A little over a week ago we learned that the Federal Trade Commission reached a settlement with Facebook, which the F.T.C. had charged with “unfair and deceptive” business practices. The grounds for the complaints against Facebook are familiar to anyone who has used the social network over the last several years: “Facebook, without warning its users or seeking consent, made public information that they had deemed to be private on their Facebook pages.” In essence, each of the counts in the complaint alleges a misrepresentation by Facebook about some aspect of its privacy policy, the effectiveness of the privacy settings it made available to users, or how much information it shared with advertisers.
Those of us who were on Facebook at the time the alleged misrepresentations occurred (mostly in 2009) remember fondly the viral status statements telling us, e.g., how we were now inviting Mark Zuckerberg into our homes to watch us shower, unless we immediately went and changed this or that setting. Facebook’s transition to its new system of privacy controls and settings did not go smoothly, apparently, and it was difficult for some users to understand how the new system worked. So maybe we should be glad that the F.T.C. cracked down on Facebook. After all, even Mark Zuckerberg, in a blog post made the same day as the settlement news broke, admitted that Facebook had made “a bunch of mistakes.”
After reading both the complaint and the settlement agreement (which contains the Consent Order), however, I think Facebook made a mistake. This “agreement” is a case of the punishment not fitting the crime — at all. As I said, the various counts of the complaint amount to misrepresentations Facebook allegedly made, either about its privacy policies or about the privacy controls it made available to users. Assuming the allegations were true, I would expect perhaps a fine to be levied, along with a threat of steeper fines in the future, should Facebook make similar misrepresentations.* Indeed, Part I of the Consent Order does say that Facebook “shall not misrepresent in any manner, expressly or by implication,” various things about its privacy policy. But the Order does not stop there. In Parts II-V of the Order we see that Facebook’s penalty, for misrepresentations it “expressly denies” making, is for it to give the F.T.C. total control over the substance of its privacy policies — for the next twenty years!
Part II of the order requires Facebook to get a user’s express consent before allowing the user’s data to be shared with a third party, when such sharing “materially exceeds the restrictions imposed by [the] user’s privacy setting(s).” Part III requires Facebook to make a user’s information, stored on Facebook’s servers, inaccessible to any third party, no longer than thirty days after the user has deleted either the information, or his entire account. But it is Part IV of the Consent Order that constitutes the real power grab by the F.T.C. It requires Facebook to establish a “comprehensive privacy program,” which must be “documented in writing.” The program must “contain controls and procedures appropriate to [Facebook’s] size and complexity, the nature and scope of [Facebook’s] activities,” and so on, as judged by (per Part V of the Order) an “independent third-party professional.” Except that said third-party professional can’t be completely independent: He must be “approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, in his or her sole discretion.” Said “independent third-party professional” is to prepare and submit reports on the substance of Facebook’s privacy policies, every two years for the next twenty years.
As I’ve argued numerous times elsewhere (e.g., here), and as I argue in my forthcoming book on privacy, I believe the best way to provide legal protection for states of privacy is by means of our individual rights to property and contract. In this manner, law would not only recognize how states of privacy are actually created, but it would also allow businesses and individuals the freedom to design privacy policies that suit their needs and preferences. If Facebook wants to set up a social network in which users have virtually no privacy protection for the material they share with others, why not let it? Just let the market decide. What Obama’s F.T.C. has done, via this Consent Order — and similar “agreements” with Twitter and Google — is establish itself as the de facto dictator of privacy policy for the major social media outlets. And it did so without even having to ram unpopular legislation down the throat of the American people, as was done with Obamacare.
I can’t understand why Facebook would have agreed to this, and further, why Zuckerberg would be so effusive about it in the above-linked blog post. The only plausible reason I can think of, is that Facebook was concerned that the government would not allow it to go through with its anticipated IPO. Whether it was for this pragmatic reason, or because Zuckerberg is, as he said in his blog post, truly looking forward to cooperating with big government bureaucracy in the running of his business, he and his partners will get what they deserve.** If the F.T.C. wants to find a way in which Facebook has violated this Consent Order, so that it may take even more control of Facebook’s operations in the future, it will.
MySpace, anyone?
*Of course in an ideal world the F.T.C. would not exist and all this would be done via lawsuits initiated by disgruntled users. But given the current legal context, this is what I would expect.
**Further reading: Sanction of the Victim.
Don't Let It Go 
he is essentially unconscious to big f***ing corrupt gov’t….that’s why they go along with it…..they scarred him…..and he fell for it…
I recommend posting your blog post, or an abbreviated version of it with a link to the full version, on facebook as a response to Zuckerberg’s blog post.
Good suggestion, thanks!
“I can’t understand why Facebook would have agreed to this, and further, why Zuckerberg would be so effusive about it in the above-linked blog post.”
It seems rather obvious to me. When a bully has a gun to your head, you agree to whatever he demands and pretend to like it. Especially when an enormous amount of money is on the line. There is no recourse or justice.
The government is trying every which way it can to muscle in on the Internet, and yes, they will go after the timid hearted who will not stand up for themselves under this type of bullying. Yes, I think FaceBook should warn one beforehand what it will make public, so that one can decided to post or not to post or to have anything to do with FB. However, FB has a reputation of doing that — of suddenly making some post public that one only wanted one’s friends to see. The only real option is to be careful what one posts and keep the private things to oneself on such a website. This is easily done and didn’t need the government getting involved. But, like I said, they want to rule over the internet, especially influential ones that make for good grass roots activism.
This is nothing but a very small victory in the outgoing war of keeping our online data secure.
I would have preffered to see the FTC give a way larger fine to Facebook for all of their “accidents” on privacy!
http://www.vectorash.ro/facebook-settles-with-ftc/