Posted on July 30 2019
FTC v Facebook
Apologies, I thought I had hit the publish button last week when (an hour after the Mueller hearing commenced) the Justice Department published the $5,000,000,000.00 Facebook fine. Note the time and date stamp of the DOJ announcement via Twitter:
Facebook Agrees to Pay $5 Billion and Implement Robust New Protections of User Information in Settlement of Data-Privacy Claims https://t.co/1FWDe0bghK— Justice Department (@TheJusticeDept) July 24, 2019
As a painful and awkward reminder let’s not forget Zuck’s Congressional Hearing “moments” - the Washington Post created this excellent mashup:
It has always bothered me that Facebook’s PWC Audits were never discussed at length. I could be wrong but the premise of the FTC consent decree was to force Facebook to execute tighter controls on data and user Privacy. Meaning one could and should infer that the annual audits should have detected unauthorized extraction of user data by a third party. It’s not like I didn’t link to the FTC Facebook FOIA docket that contains all their audits. So in case you missed the previously embedded link, you can pull the audits down via this (public) link.
Setting aside the ever-growing Facebook & Cambridge Analytica mess, which was previously discussed here, and their FTC woes, discussed here, and the State Attorneys General letter to Facebook, discussed here, and the Cook County State’s Attorney lawsuit, discussed here, and the Class Action Complaint regarding Facebook’s storage of pictures and push for facial recognition, found here - it is refreshing to read actual Enforcement Actions. Granted, you might disagree with me, but I personally think the FTC & DOJ fine was incredibly weak, as further explained below.
Facebook Fined & 2012 FTC Case re-opened
At a certain point you have to wonder why users are still on Facebook. If the past is really prologue then Facebook should be regulated into financial insolvency. The one priceless commodity that can rarely ever be recaptured is “customer trust” - Facebook has repeatedly violated their customers’ trust and yet they continue to make minimal efforts to remedy their actions.
The Government alleges that Facebook violated an administrative order issued by the FTC in 2012 by misleading users about the extent to which third-party application developers could access users’ personal information. The complaint further alleges that Facebook violated the Federal Trade Commission Act by deceiving users about their use of this and additional sensitive information.
As reflected in the stipulated order filed with the complaint, Facebook has agreed to settle these allegations by paying a $5 billion civil penalty and implementing robust, new compliance measures that will change how Facebook prioritizes and approaches user privacy issues. These new compliance measures include appointment of an independent assessor to monitor Facebook’s conduct, privacy reviews for all new or modified Facebook products, establishment of a new Independent Privacy Committee on Facebook’s Board of Directors, annual compliance certifications by Facebook CEO Mark Zuckerberg, and various reporting and record-keeping requirements. Under the stipulated order, the Department of Justice and FTC will share responsibility for monitoring and enforcing Facebook’s compliance.
The Government refiled their Complaint on July 25, 2019. I’ve taken the liberty of uploading it to my public Google Drive, found here. Upon re-reading the Complaint I noticed on pages 3 & 4 - paragraph # 7 - what appears to be a new data point. As previously discussed, the FTC 2012 Consent Decree required Facebook to implement processes to ensure the privacy of their users. This also required Facebook to make clear and concise disclosures - yet four months after the 2012 FTC Order, Facebook (without notice) removed the following disclosure:
..added a disclaimer to its Privacy Settings page, warning users that information shared with Facebook Friends could also be shared with the apps those Friends used. However, four months after the 2012 Order was finalized, Facebook removed this disclaimer—even though it was still sharing Affected Friends data with third-party developers and still using the same separate opt-out setting that undermined users’ privacy choices before entry of the Commission Order.
As the Complaint alleges, on April 30, 2014 at Facebook’s F8 2014: Stability for Developers & More Control for People - Facebook designated a “whitelist developer” as part of their “private arrangements” - these arrangements were not disclosed to Facebook users, and they allowed Facebook’s private arrangements to continue scraping user data until June 2018.
Among the rampant “deceptive practices” Facebook used (see paragraph # 13): from November 2015 to at least March 2018, Facebook solicited personal information from their users under the guise of “improving security” via the implementation of a two-step authentication process - which included users’ mobile numbers - and Facebook used that information to (I assume) better target advertising.
As you might recall in April of 2018 Facebook made a series of announcements informing their users that they rolled out facial recognition. These announcements caused many to sound the alarm and launched at least two class action complaints (previously discussed here). Those concerns were knocked down by Facebook but as paragraph #14 clearly explains - the concerns were real and illustrated Facebook’s violation of the FTC 2012 Order:
Keep in mind - yes, a $5 billion fine is a new record, but to put that fine into better context: in 2018 all of Facebook’s $55.8 billion in revenues came from advertising. So that fine looks relatively small when compared to advertising revenues. As previously mentioned, this new Action was a two for one. Below are the various filings which have now been added to the FTC Facebook Docket:
One really important datapoint is that the FTC’s new 20-year settlement order completely overhauls and supersedes the previous 20-year Order (originally executed in 2012), so the term of the new order expires in 2039. This also gives the FTC and DOJ better (and far more improved) areas of Enforcement, therefore holding Facebook to heightened transparency and enforcement requirements, with a much weightier emphasis on Facebook’s privacy policies and decisions. The increased transparency of decisions, coupled with a separate component of Facebook’s board of directors, oddly defanged some of Zuckerberg’s power. Specifically, this new order:
establishes an independent privacy committee of Facebook’s board of directors, removing unfettered control by Facebook’s CEO Mark Zuckerberg over decisions affecting user privacy
Moreover, under this order Members of the (new) privacy committee must be:
“independent and will be appointed by an independent nominating committee. Members can only be fired by a supermajority of the Facebook board of directors.”
Below are a few new and nonnegotiable terms and conditions of the FTC Facebook Order. The order imposes significant new privacy requirements, including the following:
Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;
Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;
Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;
Facebook must establish, implement, and maintain a comprehensive data security program;
Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and
Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.
Becky...you got PNG by the FTC
Did you think I forgot about our (not) friend Cambridge Analytica? Nope I did not and guess who else didn’t forget? The F.T.C.
At this very moment I wonder just how Becky with the shitty hair is freaking out - on a scale of 0 to 100? I’m going with 93...
Federal Trade Commission filed an administrative complaint against data analytics company Cambridge Analytica, and filed settlements for public comment with Cambridge Analytica’s former chief executive and an app developer who worked with the company, alleging they employed deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting.
The GSRApp told app users:
In this part, we would like to download some of your Facebook data using our Facebook app. We want you to know that we will NOT download your name or any other identifiable information – we are interested in your demographics and likes.
The FTC alleges that Cambridge Analytica falsely claimed until at least November 2018 that it was a participant in the EU-U.S. Privacy Shield framework, even though the company allowed its certification to lapse in May 2018.
The FTC Cambridge Analytica Settlement has yet to be ratified but the following restrictions just delight the bleep out of me:
As part of the proposed settlement with the FTC, Kogan and Nix are prohibited from making false or deceptive statements regarding the extent to which they collect, use, share, or sell personal information, as well as the purposes for which they collect, use, share, or sell such information. In addition, they are required to delete or destroy any personal information collected from consumers via the GSRApp and any related work product that originated from the data.
You can read the FTC full docket of the aforementioned Cambridge Analytica defendants via the embedded links below:
At the end of the day - if you are not paying for a product then you need to accept that you are the product. Meaning every status update, every picture, every like and every comment that you’ve willingly given to Facebook - it’s partly your responsibility. Granted, that’s not applicable if your data was impermissibly scraped by Cambridge or via a third party app. The bottom line is you should always read the terms and conditions for any digital service you use.
P.S. One should start to wonder how soon the SEC files action against Facebook...yes I’m going there.