Facebook should thank FTC for privacy settlement

This post first appeared in the San Jose Mercury News

by Larry Magid

Facebook CEO Mark Zuckerberg ought to consider adding members of the Federal Trade Commission to his holiday gift list. They wouldn’t be allowed to accept his gratuities, but he certainly owes them a great big thank-you for the settlement announced last week that will, among other things, require Facebook to “not misrepresent itself” when it comes to what information it collects and how it uses it.

The agreement also requires Facebook to obtain user consent before it makes any changes that override existing privacy preferences and to prevent anyone from accessing user content within 30 days if a user cancels his or her account.

The reason Zuckerberg ought to be thankful is the final part of the agreement, which requires Facebook to obtain “independent, third-party audits” that its privacy program “meets or exceeds the requirements of the FTC order,” and to “ensure that the privacy of consumers’ information is protected.”

Those privacy auditors might very well wind up on Zuckerberg’s best-friends list because, assuming Facebook lives up to its agreements, the audits will serve as government verification that it’s being honest about how it treats user information. It’s almost as if the FTC is putting its stamp of approval on Facebook’s future privacy policies.

I’m sure Zuckerberg wasn’t thrilled by the FTC complaint, which accuses the company and its executives of misleading statements. For example, the company is accused of sharing user information with app developers even though the user had restricted that information to “Only Friends” or “Friends of Friends.” The FTC claimed that Facebook apps installed by members were able to gather information on their Facebook friends, even though those friends never gave permission to share their information.

One of the biggest indictments in the complaint is the allegation that Facebook disclosed user information to advertisers despite consistent claims that it never did so. Facebook’s strategy is to deliver targeted ads directly to consumers. If an advertiser wishes to reach 35-year-old married women in Silicon Valley, Facebook will happily display their ad to that demographic, but says it won’t actually turn over the names of those members to the advertisers. Ethics aside, that business model makes sense because Facebook can make a lot more money in the long run by selling ads over and over again than it could by selling names just once.

The FTC points out that Facebook’s stated privacy policy was (and remains): “We don’t share information with advertisers without your consent.” The FTC quoted Facebook Chief Operating Officer Sheryl Sandberg as saying, “We never share your personal information with advertisers. We never sell your personal information to anyone.”

Yet, according to the agency, “In many instances, Facebook has shared information about users with Platform Advertisers by identifying to them the users who clicked on their ads and to whom those ads were targeted.”

My first reaction to that accusation was anger toward Facebook. In some of my columns, I quoted Facebook’s claims that it didn’t sell user information and — at first glance — I felt that I had been used and misled. But I read further and realized that the FTC’s claim was just a restatement of previously published news accounts about how Facebook, MySpace and numerous other websites had accidentally disclosed data to advertisers as a result of a flaw (or feature) in the Internet’s plumbing called a “referrer.”

As the FTC put it, “from at least September 2008 until May 26, 2010, Facebook designed and operated its website such that, in many instances, the User ID for a user who clicked on a Platform Ad was shared with the Platform Advertiser.” What the complaint didn’t say was that the ID was being passed on because browsers automatically pass on that information unless you engineer the service to avoid it.

According to OCLC.org (a nonprofit computer library service), “When the browser requests the new page, it sends along the URL of the previous page.” And when the user ID is part of that URL it gets passed on too, unless the website operator takes steps to avoid it.

In May 2010 Facebook engineer Matt Jones blogged that the company fixed this “unintentional oversight” and designed a redirector that removes the referrer. He also said that, “We have no reason to believe that any advertisers were exploiting this, and doing so would have been a violation of our terms. To our knowledge, none did.”
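To make the mechanism concrete, here is an added example (not Facebook's code and not part of the original column) that models which referrer a browser sends on an ad click and checks whether it exposes the user ID. The URLs, the ID and the `/redirect` path are constructed, and the redirector is assumed to be an intermediate page that starts the onward navigation itself.

```javascript
// Referer a browser sends when navigating from fromUrl to toUrl under a
// referrer policy (simplified from the W3C Referrer Policy rules).
function refererFor(fromUrl, toUrl, policy = 'no-referrer-when-downgrade') {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  from.hash = '';      // fragments and credentials are never sent
  from.username = '';
  from.password = '';
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  const crossOrigin = from.origin !== to.origin;
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'origin':
      return from.origin + '/';
    case 'strict-origin-when-cross-origin': // default in current browsers
      if (downgrade) return null;
      return crossOrigin ? from.origin + '/' : from.href;
    case 'no-referrer-when-downgrade':      // the older default: full URL
      return downgrade ? null : from.href;
    default:
      throw new Error('unsupported policy: ' + policy);
  }
}

// True if the referrer exposes the user ID anywhere in its path or query.
function leaksUserId(referer, userId) {
  return referer !== null && referer.includes(String(userId));
}

// Constructed sample data (not real Facebook URLs or IDs).
const USER_ID = '1234567890';
const profilePage = 'http://social.example/profile.php?id=' + USER_ID + '#wall';
const redirector = 'http://social.example/redirect?ad=42';
const advertiser = 'http://ads.example/landing';

// Direct click: the advertiser receives the page URL, user ID included.
const direct = refererFor(profilePage, advertiser);
// Assumption: the redirector is a page that navigates onward itself. A plain
// HTTP 3xx redirect would carry the original page's referrer through.
const viaRedirector = refererFor(redirector, advertiser);
// The current default policy trims a cross-origin referrer to the origin.
const modern = refererFor(profilePage, advertiser, 'strict-origin-when-cross-origin');

console.log({ direct, viaRedirector, modern });
```

The same `leaksUserId` check can be run over the referrer values recorded in outbound-click logs to confirm that no identifier-bearing URL reaches a third party.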

Going forward, Facebook, along with Google and Twitter, is under federal scrutiny for the next 20 years. That doesn’t mean that users don’t have to worry about privacy — there are still ways that personal information could be passed on to others, and there are privacy and security risks with any platform that supports third-party apps. Plus, there is always the possibility that a government or law enforcement agency could subpoena personal information stored on Facebook’s servers, which is why I recommend that you never post anything online that would get you in trouble if it were made public, regardless of privacy settings.

Disclosure: Larry Magid is co-director of ConnectSafely.org, a non-profit Internet safety organization that receives financial support from Facebook.

 
