With FTC Settlement, Expect Facebook to Violate Privacy Again and Again
Statement of Robert Weissman, President, Public Citizen
Note: Today, the Federal Trade Commission (FTC) released the details of its settlement with Facebook.
Facebook repeatedly violated its privacy policy. In 2011, it entered into a consent decree in which it promised not to violate its privacy policy again. But it did – over and over again.
At the end of the day, the FTC’s settlement amounts to Facebook remaking the promise to adhere to its own privacy policy, while reserving the right to change that policy at any time. Facebook users and the public should take no comfort in that.
In light of the company’s extraordinary record of privacy violations and its unparalleled reach across the globe and into users’ minds, elaborate procedural mechanisms that aim to ensure “compliance” are not going to do the trick.
Protecting Facebook users’ privacy requires structural change, substantive policies and impositions of liability to end Facebook’s improper and unprecedented corporate surveillance system.
The FTC settlement fails to deliver on those measures. It enables Facebook to escape genuine accountability for what it has done and leaves it likely that the company will betray its users yet again.
Structural change: Facebook has announced plans for two major shifts that pose massive risks to user privacy. The first is the integration of Facebook Messenger, Instagram and WhatsApp. The second is the launch of its new global, private currency, Libra. In light of Facebook’s atrocious privacy record, the FTC should have demanded it drop these two plans, each of which pose novel and unprecedented threats to consumers’ privacy.
Substantive policies: The bulk of the FTC settlement relies on elaborate processes to ensure Facebook complies with its own privacy policies. Based on Facebook’s record, and the general limitations of corporate “compliance” systems, there is every reason to be skeptical that this will make a difference. But even if Facebook “complies,” it is free to change its privacy policies unilaterally and at any time.
By contrast, the settlement does contain certain substantive requirements to protect user passwords. Other substantive provisions are, by and large, missing.
Commissioner Rohit Chopra explains that Facebook’s reliance on behavioral advertising – targeted advertising based on specific information about individual users’ actions – incentivizes Facebook to violate users’ privacy interests. In light of Facebook’s record of repeated privacy violations, the FTC settlement should have required an end to Facebook’s behavioral advertising system. The company would still be able to sell advertising in targeted ways – but it would not have the incentive to track every users’ click, every indication of their interests, thoughts, fantasies and proclivities.
Liability: The $5 billion fine imposed on Facebook is a large sum. But it is one readily absorbed by Facebook and not sufficient to deter the company from future wrongdoing. Equally important, it does not plainly disgorge from Facebook the ill-gotten gains resulting from its violations of its privacy policy and the 2011 consent decree.
As a company still led by its founder, who remains its largest shareholder, power at Facebook is concentrated in ways that are categorically different than other large, publicly traded corporations. Getting Facebook’s attention should have required an imposition of personal liability on Mark Zuckerberg – not just to make him liable in the future for improper certifications, but as part of this settlement.