In re Facebook

• EPIC's Complaint in the News |
• Background |
• EPIC’s FTC Complaint |
• FTC’s Authority to Act |
• Legal Documents |
• News Stories and Blog Items |
• Frequently Asked Questions |
• In re Facebook II

Top News

• Court Rules D.C. Attorney General's Lawsuit Against Facebook Will Proceed: The D.C. Superior Court denied Facebook's motion to dismiss the complaint filed by D.C. Attorney General over the privacy practices that led to Cambridge Analytica. The D.C. Attorney General alleged that Facebook failed to monitor third-party use of personal data and failed to ensure users' data was deleted. The lawsuit seeks financial penalties, and an injunction to establish safeguards to protect users' data. The court ruled that the case could proceed because "District of Columbia residents' widespread utilization of, and repeated exchange of personal information through Facebook's online social networking service, constitute 'transactions.'" EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order. Facebook anticipates a $3-5 billion fine from the FTC. (Jun. 3, 2019)
• Facebook Anticipates $3B-$5B Fine: According to news reports, Facebook has budgeted $3 billion for in its first-quarter earnings report, saying it expected the FTC to fine the company between $3-$5 billion. In January, EPIC and a coalition of consumer and civil rights groups sent a letter to the FTC calling on the Commission to enforce the order against Facebook by 1) imposing substantial fines; 2) establishing structural remedies; 3) requiring compliance with Fair Information Practices; 4) reforming hiring and management practices; and 5) restoring democratic governance. Also, EPIC's Freedom of Information Act request revealed that there are there are over 26,000 complaints pending against Facebook. In the eight years since the FTC announced the consent order barring Facebook from making any misrepresentation about user privacy, the FTC has not taken a single enforcement action against the company. EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order. (Apr. 26, 2019)
• Senator Blumenthal Calls on FTC to Unwind Big Tech Mergers: In a Senate Judiciary Committee hearing earlier this week, Senator Richard Blumenthal said that antitrust enforcers must consider unwinding anticompetitive mergers. “Over the past decade tech companies have in effect been given a free pass by antitrust regulators,” Senator Blumenthal said. "Facebook perhaps should never been allowed to acquire Instagram, Google to acquire DoubleClick. I have come to the conclusion that maybe post merger, some of these transactions should be challengeable, rarely done, but still challengeable, especially when the merger is approved on conditions that are then violated.” Earlier this year, EPIC joined a coalition of groups urging the FTC to unwind the Facebook-WhatsApp merger, citing promises the companies made at time of the merger. (Mar. 7, 2019)
• Senators Urge FTC to Act Against Facebook: In a letter to the Federal Trade Commission, Senators Ed Markey and Richard Blumenthal pushed the Commission to take swift action against Facebook, despite the government shutdown. "While we have repeatedly expressed concerns about the pace of this investigation, we fear that the current government shutdown further threatens the FTC's ability to complete this investigation," the Senators wrote. "When Americans' privacy is breached, they deserve a speedy and effective response." The letter comes nearly ten months after the FTC announced it would reopen an investigation into Facebook after EPIC's urging. Since then, EPIC has urged the Commission to act and has repeatedly highlighted Facebook's violations of the 2011 consent order in statements to Congress. The 2011 consent order followed an extensive complaint filed by EPIC and a coalition of consumer privacy organizations in 2009. (Jan. 18, 2019)
• In Facebook Case, Ninth Circuit Ignores Privacy Risks of Visits to Healthcare Websites: In a surprisingly brief opinion, the Ninth Circuit has upheld a decision to dismiss a privacy suit against Facebook concerning the collection of sensitive medical data. In Smith v. Facebook, users alleged that the company tracked their visits to healthcare websites, in violation of the websites' explicit privacy policies. In a little less than five pages, the Ninth Circuit decided that Facebook was not bound by the promises made not to disclose users' data to Facebook because Facebook has a provision, buried deep in its own policy, that allows Facebook to secretly collect such data. The court actually wrote that searches for medical information are not sensitive because the "data show only that Plaintiffs searched and viewed publicly available health information..." EPIC filed an amicus brief in the case, arguing that "consent is not an acid rinse that dissolves common sense." In 2011 Facebook settled charges with the FTC that it routinely changed the privacy settings of users to obtain sensitive personal data. The consent order resulted from detailed complaints brought by EPIC and several other consumer organizations. (Dec. 7, 2018)
• Facebook's Response to Congress Provides More Evidence of Consent Order Violations: Late Friday afternoon, Facebook submitted over 700 pages of responses to questions from members of Congress following Mark Zuckerberg's testimony in April. Facebook has now admitted that it provided developers and device makers access to personal data despite publicly stating that it had discontinued the practice. In April EPIC submitted a detailed letter to Congress, explaining that the Cambridge Analytica breach could have been avoided if the FTC had enforced the 2011 Consent Order. That Consent Order was the result of extensive complaints EPIC and consumer organizations filed with the FTC in 2009 and 2010. In March, the Acting Director of the FTC stated "Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook." In a recent memo, FTC Commissioner Rohit Chopra stated that "FTC orders are not suggestions." (Jul. 2, 2018)
• EPIC Urges Appeals Court to Protect Consumers Against Invasive Cookie Tracking Practices: EPIC has filed an amicus brief with the Ninth Circuit Court of Appeals in In re: Facebook, Inc. Internet Tracking Litigation. At issue is whether Facebook violated the privacy rights of users by tracking their web browsing even after they logged out of the platform. EPIC explained that cookies "no longer serve the interests of users" and instead "tag, track, and monitor users across the Internet." EPIC said a lower court wrongly concluded that users should develop countermeasures to assert their privacy rights. EPIC responded that it would be absurd to expect users to compete in a "technical arms race" when "Facebook's tracking techniques are designed to escape detection and the company routinely ignores users' privacy protections." EPIC first identified the privacy risks of cookie tracking in a 1997 report "Surfer Beware: Personal Privacy and the Internet." EPIC frequently participates as amicus curiae in consumer privacy cases, including hiQ Labs v. LinkedIn and Eichenberger v. ESPN. (Jun. 27, 2018)
• US Consumer Groups Urge FTC To Examine 'Deceived by Design' Practices: EPIC and a coalition of consumer organizations sent a letter to the FTC about recent tactics by Facebook and Google to trick users into disclosing personal data. "We urge you to investigate the misleading and manipulative tactics of the dominant digital platforms in the United States, which steer users to 'consent' to privacy-invasive default settings," the letter states. The letter highlights a report by the Norwegian Consumer Council entitled "Deceived by Design," which details how companies employ numerous tricks and tactics to nudge users into selecting the least privacy-friendly options. EPIC and consumer privacy organizations previously filed complaints with the FTC when Facebook undermined users' privacy settings and Google automatically opted users into Google Buzz. In both cases, the FTC determined that the companies had engaged in "unfair and deceptive trade practices." Both Facebook and Google settled with the FTC and were then subject to 20 year consent orders that were intended to prevent the companies from engaging in similar practices in the future. (Jun. 27, 2018)
• At Senate Hearing, Former FTC CTO States That Facebook Violated FTC Consent Order: In a Senate Commerce Committee hearing today on Facebook and data privacy, former FTC CTO Ashkan Soltani stated that Facebook violated the 2011 FTC Consent Order by transferring personal data to Cambridge Analytica and device makers contrary to user privacy expectations. Soltani said that Facebook continued to misrepresent the extent to which users could control their privacy settings and allowed device makers to override users' privacy settings. Senator Blumenthal and other members of Congress had previously said the company violated the Consent Order, which was the result of complaints filed by EPIC in 2009 and 2010. In a statement to the Committee in advance of the hearing, EPIC urged the Senate to focus on the FTC's failure to enforce the Consent Order with Facebook. (Jun. 19, 2018)
• EPIC Urges Senate Committee to Focus on Consent Order with Facebook: EPIC has sent a statement to the Senate Commerce Committee outlining the FTC's failure to enforce the 2011 Consent Order with Facebook. The statement from EPIC is for a hearing on "Cambridge Analytica and Other Facebook Partners: Examining Data Privacy Risks." In 2009, EPIC and several consumer groups pursued a complaint, containing detailed evidence, legal theories, and proposed remedies to address growing concerns about Facebook's data practices. The FTC established a Consent Order in 2011, but failed to enforce the Order even after EPIC sued the agency in a related matter. In the statement to the Senate this week, EPIC contends that the FTC could have prevented the Cambridge Analytica debacle and Facebook's secret arrangements with device makers if the agency enforced the 2011 Order. (Jun. 19, 2018)

EPIC's Complaint in the News

• Notable Commentary on EPIC's Facebook Complaint
• Chloe Albanesius, FTC Examines Privacy Complaint Against Facebook, PC Mag (January 19, 2010).
• Peter Kafka, Feds to Facebook Privacy Critics: Let's Talk, All Things Digital (January 19, 2010).
• John Letzing, FTC has 'particular interest' in Facebook Privacy, MarketWatch (January 19, 2010).
• Frank Reed, Facebook Gets the Attention of the FTC, Marketing Pilgrim (January 19, 2010).
• Wendy Davis, FTC Probes Facebook's EPIC Privacy Fail, Mediapost (January 18, 2010).
• Benny Evangelista, As Facebook Thrives, Does Privacy Have to Fade?, San Francisco Chronicle (December 30, 2009).
• Scott Duke Harris, Facebook: Social Networking Giant Extends Reach, Plans to Grow More in 2010, Chicago Tribune (December 24, 2009).
• Jacqui Cheng, FTC Complaint says Facebook's Privacy Changes are Deceptive, Ars Technica (December 21, 2009).
• Rahul Chatterjee, Facebook Faces Privacy Backlash with FTC Complaint, EBrandz (December 21, 2009).
• Jenna Greene, Privacy Advocates Target Facebook, Law.com (December 21, 2009).
• Lesly Simmons, EPIC Files FTC Complaint against Facebook over Latest Privacy Changes, BlackWeb 2.0 (December 21, 2009).
• Brian Prince, Facebook Privacy: Just How Much do Users Want?, eWeek (December 20, 2009).
• Wendy Grossman, Little Black Facebook, Pelican Crossing (December 19, 2009).
• Mark Hefflinger, Privacy Groups File FTC Complaint over Changes to Facebook, Digital Media Wire (December 18, 2009).
• Alexei Oreskovic, Facebook Privacy Backlash in FTC's Hands, Reuters (December 18, 2009).
• Lalee Sadighi, Facebook Faces FTC Complaint, Red Herring (December 18, 2009).
• Justin Sorkin, EPIC Complains to FTC about Facebook's Changes to Privacy Policy, Top News (December 18, 2009).
• Lora Bentley, Watchdog Files FTC Complaint on Facebook Privacy Changes, IT Business Edge (December 17, 2009).
• Larry Dignan, Privacy Groups File Complaint with FTC over Facebook Settings, ZDNet (December 17, 2009).
• Fox 5 Top 5, Fox 5 News (December 17, 2009).
• Kashmir Hill, Did Facebook Break the Law when it Changed Privacy Settings?, True Slant (December 17, 2009).
• Tim Jones, The World Reacts to the New Facebook, EFF News Roundup (December 17, 2009).
• Peter Kafka, Next Step in Facebook Privacy Blowback: The FTC Complaint. The Real Question: Will Advertisers Care?, All Things Digital (December 17, 2009).
• Scott Kleinberg, Privacy has Facebook in Hot Water, Chicago Now (December 17, 2009).
• Richard Koman, FTC Complaint Escalates Facebook's Privacy Woes, Newsfactor (December 17, 2009).
• John Letzing, Privacy Groups File FTC Complaint against Facebook, MarketWatch (December 17, 2009).
• Paul McDougall, Facebook Hit with FTC Complaint, InformationWeek (December 17, 2009).
• Robert McMillan, Privacy Groups Bring Facebook Complaints to FTC, Computerworld (December 17, 2009).
• Barbara Ortutay, Privacy Watchdog Files Complaint against Facebook, Washington Post (December 17, 2009).
• Privacy Groups Complain to FTC about Facebook, Silicon Valley/San Jose Business Journal (December 17, 2009).
• JC Raphael, Facebook Privacy Complaint Ignites War of Words, PC World (December 17, 2009).
• Mark Sachoff, Privacy Group Files FTC Complaint about Facebook, WebProNews (December 17, 2009).
• Ryan Singel, Facebook Privacy Changes Break the Law, Privacy Groups Tell FTC, Wired (December 17, 2009).
• EPIC files FTC Complaint over Facebook's New Privacy Policy, Slashdot (December 17, 2009).
• Brad Stone, Privacy Group Files Complaint on Facebook Changes, N.Y. Times (December 17, 2009).
• Berin Szoka, Facebook Privacy Controls Change & EPIC's FTC Complaint, The Technology Liberation Front (December 17, 2009).
• Joseph Tartakoff, Groups File Complaint with FTC over Facebook's New Privacy Settings, paidContent (December 17, 2009).
• Jessica Vascellaro, Privacy Groups File Complaint on Facebook to FTC, Wall Street Journal (December 17, 2009).
• Mark Walsh, Follow the Bouncing Valuation, MediaPost (December 17, 2009).

Background

Facebook

Facebook is a social networking site founded in 2004 by Harvard student Mark Zuckerberg. The site “connects people with friends and others who work, study and live around them.” As of December 2009, Facebook has nearly 150 million users in the United States.

Facebook Platform

Facebook offers a service called Facebook Platform, referred to as “Facebook-enhanced” applications. Facebook Platform “enables anyone to build social applications on Facebook and the web” in order to “make the web more open and social.” The Facebook Platform allows Facebook to transfer user personal data to other entities without their knowledge or meaningful consent.

Facebook and Privacy

Facebook has had a controversial history with respect to privacy. In 2006, Facebook launched a feature called “News Feed” which allowed users to track their friends’ Facebook updates and activity in real time. Within 24 hours, hundreds of thousands of the site’s users protested the feature. One Facebook group, “Students against Facebook News Feed” grew to 284,000 members within just a few days. As a result of the widespread protest, Mark Zuckerberg wrote an open letter to Facebook users, apologizing for doing a “bad job of explaining what the new features were and an even worse job of giving you control of them." Facebook then updated its privacy settings to allow for more user control over the News Feed Feature.

In 2007, Facebook launched Facebook Beacon, which allowed a Facebook user’s purchases to be publicized on their friends’ News Feed after transacting with third-party sites. Users were unaware that such features were being tracked, and the privacy settings originally did not allow users to opt out. As a result of widespread criticism, Facebook Beacon was shut down in 2009.

In February 2009, Facebook changed its Terms of Service. The new TOS allowed Facebook to use anything a user uploads to the site for any purpose, at any time, even after the user ceased to use Facebook. Further, the TOS did not provide for a way that users could completely close their account. Rather, users could “deactivate” their account, but all the information would be retained by Facebook, rather than deleted. EPIC planned to file an FTC complaint, alleging that the new Terms of Service violated the FTC Act Section 5, and constituted “unfair and deceptive trade practices.” In response to this planned complaint, and user criticism, Facebook returned to its previous Terms of Service.

Privacy Settings Update

In response to a complaint prompted by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) and submitted to Canadian Privacy Commissioner Jane Stoddart, Facebook announced plans to change its privacy policies and settings to provide for more user control over information and stronger privacy settings for its users. The changes were introduced in November 2009, and each Facebook user was prompted to review and update his privacy settings. Facebook also made changes to its privacy settings, which included making certain information, such as name, gender, friends lists, and current city, publicly available, with no option to limit searchability. Facebook submitted a complaint to the Federal Trade Commission, alleging that Facebook engages in unfair and deceptive trade practices. The complaint "urges the Commission to investigate Facebook, determine the extent of the harm to consumer privacy and safety, require Facebook to restore privacy settings that were previously available as detailed below, require Facebook to give users meaningful control over personal information, and seek appropriate injunctive and compensatory relief." For more information, visit EPIC's FAQ page on Facebook's new privacy settings.

EPIC's FTC Complaint

EPIC’s FTC complaint is signed by a number of other organizations, including the American Library Association, the Center for Digital Democracy, the Consumer Federation of America, FoolProof Financial Education, Patient Privacy Rights, Privacy Activism, the Privacy Rights Now Coaltion, the Privacy Rights Clearinghouse, and the U.S. Bill of Rights Foundation. The complaint highlights several aspects of Facebook’s recent changes that threaten its users’ privacy. The complaint focuses on the unfair and deceptive trade practices of Facebook with respect to sharing of user information with third-party application developers. First, the complaint argues that Facebook’s mandatory disclosure of information is an unfair practice. Second, the complaint argues that Facebook’s policies regarding third-party developers are misleading and deceptive.

Facebook now requires mandatory disclosure of certain information. The site automatically makes some user information available to the public, including to third-party developers, without offering users a choice to opt-out. The new Facebook privacy policy states that “certain categories of information . . . are considered publicly available to everyone, including Facebook-enhanced applications, and therefore do not have privacy settings.” In other words, users cannot control who can view certain types of information and cannot prevent third-party applications from viewing certain types of information. These changes were made despite previous representations by the company acknowledging their understanding that its users “may not want everyone in the world to have the information you share on Facebook.” The Chief Privacy Officer of Facebook testified in June 2009, “Users have extensive and precise controls available to choose who sees what among their networks and friends, as well as tools that give them the choice to make a limited set of information available to search engines and other outside entities.” According to the new Facebook policies, however, users no longer have the choice to make certain information available - it is mandatory, and users cannot opt out of allowing certain information to be publicly searchable.

EPIC’s complaint argues that policies regarding third-party developers are unclear and confusing. Further, the updated privacy policy provides for more sharing of information, and less user control over information. Third-party applications on Facebook have access to user information at the moment a user accesses an application website. According to Facebook, “to help those applications and sites operate, they receive publicly available information automatically when you visit them, and additional information when you formally authorize or connect your Facebook account with them.” Facebook explains that some information is automatically set to “Everyone,” which means the information is publicly available. According to Facebook’s privacy policy, you can “choose to opt-out of Facebook Platform and Facebook Connect altogether through your privacy settings.” Under Facebook’s new privacy settings, Facebook represents that users have control over what types of information a friend’s application can access.

Facebook does not allow for an easy way to opt out of Facebook Platform, or opt out of having information shared when a friend uses an application. Even when a user unchecks all boxes, which should prohibit applications from accessing any user data, Facebook notes that “applications will always be able to access your publicly available information (Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages) and information that is visible to Everyone.” Therefore, the “Everyone” setting overrides the settings a user chooses for third-party applications and websites.

Under Facebook’s previous privacy settings, Facebook allowed for more control over personal information. Facebook users were able to choose not to share “any information about me” to third-party application developers. This opt-out button is no longer available under Facebook’s new privacy settings.

FTC Authority to Act

The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. § 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.

Legal Documents

• EPIC's Supplemental Complaint in In re Facebook (filed January 14, 2010).
• EPIC's FTC Complaint in In re Facebook (filed December 17, 2009).
• Federal Trade Commission, ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress (December 6, 2006).
• United States v. ChoicePoint, No. 06-CV-0198 (N.D. Ga. Feb. 10, 2006).
• Federal Trade Commission, Microsoft Settles FTC Charges alleging False Security and Privacy Provisions (August 8, 2002).
• In re Microsoft Corp. (Fed. Trade Comm'n Dec. 20, 2002).
• Federal Trade Commission: Section 5 Enforcement Actions

News Stories and Blog Items

• Jason Kincaid, Facebook Suggests You Lie, Break Its Own Terms Of Service To Keep Your Privacy, Washington Post (December 16, 2009).
• Julia Angwin, How Facebook Is Making Friending Obsolete, Wall Street Journal (December 15, 2009).
• Taylor Buley, Facebook's Privacy Success, Forbes (December 15, 2009).
• Ed Felten, Another Privacy Misstep from Facebook, Freedom to Tinker Blog (December 14, 2009).
• Brian Prince, 7 Facebook Privacy Facts to Remember, eWeek (December 13, 2009).
• Shelly Palmer, Facebook Privacy: An Oxymoron, Shelly Palmer Blog (December 13, 2009).
• Ian Paul, Facebook's Privacy Settings: 5 Things You Should Know, ABC News (December 12, 2009).
• Brian Womack, Facebook's New Information-Sharing Options Attract Criticism, Bloomberg (December 12, 2009).
• Joseph Bonneau, Facebook Tosses Graph Privacy into the Bin (December 11, 2009).
• E.B. Boyd, The Week in Privacy: Google and Facebook Fall on their Faces, Bay Newser (December 11, 2009).
• Larry Downes, Note to Silicon Valley: How Not to Manage Privacy, CNet (December 11, 2009).
• Scott Fulton, Google, Facebook, and our Privacy: We're All in Denial, BetaNews (December 11, 2009).
• David Gelles, Facebook Draws Criticism for Privacy Changes, Financial Times (December 11, 2009).
• Riva Richmond, The New Facebook Privacy Settings: A How-To, N.Y. Times Blog (December 11, 2009).
• Danny Sullivan, Now Is It Facebook’s Microsoft Moment? (December 11, 2009).
• Graham Cluley, Facebook privacy settings: What you need to know (December 10, 2009).
• Facebook Faces Criticism on Privacy Change, BBC News (December 10, 2009).
• Facebook Unveils Privacy Changes, CNN (December 10, 2009).
• Gemma Fox, Facebook Faces Widespread Criticism Over Privacy Changes, Digital Journal (December 10, 2009).
• Kashmir Hill, Either Mark Zuckerberg got a whole lot less private or Facebook’s CEO doesn’t understand the company’s new privacy settings, True Slant (December 10, 2009).
• Stefanie Hoffman, Facebook Info Exposed on Web with 'Everyone' Setting, Channel Web (December 10, 2009).
• Renay San Miguel, Facebook App Devs Can See Your Privacy Parts, Tech News World (December 10, 2009).
• Patrick Miller, Protect Your Privacy Settings with the New Facebook Settings, PC World (December 10, 2009).
• Rafe Needleman, How to Fix Facebook's New Privacy Settings, CNet (December 10, 2009).
• Ryan Singel, Facebook Will Never Get Privacy Right, ZD Net (December 10, 2009).
• Robert McMillan, Facebook Privacy Changes Draw Mixed Reviews, Computer World (December 9, 2009).
• Jennifer Leggio, New Privacy, Schmivacy - Facebook Photo Tagging Still a Big Fail, ZD Net (December 2, 2009).
• Brett Levy and Claudia Morales, TechBytes: Facebook Privacy Changes, ABC News (December 2, 2009).
• Katherine Noyes, Facebook Hones Privacy Settings, Scraps Regional Networks, Tech News Crunch (December 2, 2009).
• Jason Kincaid, Facebook to Roll out New Privacy Controls to its 350 Million Users, Kills Regional Networks, Washington Post (December 1, 2009).
• Caroline McCarthy, Facebook Ratchets Up Privacy Controls (Again), CNet (August 27, 2009).

Frequently Asked Questions

For more information, visit EPIC's FAQ page on Facebook's new privacy settings.