EPIC - In re Facebook

In re Facebook

EPIC's Complaint in the News |
Background |
EPIC’s FTC Complaint |
FTC’s Authority to Act |
Legal Documents |
News Stories and Blog Items |
Frequently Asked Questions |
In re Facebook II

Top News

With New Policy Changes, Facebook Tracks Users Across the Web: Over the objections of consumer privacy organizations, Facebook has implemented policy changes that allow the company to track users across the web without consent. The Dutch data protection commissioner launched an investigation after the original announcement. This week the a German privacy agency announced a similar investigation. Last year, EPIC and a coalition of consumer privacy groups urged the FTC to halt Facebook's plan to collect web-browsing information from its users. Facebook is already under a 20 year consent decree for changing users' privacy settings. The consent decree resulted from complaints brought by EPIC and others in 2009 and 2010. (Feb. 4, 2015)
Facebook Revises Privacy Policy: Facebook has again revised its privacy policy. Despite the new graphics, Facebook continues to collect and disclose enormous amounts of user data without meaningful consent. The use of location data has expanded dramatically. "We collect information from or about the computers, phones, or other devices where you install or access our Services," states Facebook. These include "device locations, including specific geographic locations, such as through GPS, Bluetooth, or Wi-Fi signals." Facebook is currently under a 20 year consent decree with the Federal Trade Commission as a consequence of a complaint brought by EPIC and coalition of consumer privacy organizations when the company changed the privacy settings of users. More recently consumer organizations in the US and Europe have objected to Facebook's decision to track the web activities of users and to profile offline purchase. Privacy groups have also objected to Facebook's manipulation of user news feeds. For more information, see EPIC: Facebook and EPIC: In re Facebook. (Dec. 5, 2014)
Facebook Responds to EPIC Complaint About "Emotions Study": Facebook has announced revised guidelines concerning user data the company discloses to researchers. In 2012, Facebook subjected 700,000 users to an "emotional" test by manipulating their News Feeds. Facebook did not get users' permission to conduct this study or notify users that their data would be disclosed to researchers. In response, EPIC filed a formal complaint to the Federal Trade Commission. "The company purposefully messed with people's minds," states the EPIC complaint. EPIC has also asked the FTC to require that Facebook make public the News Feed algorithm. Facebook is also currently under a 20 year consent decree from the FTC that requires Facebook to protect user privacy, as a result of complaints brought by EPIC and a coalition of consumer privacy organizations in 2009 and 2010. The new guidelines have improved Facebook's research process, but they still raise questions about human subject testing by advertising companies. EPIC still believes the NewsFeed algorithm should be made public. For more information, see EPIC: In re: Facebook (Psychological Study) and EPIC: Federal Trade Commission. (Oct. 2, 2014)
European Facebook Users Privacy Lawsuit Moves Forward: A group of over 25,000 European Facebook users may proceed with their lawsuit against Facebook. The users, led by privacy activist Max Schrems, sued Facebook in a court in Vienna. The users charge Facebook with violating EU privacy law by improperly handling users' data. Now that the court has approved the class action suit, Facebook must respond to the complaints. In 2011, Schrems brought a similar lawsuit against Facebook in an Irish court. In the same year, Facebook signed a consent order with the Federal Trade Commission, following a complaint filed by EPIC and a group of American consumer privacy organizations. EPIC has also filed an amicus brief in a federal class action lawsuit, opposing Facebook's use of children's images for advertising purposes. In 2013, EPIC gave the International Privacy Champion Award to Max Schrems, calling him "an innovative and effective spokesperson for the right to privacy." For more information, see EPIC: In re Facebook. (Aug. 26, 2014)
Following EPIC Complaint, Senator Seeks Investigation of Facebook User Manipulation Study: Senator Mark Warner has asked the Federal Trade Commission to investigate the legality of Facebook's emotional manipulation study. In a letter to the Commission, Senator Warner stated that "it is not clear whether Facebook users were adequately informed and given an opportunity to opt-in or opt-out." He asked the FTC to conduct an investigation to see "if this 2012 experiment violated Section 5 of the FTC Act or the 2011 consent agreement with Facebook," two issues raised in EPIC's earlier complaint. "The company purposefully messed with people's minds," wrote EPIC in a complaint to the Commission. EPIC charged that Facebook violated a consent decree that required the company to respect user privacy and also engaged in a deceptive trade practice. EPIC has asked the FTC to require that Facebook make public the News Feed algorithm. For more information, see EPIC: In re Facebook, EPIC: In re Facebook (Psychological Study), and EPIC: FTC. (Jul. 17, 2014)
EPIC Challenges Facebook's Manipulation of Users, Files FTC Complaint: EPIC has filed a formal complaint to the Federal Trade Commission concerning Facebook's manipulation of users' News Feeds for psychological research. "The company purposefully messed with people's minds," states the EPIC complaint. EPIC has charged that the study violates a privacy consent order and is a deceptive trade practice. In 2012, Facebook subjected 700,000 users to an "emotional" test with the manipulation of News Feeds. Facebook did not get users' permission to conduct this study or notify users that their data would be disclosed to researchers. In the complaint, EPIC explained that Facebook's misuse of data is a deceptive practice subject to FTC enforcement. Facebook is also currently under a 20 year consent decree from the FTC that requires Facebook to protect user privacy. The consent decree resulted from complaints brought by EPIC and a coalition of consumer privacy organizations in 2009 and 2010. EPIC has asked the FTC to require that Facebook make public the News Feed algorithm. For more information, see EPIC: In re Facebook, EPIC: In re Facebook (Psychological Study), and EPIC: FTC. (Jul. 3, 2014)
EPIC Urges FTC to Protect Snapchat Users' Privacy: EPIC has submitted comments to the Federal Trade Commission, urging the agency to require Snapchat to safeguard consumer privacy. Following a 2013 EPIC complaint, the FTC signed a consent order with Snapchat, the publisher of a mobile app that encourages users to share intimate photos and videos. Snapchat claimed that pictures and videos would "disappear forever," but that was false. As EPIC explained, "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted." EPIC expressed support for the findings in the proposed FTC Settlement with Snapchat. But EPIC recommended that the FTC require Snapchat to implement the Consumer Privacy Bill of Rights and make Snapchat's independent privacy assessments publicly available. EPIC pursued similar claims involving false promises about data deletion with AskEraser. EPIC has also made similar recommendation for other proposed FTC consumer privacy settlements. For more information, see EPIC: In re Google, EPIC: In re Facebook, and EPIC: FTC. (Jun. 10, 2014)
Federal Trade Commission Urges Court to Protect Student Privacy: The Federal Trade Commission is opposing the sale of student data in a bankruptcy proceeding for ConnectEDU. The company privacy policy promises it will give students "reasonable notice and an opportunity to remove personally identifiable information" from its website. The FTC said that the sale of student information "without reasonable notice to users and an opportunity to remove personal information would contradict the privacy statements originally made to users." The FTC letter also cites consent agreements with Snapchat, Google, and Facebook. Each of these consent orders was a result of an EPIC FTC complaint. Last year, EPIC filed an extensive complaint concerning Scholarships.com's business practices. The company encourages students to divulge sensitive medical, sexual, and religious information to obtain financial aid information. For more information, see EPIC: Student Privacy, EPIC: In re Google Buzz, EPIC: In re Facebook, and EPIC: Federal Trade Commission. (May. 29, 2014)
EU Court Rules Google Must Respect Right to Delete Links: The European Court of Justice has upheld the "right to be forgotten" and ruled that Google must delete links upon request concerning private life. The Court also determined that companies are subject to the EU Data Protection Directive and that jurisdiction extends to companies that set up a branch in an EU state. The Court said that since privacy is a fundamental right, it overrules the economic interests of the company and the public interest in access to the information. However this is not the case concerning one's activity in public life. EPIC has broadly supported the privacy rights of Internet users and the specific right to "expunge" information held by commercial firms. For more information, see EPIC - In re Facebook, EPIC - Expungement, and EPIC - G.D. v. Kenny. (May. 13, 2014)
EPIC's Snapchat Privacy Complaint Results in 20-Year FTC Consent Order: Following a 2013 EPIC complaint, the FTC has signed a consent order with Snapchat, the publisher of a mobile app that encourages user to share intimate photos and videos. Snapchat claimed that pictures and videos would "disappear forever." However, the images could be retrieved by others. As EPIC wrote in the complaint "Snapchat photos and videos remain available to others even after users are informed that the photos and videos have been deleted." In announcing the settlement, FTC Chairwoman Edith Ramirez said, "If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises. Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action." Under the settlement, Snapchat will be subject to 20 years of privacy audits, and will be prohibited from making false claims about its privacy policies. EPIC pursued similar claims involve false promises about data deletion with AskEraser. The FTC will be accepting Public Comments on the proposed Snapchat consent order. For more information, see EPIC: In re Google, EPIC: In re Facebook and EPIC: FTC. (May. 8, 2014)

EPIC's Complaint in the News

Notable Commentary on EPIC's Facebook Complaint
Chloe Albanesius, FTC Examines Privacy Complaint Against Facebook, PC Mag (January 19, 2010).
Peter Kafka, Feds to Facebook Privacy Critics: Let's Talk, All Things Digital (January 19, 2010).
John Letzing, FTC has 'particular interest' in Facebook Privacy, MarketWatch (January 19, 2010).
Frank Reed, Facebook Gets the Attention of the FTC, Marketing Pilgrim (January 19, 2010).
Wendy Davis, FTC Probes Facebook's EPIC Privacy Fail, Mediapost (January 18, 2010).
Benny Evangelista, As Facebook Thrives, Does Privacy Have to Fade?, San Francisco Chronicle (December 30, 2009).
Scott Duke Harris, Facebook: Social Networking Giant Extends Reach, Plans to Grow More in 2010, Chicago Tribune (December 24, 2009).
Jacqui Cheng, FTC Complaint says Facebook's Privacy Changes are Deceptive, Ars Technica (December 21, 2009).
Rahul Chatterjee, Facebook Faces Privacy Backlash with FTC Complaint, EBrandz (December 21, 2009).
Jenna Greene, Privacy Advocates Target Facebook, Law.com (December 21, 2009).
Lesly Simmons, EPIC Files FTC Complaint against Facebook over Latest Privacy Changes, BlackWeb 2.0 (December 21, 2009).
Brian Prince, Facebook Privacy: Just How Much do Users Want?, eWeek (December 20, 2009).
Wendy Grossman, Little Black Facebook, Pelican Crossing (December 19, 2009).
Mark Hefflinger, Privacy Groups File FTC Complaint over Changes to Facebook, Digital Media Wire (December 18, 2009).
Alexei Oreskovic, Facebook Privacy Backlash in FTC's Hands, Reuters (December 18, 2009).
Lalee Sadighi, Facebook Faces FTC Complaint, Red Herring (December 18, 2009).
Justin Sorkin, EPIC Complains to FTC about Facebook's Changes to Privacy Policy, Top News (December 18, 2009).
Lora Bentley, Watchdog Files FTC Complaint on Facebook Privacy Changes, IT Business Edge (December 17, 2009).
Larry Dignan, Privacy Groups File Complaint with FTC over Facebook Settings, ZDNet (December 17, 2009).
Fox 5 Top 5, Fox 5 News (December 17, 2009).
Kashmir Hill, Did Facebook Break the Law when it Changed Privacy Settings?, True Slant (December 17, 2009).
Tim Jones, The World Reacts to the New Facebook, EFF News Roundup (December 17, 2009).
Peter Kafka, Next Step in Facebook Privacy Blowback: The FTC Complaint. The Real Question: Will Advertisers Care?, All Things Digital (December 17, 2009).
Scott Kleinberg, Privacy has Facebook in Hot Water, Chicago Now (December 17, 2009).
Richard Koman, FTC Complaint Escalates Facebook's Privacy Woes, Newsfactor (December 17, 2009).
John Letzing, Privacy Groups File FTC Complaint against Facebook, MarketWatch (December 17, 2009).
Paul McDougall, Facebook Hit with FTC Complaint, InformationWeek (December 17, 2009).
Robert McMillan, Privacy Groups Bring Facebook Complaints to FTC, Computerworld (December 17, 2009).
Barbara Ortutay, Privacy Watchdog Files Complaint against Facebook, Washington Post (December 17, 2009).
Privacy Groups Complain to FTC about Facebook, Silicon Valley/San Jose Business Journal (December 17, 2009).
JC Raphael, Facebook Privacy Complaint Ignites War of Words, PC World (December 17, 2009).
Mark Sachoff, Privacy Group Files FTC Complaint about Facebook, WebProNews (December 17, 2009).
Ryan Singel, Facebook Privacy Changes Break the Law, Privacy Groups Tell FTC, Wired (December 17, 2009).
EPIC files FTC Complaint over Facebook's New Privacy Policy, Slashdot (December 17, 2009).
Brad Stone, Privacy Group Files Complaint on Facebook Changes, N.Y. Times (December 17, 2009).
Berin Szoka, Facebook Privacy Controls Change & EPIC's FTC Complaint, The Technology Liberation Front (December 17, 2009).
Joseph Tartakoff, Groups File Complaint with FTC over Facebook's New Privacy Settings, paidContent (December 17, 2009).
Jessica Vascellaro, Privacy Groups File Complaint on Facebook to FTC, Wall Street Journal (December 17, 2009).
Mark Walsh, Follow the Bouncing Valuation, MediaPost (December 17, 2009).

Background

Facebook

Facebook is a social networking site founded in 2004 by Harvard student Mark Zuckerberg. The site “connects people with friends and others who work, study and live around them.” As of December 2009, Facebook has nearly 150 million users in the United States.

Facebook Platform

Facebook offers a service called Facebook Platform, referred to as “Facebook-enhanced” applications. Facebook Platform “enables anyone to build social applications on Facebook and the web” in order to “make the web more open and social.” The Facebook Platform allows Facebook to transfer user personal data to other entities without their knowledge or meaningful consent.

Facebook and Privacy

Facebook has had a controversial history with respect to privacy. In 2006, Facebook launched a feature called “News Feed” which allowed users to track their friends’ Facebook updates and activity in real time. Within 24 hours, hundreds of thousands of the site’s users protested the feature. One Facebook group, “Students against Facebook News Feed” grew to 284,000 members within just a few days. As a result of the widespread protest, Mark Zuckerberg wrote an open letter to Facebook users, apologizing for doing a “bad job of explaining what the new features were and an even worse job of giving you control of them." Facebook then updated its privacy settings to allow for more user control over the News Feed Feature.

In 2007, Facebook launched Facebook Beacon, which allowed a Facebook user’s purchases to be publicized on their friends’ News Feed after transacting with third-party sites. Users were unaware that such features were being tracked, and the privacy settings originally did not allow users to opt out. As a result of widespread criticism, Facebook Beacon was shut down in 2009.

In February 2009, Facebook changed its Terms of Service. The new TOS allowed Facebook to use anything a user uploads to the site for any purpose, at any time, even after the user ceased to use Facebook. Further, the TOS did not provide for a way that users could completely close their account. Rather, users could “deactivate” their account, but all the information would be retained by Facebook, rather than deleted. EPIC planned to file an FTC complaint, alleging that the new Terms of Service violated the FTC Act Section 5, and constituted “unfair and deceptive trade practices.” In response to this planned complaint, and user criticism, Facebook returned to its previous Terms of Service.

Privacy Settings Update

In response to a complaint prompted by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) and submitted to Canadian Privacy Commissioner Jane Stoddart, Facebook announced plans to change its privacy policies and settings to provide for more user control over information and stronger privacy settings for its users. The changes were introduced in November 2009, and each Facebook user was prompted to review and update his privacy settings. Facebook also made changes to its privacy settings, which included making certain information, such as name, gender, friends lists, and current city, publicly available, with no option to limit searchability. Facebook submitted a complaint to the Federal Trade Commission, alleging that Facebook engages in unfair and deceptive trade practices. The complaint "urges the Commission to investigate Facebook, determine the extent of the harm to consumer privacy and safety, require Facebook to restore privacy settings that were previously available as detailed below, require Facebook to give users meaningful control over personal information, and seek appropriate injunctive and compensatory relief." For more information, visit EPIC's FAQ page on Facebook's new privacy settings.

EPIC's FTC Complaint

EPIC’s FTC complaint is signed by a number of other organizations, including the American Library Association, the Center for Digital Democracy, the Consumer Federation of America, FoolProof Financial Education, Patient Privacy Rights, Privacy Activism, the Privacy Rights Now Coaltion, the Privacy Rights Clearinghouse, and the U.S. Bill of Rights Foundation. The complaint highlights several aspects of Facebook’s recent changes that threaten its users’ privacy. The complaint focuses on the unfair and deceptive trade practices of Facebook with respect to sharing of user information with third-party application developers. First, the complaint argues that Facebook’s mandatory disclosure of information is an unfair practice. Second, the complaint argues that Facebook’s policies regarding third-party developers are misleading and deceptive.

Facebook now requires mandatory disclosure of certain information. The site automatically makes some user information available to the public, including to third-party developers, without offering users a choice to opt-out. The new Facebook privacy policy states that “certain categories of information . . . are considered publicly available to everyone, including Facebook-enhanced applications, and therefore do not have privacy settings.” In other words, users cannot control who can view certain types of information and cannot prevent third-party applications from viewing certain types of information. These changes were made despite previous representations by the company acknowledging their understanding that its users “may not want everyone in the world to have the information you share on Facebook.” The Chief Privacy Officer of Facebook testified in June 2009, “Users have extensive and precise controls available to choose who sees what among their networks and friends, as well as tools that give them the choice to make a limited set of information available to search engines and other outside entities.” According to the new Facebook policies, however, users no longer have the choice to make certain information available - it is mandatory, and users cannot opt out of allowing certain information to be publicly searchable.

EPIC’s complaint argues that policies regarding third-party developers are unclear and confusing. Further, the updated privacy policy provides for more sharing of information, and less user control over information. Third-party applications on Facebook have access to user information at the moment a user accesses an application website. According to Facebook, “to help those applications and sites operate, they receive publicly available information automatically when you visit them, and additional information when you formally authorize or connect your Facebook account with them.” Facebook explains that some information is automatically set to “Everyone,” which means the information is publicly available. According to Facebook’s privacy policy, you can “choose to opt-out of Facebook Platform and Facebook Connect altogether through your privacy settings.” Under Facebook’s new privacy settings, Facebook represents that users have control over what types of information a friend’s application can access.

Facebook does not allow for an easy way to opt out of Facebook Platform, or opt out of having information shared when a friend uses an application. Even when a user unchecks all boxes, which should prohibit applications from accessing any user data, Facebook notes that “applications will always be able to access your publicly available information (Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages) and information that is visible to Everyone.” Therefore, the “Everyone” setting overrides the settings a user chooses for third-party applications and websites.

Under Facebook’s previous privacy settings, Facebook allowed for more control over personal information. Facebook users were able to choose not to share “any information about me” to third-party application developers. This opt-out button is no longer available under Facebook’s new privacy settings.

FTC Authority to Act

The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.