging that the new Terms of Service violated the FTC Act Section 5, and constituted “unfair and deceptive trade practices.” In response to this planned complaint, and user criticism, Facebook returned to its previous Terms of Service.
EPIC's Previous Facebook Complaint
EPIC filed a supplemental complaint regarding several Facebook services, including Facebook Connect and iPhone syncing. EPIC alleged that Facebook's representations regarding Facebook Connect and iPhone syncing were unfair and deceptive because users who employ the services are not informed beforehand that they will no longer have control over their information.
To date, the FTC has failed to take any action regarding these complaints.
EPIC’s FTC complaint is signed by a number of other organizations, including the Bill of Rights Defense Committee, the Center for Digital Democracy, the Center for Financial Privacy and Human Rights, the Center for Media and Democracy, the Consumer Federation of America, the Consumer Task Force for Automotive Issues, Consumer Watchdog, FoolProof Financial Education, Patient Privacy Rights, Privacy Activism, Privacy Journal, the Privacy Rights Clearinghouse, the U.S. Bill of Rights Foundation, and U.S. PIRG.
The complaint highlights several aspects of Facebook’s most recent changes that threaten its users’ privacy. The complaint focuses on Facebook's unfair and deceptive trade practice of sharing of user information with the public and with third-party application developers. First, the complaint argues that Facebooks decision to force users to make previously protected information "publicly available" is an unfair practice. Second, the complaint argues that Facebook’s new social plugins and instant personalization are misleading and deceptive. Third, Facebook deceives users by not clearly informing them about cookies which Facebook uses to track users' internet activity. Fourth, Facebook's decision to allow developers to maintain user information indefinitely contradicts its previous policies and assurances to users.
Facebook now requires mandatory disclosure of even more information, including users' music, film, television, and literature preferences, employment information, educational information, current city, hometown, activities, interests, and likes and dislikes. Facebook forced users to convert information that had previously been protected under privacy settings into "links," which are "publicly available" information. Users were not given a choice to opt-out of this process. Users could either convert profile information into "links" or Facebook would remove the information from that user's profile. These changes contradict earlier assurances made by the company that users would be empowered to protect their information because, as Facebook stated, "you may not want everyone in the world to have the information you share on Facebook.”
The changes also contradict users' reasonable expectation about their privacy. Facebook allows users to adjust their privacy settings, but these adjustments have no practical effect on the public availability of information such as pages, links, employment information, and film and music preferences. Even if a user adjusts her settings so this information is limited to "friends only," the information may not be visible on the user's profile, but it is still publicly available elsewhere.
EPIC's complaint also alleges that Facebook's social plugin program is unfair and deceptive. Facebook has also developed a social plugin program that encourages users to interact with websites across the internet. “Social plugins” are buttons or boxes that appear on third party websites that prompt a Facebook user to click on or comment on items of interest. For example, is a user chooses to "Like" a news article by clicking on a "Like" button, this action is displayed on the third party website, disclosed to the user's friends and appears on the user's Facebook profile. This interaction results in user information being shared with those websites and the user's interaction being published to her friends on her "news feed." This sharing of information is not apparent to users, though, because all that users see when they navigate to a social plugin site is a small "like" or "recommend" button. There is nothing about the button which indicates the vast underlying exchange of information that occurs when a user clicks on it.
Facebook has also changed its developer data retention rule in a way that profoundly affects users, without ever gaining users' consent. Previously, Facebook had limited developers data retention by mandating that developers delete user information after 24 hours. That rule was abolished to allow developers to maintain user information indefinitely.
These changes together amount to a massive disclosure of user information that had previously been protected under users' privacy settings. This information has now been disclosed to third parties and can be retained indefinitely.
The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.
- EPIC's FTC Complaint in In re Facebook (filed May 5, 2010).
- EPIC's Previous FTC Complaint in In re Facebook (filed December 17, 2009).
- EPIC's Previous Supplemental Complaint in In re Facebook (filed January 14, 2010).
- Federal Trade Commission, LifeLock Will Pay $12 Million to Settle Charges by the FTC and 35 States That Identity Theft Prevention and Data Security Claims Were False (March 9, 2010).
- Federal Trade Commission, ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress (December 6, 2006).
- United States v. ChoicePoint, No. 06-CV-0198 (N.D. Ga. Feb. 10, 2006).
- Federal Trade Commission, Microsoft Settles FTC Charges alleging False Security and Privacy Provisions (August 8, 2002).
- In re Microsoft Corp. (Fed. Trade Comm'n Dec. 20, 2002).
- Federal Trade Commission: Section 5 Enforcement Actions
- Ryan Singel, Privacy Flare-Up Prompts Facebook Meetings with Congress, Employees, Wired (May 13, 2010).
- Christopher Breen, Why I Left Facebook, PC World (May 13, 2010).
- Ian Paul, Facebook Plans a Privacy Summit, PC World (May 13, 2010).
- Mike Pearson, European Authorities Join Facebook Privacy Dogpile, Tech News World (May 12, 2010).
- Nick O'Neill, Facebook Calls All Hands Meeting on Privacy All Facebook (May 12, 2010).
- Facebook Executive Answers Readers Questions, The New York Times Blog (May 11, 2010).
- Lee Goessi, Facebook prepares to defend privacy policies: Several Facebook complaints filed with FTC, Helium (May 11, 2010).
- Nicholas Carlson, Facebook Users' Names, Email, Location, And Photos Exposed On Yelp, San Francisco Chronicle (May 11, 2010).
- Ki Mae Heussner, Quitting Facebook: What Happens When You Deactivate, ABC (May 11, 2010).
- Dylan Tynan, How Facebook Pulled a Privacy Bait and Switch, PC World (May 11, 2010).
- How to Put Facebook on a Privacy Lockdown, San Francisco Chronicle (May 11, 2010).
- Chloe Albanesius, Facebook Denies Hiring Former FTC Chief Muris, PC Magazine (May 10, 2010).
- Scott M. Fulton, III, Facebook to Fight Privacy Complaint with Help of Former FTC Chairman, Beta News (May 10, 2010).
- Steve O'Hear, Facebook’s Byzantine Privacy Controls Produce More Confusion,Tech Crunch (May 10, 2010).
- Avanti Kumar, Facebook's International Users Share Privacy Concerns, PC World (May 9, 2010).
- By Jennifer Valentino-DeVries, Visualizing Your Privacy on Facebook, The Wall Street Journal (May 7, 2010).
- Privacy groups take Facebook complaint to US regulators, AFP (May 7, 2010).
- Jacqui Cheng, Privacy Groups Complain to FTC over Facebook Privacy Tweaks, Ars Technica (May 7, 2010).
- Congress Asked to Push Facebook Probe, UPI.com (May 7, 2010).
- Mark Hachman, Facebook Targeted by New FTC Complaint, PC Magazine (May 7, 2010).
- Alison Diana, Facebook Faces FTC Complaint, Information Week (May 7, 2010).
- Ian Paul, Facebook Privacy Complaint, A Complete Breakdown, PC World (May 6, 2010).
- Douglas MacMillan, Facebook Policies Draw Criticism From Privacy Groups, Business Week (May 6, 2010).
- Wendy Davis, EPIC Files Complaint About New Facebook Features, Media Post (May 5, 2010).
- Jenna Wortham, Facebook Glitch Brings New Privacy Worries, New York Times (May 5, 2010).
- Dan Yoder, 10 Reasons To Delete Your Facebook Account, Business Insider (May 3, 2010).
- Caroline McCarthy, Activist Groups Launch New Facebook Offensive, CNET (Apr. 30, 2010)
- Mike Swift, Facebook Slammed Over Privacy Concerns, Mercury News (Apr. 28, 2010).
- Riva Richmond, Facebook Stirs Privacy Concerns Again, New York Times (Apr. 27, 2010).
- Michael Liedtke, Senators See Privacy Problem in Facebook Expansion, The Sydney Morning Herald (Apr. 27, 2010).
- Gerrick D. Kennedy Senators Urge Facebook to Protect User Privacy, Los Angeles Times, Comments Blog (Apr. 27, 2010).
- Ben Elowitz, Facebook's Like Button: A Force Powerful Enough to Save Media from Google Search Huffington Post (Apr. 27, 2010).
- Irene North, People concerned over more Facebook privacy changes, The Daily Censored (Apr. 26, 2010).
- Chloe Albanesius, Schumer Asks FTC to Investigate Privacy of Facebook, Other Sites, PC Magazine (April 26, 2010).
- Kristin Burnham, Facebook Privacy Changes: 5 Can’t-Miss Facts, CIO (Apr. 23, 2010).
- Gina Trapani, Time to Audit Your Facebook Privacy Settings, Here’s How, Fast Company Magazine (Apr. 23, 2010).
- Rob Pegoraro, As Facebook users fret over its wider reach, Post readies opt-out, Faster Forward, The Washington Post (Apr. 23, 2010).
- Riva Richmond, How to Opt Out of Facebook’s Instant Personalization, Gadgetwise Blog, The New York Times (Apr. 23, 2010).
- Kurt Opsahl, How to Opt Out of Facebook’s Instant Personalization, Deeplink Blog (Apr. 22, 2010).
- Mathew Ingram, Your Mom’s Guide to Those Facebook Changes, and How to Block Them, Gigaom (Apr. 22, 2010.
- Kurt Opshal, How to Opt Out of Facebook’s Instant Personalization Deeplinks Blog, (Apr. 22, 2010).
- Christina Warren, Facebook Open Graph: What it Means for Privacy, Mashable (Apr. 21, 2010).
- Maurice Cacho, Toss out your privacy as Facebook becomes more stalker-ish, MSN Tech & Gadgets (Apr. 21, 2010).