Focusing public attention on emerging privacy and civil liberties issues

In re Facebook

Top News

  • FTC Responds to EPIC Complaint on WhatsApp and Privacy: The Federal Trade Commission has notified Facebook and WhatsApp that they must honor their privacy commitments to users. According to the letter from the Director of the FTC Bureau of Consumer Protection, "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the FTC Act and potentially the FTC's order against Facebook." The FTC letter followed a detailed complaint from EPIC and CDD concerning the privacy implications of the $19B sale to Facebook. WhatsApp had assured users of strong privacy safeguards prior to the sale. The FTC letter concludes "hundreds of millions of users have entrusted their personal information to WhatsApp. The FTC staff continue to monitor the companies' practices to ensure that Facebook and WhatsApp honor the promises they have made to those users." For more information, see EPIC: In re: WhatsApp, EPIC: In re: Facebook and EPIC: Federal Trade Commission. (Apr. 10, 2014)
  • Federal Trade Commission Backs Users in Facebook Privacy Case: The FTC has filed an amicus brief in a case before a federal appeals court concerning Facebook users. If a controversial settlement is approved, Facebook will display the images of users, including young children, in Facebook advertising without consent. Several Facebook users formally objected to the plan, arguing that it would violate state laws. A children's advocacy organization also objected, stating that the "settlement is actually worse than no settlement." The FTC brief explains that state privacy laws do prevent the display of children's images without consent. EPIC also filed an amicus brief in support of the users, explaining that the settlement is unfair and should be rejected. EPIC and a coalition of consumer privacy organizations filed an extensive complaint with the Federal Trade Commission that eventually required Facebook to improve its privacy practices. For more information, see EPIC: In re Facebook and EPIC: Fraley v. Facebook. (Mar. 21, 2014)
  • WhatsApp Founder Responds to EPIC Privacy Complaint: Following Facebook's announced plan to purchase WhatsApp, a popular pro-privacy messaging services, EPIC urged the FTC to block the acquisition. EPIC explained to the Commission that Facebook incorporates user data from companies it acquires, and that WhatsApp users objected to the acquisition. WhatsApp founder Jan Koum has now published a blog post in response to the EPIC Complaint. Koum wrote, "Above all else, I want to make sure you understand how deeply I value the principle of private communication. For me, this is very personal." He added, "Make no mistake: our future partnership with Facebook will not compromise the vision that brought us to this point." For more information, see EPIC: In re WhatsApp, EPIC: Federal Trade Commission, and EPIC: In re Facebook. (Mar. 18, 2014)
  • EPIC Urges FTC Investigation of WhatsApp Sale to Facebook: EPIC has filed a complaint to the Federal Trade Commission concerning Facebook's proposed purchase of WhatsApp. WhatsApp is a messaging service that gained popularity based on its strong pro-privacy approach to user data. WhatsApp currently has 450 million active users, many of whom have objected to the proposed acquisition. Facebook regularly incorporates data from companies it has acquired.The Federal Trade Commission has previously responded favorably to EPIC complaints concerning Google Buzz, Microsoft Passport, Changes in Facebook Privacy Settings, and Choicepoint security practices. However, the FTC approved Google's acquisition of Doubleclick over EPIC's objection. Facebook is currently under a 20 year consent decree from the FTC that requires Facebook to protect user privacy and to comply with the US-EU Safe Harbor guidelines. For more information, see EPIC: In re Google Buzz, EPIC: Microsoft Passport, EPIC: In re Facebook, and Privacy? Proposed Google/DoubleClick Merger. (Mar. 6, 2014)
  • EPIC Files Amicus Brief in Facebook Consumer Privacy Case, Urges Rejection of Settlement: EPIC has filed a amicus brief urging a federal appeals court to overturn a controversial consumer privacy settlement. If the Fraley v. Facebook settlement is approved, Facebook will display the images of Facebook users, including young children, for commercial endorsement without consent. Facebook users opposed "Sponsored Stories" and several have formally objected to the settlement, including a children's advocacy organization which said that the "settlement is actually worse than no settlement." The MacArthur Foundation also withdrew stating it should not have been designated to receive funds. EPIC's amicus brief in support of the objectors explains that the settlement is unfair to Facebook users and should be rejected. EPIC also notes that Chief Justice Roberts expressed concerns about a similar privacy settlement involving Facebook. EPIC and a coalition of consumer privacy organizations filed an extensive complaint with the Federal Trade Commission that eventually required Facebook to improve its privacy practices. For more information, see EPIC: In re Facebook and EPIC: Fraley v. Facebook. (Feb. 21, 2014)
  • Instagram Retreats on Changes to Terms of Service, Cites User Opposition: Instagram announced that it would withdraw proposed changes to its terms of service announced earlier this week. Instagram backed off a plan to use the names, images, and photos of users for advertising purposes, pleading instead to "complete our plans, and then come back to our users and explain how we would like for our advertising business to work." Instagram's parent company, Facebook, is bound by the terms of a settlement with the Federal Trade Commission, initiated in 2009 by EPIC and other consumer privacy organizations, that prohibits the company from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. A recent letter to Facebook CEO Mark Zuckerberg from EPIC and the Center for Digital Democracy warned that Facebook's proposed changes would adversely affect Instagram users. For more information, see EPIC: Facebook, EPIC: In re Facebook, and EPIC: FTC. (Dec. 21, 2012)
  • Facebook Updates Privacy Controls, Removes Profiles Safeguard: Facebook announced changes to its privacy controls and the privacy settings of its users. The changes include settings that allow users to choose which information apps can access and disclose, and a privacy shortcuts menu. But Facebook also removed an option that allowed users to hide themselves from strangers through Facebook’s search function. The changes follow an election conducted by Facebook in which 88 percent of voters opposed changing the privacy policy and voting rights of users. EPIC previously wrote to the Federal Trade Commission regarding the blanket disclosure features of certain apps and the proposal to end the voting part of the site governance process Facebook. Facebook is currently subject to a settlement with the FTC over privacy violations. For more information, see EPIC: Facebook and EPIC: In re Facebook. (Dec. 13, 2012)
  • Judge Rejects Settlement in Facebook "Sponsored Stories" Case: A federal judge has rejected a proposed settlement in a class-action lawsuit about Facebook's unapproved use of user images for advertising purposes. The judge, who had previously expressed skepticism about the terms of the settlement, wrote that the plaintiffs had not justified the lack of direct monetary payments to Facebook users, nor had they explained how users will receive an economic benefit from being able to opt out of future endorsements. EPIC and several consumer privacy organizations opposed the settlement, saying that there was little benefit to Facebook users and that the cy pres allocation was not aligned with the interests of the class. In 2009 and 2010 EPIC and a coalition of consumer privacy organizations brought a successful complaint to the Federal Trade Commission that resulted in a significant consent order. In a letter to the court following the recent court order, EPIC explained that the FTC settlement had produced far greater benefits for Facebook users. For more information, see EPIC: In re Facebook. (Aug. 21, 2012)
  • FTC Finalizes Settlement with Facebook: The Federal Trade Commission has finalized the terms of a settlement with Facebook first announced in November of 2011. The settlement follows from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010 over Facebook’s decision to change its users' privacy settings in a way that made users' personal information more widely available to the public and to Facebook's business partners. The settlement bars Facebook from changing privacy settings without the affirmative consent of users or misrepresenting the privacy or security of users' personal information. In comments filed with the FTC, EPIC recommended strengthening the settlement by requiring Facebook to restore the privacy settings users had in 2009; giving users access to all of the data that Facebook keeps about them; preventing Facebook from creating facial recognition profiles without users’ consent; and publicizing the results of the government privacy audits. Although the FTC decided to adopt the settlement without any modifications, in a response to EPIC, the Commission said that facial recognition data is included within the settlement's definition of "covered information," that the audits would be publicly available to the extent permitted by law, and that the terms of the settlement "are broad enough to address misconduct beyond that expressly challenged in the complaint." Commissioner Rosch dissented from the final settlement, citing concerns that the provisions might not adequately cover deceptive statements made by Facebook apps. For more information, see EPIC: In re Facebook, and EPIC: Federal Trade Commission. (Aug. 10, 2012)
  • Judge Skeptical of Facebook Settlement: At a preliminary hearing on a proposed settlement involving Facebook "sponsored stories," Judge Seeborg expressed skepticism about the deal, wondering if there was any actual benefit to Facebook users. The deal, which had been endorsed by some groups funded by Facebook, was opposed by EPIC and several consumer privacy organizations. In 2009, EPIC and a coalition of consumer privacy organizations brought a successful complaint to the FTC that resulted in a significant consent order. For more information, see In re Facebook. (Aug. 3, 2012)

EPIC's Complaint in the News

Background

Facebook

Facebook is a social networking site founded in 2004 by Harvard student Mark Zuckerberg. The site “connects people with friends and others who work, study and live around them.” As of December 2009, Facebook has nearly 150 million users in the United States.

Facebook Platform

Facebook offers a service called Facebook Platform, referred to as “Facebook-enhanced” applications. Facebook Platform “enables anyone to build social applications on Facebook and the web” in order to “make the web more open and social.” The Facebook Platform allows Facebook to transfer user personal data to other entities without their knowledge or meaningful consent.

Facebook and Privacy

Facebook has had a controversial history with respect to privacy. In 2006, Facebook launched a feature called “News Feed” which allowed users to track their friends’ Facebook updates and activity in real time. Within 24 hours, hundreds of thousands of the site’s users protested the feature. One Facebook group, “Students against Facebook News Feed” grew to 284,000 members within just a few days. As a result of the widespread protest, Mark Zuckerberg wrote an open letter to Facebook users, apologizing for doing a “bad job of explaining what the new features were and an even worse job of giving you control of them." Facebook then updated its privacy settings to allow for more user control over the News Feed Feature.

In 2007, Facebook launched Facebook Beacon, which allowed a Facebook user’s purchases to be publicized on their friends’ News Feed after transacting with third-party sites. Users were unaware that such features were being tracked, and the privacy settings originally did not allow users to opt out. As a result of widespread criticism, Facebook Beacon was shut down in 2009.

In February 2009, Facebook changed its Terms of Service. The new TOS allowed Facebook to use anything a user uploads to the site for any purpose, at any time, even after the user ceased to use Facebook. Further, the TOS did not provide for a way that users could completely close their account. Rather, users could “deactivate” their account, but all the information would be retained by Facebook, rather than deleted. EPIC planned to file an FTC complaint, alleging that the new Terms of Service violated the FTC Act Section 5, and constituted “unfair and deceptive trade practices.” In response to this planned complaint, and user criticism, Facebook returned to its previous Terms of Service.

Privacy Settings Update

In response to a complaint prompted by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) and submitted to Canadian Privacy Commissioner Jane Stoddart, Facebook announced plans to change its privacy policies and settings to provide for more user control over information and stronger privacy settings for its users. The changes were introduced in November 2009, and each Facebook user was prompted to review and update his privacy settings. Facebook also made changes to its privacy settings, which included making certain information, such as name, gender, friends lists, and current city, publicly available, with no option to limit searchability. Facebook submitted a complaint to the Federal Trade Commission, alleging that Facebook engages in unfair and deceptive trade practices. The complaint "urges the Commission to investigate Facebook, determine the extent of the harm to consumer privacy and safety, require Facebook to restore privacy settings that were previously available as detailed below, require Facebook to give users meaningful control over personal information, and seek appropriate injunctive and compensatory relief." For more information, visit EPIC's FAQ page on Facebook's new privacy settings.

EPIC's FTC Complaint

EPIC’s FTC complaint is signed by a number of other organizations, including the American Library Association, the Center for Digital Democracy, the Consumer Federation of America, FoolProof Financial Education, Patient Privacy Rights, Privacy Activism, the Privacy Rights Now Coaltion, the Privacy Rights Clearinghouse, and the U.S. Bill of Rights Foundation. The complaint highlights several aspects of Facebook’s recent changes that threaten its users’ privacy. The complaint focuses on the unfair and deceptive trade practices of Facebook with respect to sharing of user information with third-party application developers. First, the complaint argues that Facebook’s mandatory disclosure of information is an unfair practice. Second, the complaint argues that Facebook’s policies regarding third-party developers are misleading and deceptive.

Facebook now requires mandatory disclosure of certain information. The site automatically makes some user information available to the public, including to third-party developers, without offering users a choice to opt-out. The new Facebook privacy policy states that “certain categories of information . . . are considered publicly available to everyone, including Facebook-enhanced applications, and therefore do not have privacy settings.” In other words, users cannot control who can view certain types of information and cannot prevent third-party applications from viewing certain types of information. These changes were made despite previous representations by the company acknowledging their understanding that its users “may not want everyone in the world to have the information you share on Facebook.” The Chief Privacy Officer of Facebook testified in June 2009, “Users have extensive and precise controls available to choose who sees what among their networks and friends, as well as tools that give them the choice to make a limited set of information available to search engines and other outside entities.” According to the new Facebook policies, however, users no longer have the choice to make certain information available - it is mandatory, and users cannot opt out of allowing certain information to be publicly searchable.

EPIC’s complaint argues that policies regarding third-party developers are unclear and confusing. Further, the updated privacy policy provides for more sharing of information, and less user control over information. Third-party applications on Facebook have access to user information at the moment a user accesses an application website. According to Facebook, “to help those applications and sites operate, they receive publicly available information automatically when you visit them, and additional information when you formally authorize or connect your Facebook account with them.” Facebook explains that some information is automatically set to “Everyone,” which means the information is publicly available. According to Facebook’s privacy policy, you can “choose to opt-out of Facebook Platform and Facebook Connect altogether through your privacy settings.” Under Facebook’s new privacy settings, Facebook represents that users have control over what types of information a friend’s application can access.

Facebook does not allow for an easy way to opt out of Facebook Platform, or opt out of having information shared when a friend uses an application. Even when a user unchecks all boxes, which should prohibit applications from accessing any user data, Facebook notes that “applications will always be able to access your publicly available information (Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages) and information that is visible to Everyone.” Therefore, the “Everyone” setting overrides the settings a user chooses for third-party applications and websites.

Under Facebook’s previous privacy settings, Facebook allowed for more control over personal information. Facebook users were able to choose not to share “any information about me” to third-party application developers. This opt-out button is no longer available under Facebook’s new privacy settings.

FTC Authority to Act

The FTC's primary enforcement authority with regards to privacy is derived from 15 U.S.C. ยง 45, commonly known as section 5 of the Federal Trade Commission Act (FTCA). Section 5 of the FTCA allows the FTC to investigate "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce." This law provides a legal basis for the FTC to regulate business activities that threaten consumer privacy.

Legal Documents

News Stories and Blog Items

Frequently Asked Questions

For more information, visit EPIC's FAQ page on Facebook's new privacy settings.