Facebook still has incredible control over your data
- Facebook is now required to implement changes that boost consumer transparency, alter the way it shares data with third parties, and increase digital security.
- But privacy advocates don't think the measures go far enough, particularly because they don't impact how Facebook collects and monetize user information.
- Much of the power remains in Facebook's hands, and the new rules don't do anything to change the financial motivation the company has to collect and monetize user data.
- Visit Business Insider's homepage for more stories.
As part of its settlement with the Federal Trade Commission, Facebook will have to make a number of sweeping changes that are designed to boost transparency with its users, revamp the way the firm handles consumer privacy, and hold the social media giant accountable for its decisions.
But some privacy advocates aren't convinced the FTC's measures go far enough when it comes to protecting user data and changing the circumstances that led to Facebook's previous privacy mishaps in the first place.
As a result of the settlement, Facebook must exercise greater oversight over third-party apps that plug into its platform. It's also prohibited from using phone numbers gathered for security purposes for advertising purposes, required to provide clear and conspicuous notice when facial recognition is being used, and it must establish and maintain a comprehensive data-security program, among other requirements.
But the changes that the FTC is requiring Facebook to make won't sufficiently safeguard consumers for three key reasons, the Electronic Frontier Foundation's Adam Schwartz outlined in a post on Wednesday.
It doesn't limit how Facebook collects, shares, and uses personal information, it doesn't provide public transparency about how Facebook handles consumer data, and it doesn't address Facebook's dominant presence in the social media and advertising industries.
"These deficiencies are not cured by the $5 billion fine against Facebook," Schwartz wrote. "For a company the size of Facebook, this is not an effective deterrent against future violations of user privacy."
A spokesperson for Facebook did not immediately reply to a request for comment.
The American Civil Liberties Union also criticized the FTC's terms for failing to limit Facebook's ability to collect information. Neema Singh Guliani, the ACLU's senior legislative counsel, called the settlement "woefully inadequate" in a comment to Business Insider.
"While there is no way to adequately provide restitution to the over 87 million people whose rights were violated, this settlement doesn't even come close to preventing such violations from occurring again," Guliani said in an emailed comment. "In exchange for modest changes to Facebook's internal structure, the settlement shields the company from responsibility for violations that may not even be known."
The comments echo the dissenting opinion of Commissioner Rohit Chopra, who wrote that the settlement gives Facebook "a lot to celebrate."
The FTC is requiring Facebook to create processes for protecting user data from third-party apps as well as its own new products, practices, and services. But it still leaves the power in Facebook's hands, and doesn't do anything to address its core business model which relies on monetizing consumer data, according to Chopra.
"Instead, the order allows Facebook to decide for itself how much information it can harvest from users and what it can do with that information, as long as it creates a paper trail," Chopra wrote.
The requirements also fail to provide guidelines on what counts as a justified reason for third-party developers to collect user data, as Chopra points out.
Facebook will also be required to designate compliance officers that will be responsible for overseeing the company's privacy program as part of the FTC's new rules. Facebook CEO Mark Zuckerberg and these compliance officers will have to submit quarterly certifications to the FTC to prove that the company is complying with the mandated privacy program, and the compliance officers will also have to generate a quarterly privacy report to be shared with Zuckerberg, an independent assessor, and the FTC.
However, according to Fouad Khalil, the vice president of compliance at cybersecurity firm Security Scorecard, quarterly check-ins may be too infrequent. "To me, that doesn't cut it," he told Business Insider. "It's critical to know that ongoing assessment is taking place because every second, every minute, things are changing. Especially with a cloud-based solution like Facebook."
That's not to say the settlement terms do nothing to protect consumer privacy. As the EFF's Schwartz writes, the fact that Facebook is required to delete facial-recognition templates and is prohibited from using consumers' phone numbers for advertising purposes are both positive outcomes. Zuckerberg also said in a post on Facebook that the company has a "responsibility" to protect its users privacy. "We already work hard to live up to this responsibility, but now we're going to set a completely new standard for our industry," he wrote.
But while adding more safety protocols can solve some of the privacy issues Facebook has experienced, it doesn't address the reality that, for most people, there's no true alternative to Facebook's services, whether you consent to its policies or not. "And this is why we need to move away from this idea of consent," said Nancy Kim, a distinguished professor of internet studies and professor of law at California Western School of Law."We need to really kind of assess what has happened to our society as a result of Facebook's privacy practices."