Story first appeared in USA TODAY.
Facebook on Tuesday agreed to a Federal Trade Commission order that bars Facebook from deceiving consumers about its privacy practices and requires it to submit to monitoring for 20 years.
The sanction stems from privacy setting changes that Facebook made in December 2009, without asking users' permission. The company told users they could keep their information on Facebook private, when, in fact, it repeatedly allowed information to be shared and made public.
Facebook CEO Mark Zuckerberg insisted in a blog posting that the company has a good history of providing transparency and control over who can see your information, but acknowledged that they've made a bunch of mistakes.
The FTC's sanction comes as Facebook readies itself for a high-profile initial public offering of stock, expected next spring. Meanwhile, the company has come under rising criticism in the U.S. and Europe for using Like buttons embedded on millions of websites to monitor Web surfing.
Facebook compiles tracking logs of the webpages viewed by each of its 800 million members, and millions more non-members, the company disclosed in exclusive USA TODAY interviews.
New federal laws are needed to help consumers protect their personal information from companies surreptitiously collecting and using that personal information for profit, says Sen. Jay Rockefeller, D-W.V., sponsor of a Do Not Track law that would restrict online tracking.
Rockefeller commended the FTC's action. Consumer privacy is a right, not a luxury, he says. This action against Facebook is just the first step toward protecting consumer privacy.
Facebook improperly disclosed information to advertisers and continued to display photos and videos even after the accounts were deactivated, according to the FTC.
The consent order, which must be approved by a judge, requires Facebook to:
•Obtain express consent before overriding users' privacy preferences.
•Cut off access to a user's material within 30 days after deletion of an account.
•Establish a comprehensive privacy program covering new and existing products and services.
•Submit to privacy program audits within 180 days and every two years after that for the next 20 years. Monitoring would be handled by an independent professional yet to be named.
Even after the consent order takes effect, Facebook users may not notice anything different.
It's not clear how the FTC's order could affect Facebook's plans for new services, including Timeline, which digitally maps everything a user has ever done on the popular social network, and "Open Graph" applications designed to broadcast user's surfing patterns and interests widely across the social network.
Chris Conley, a tech and civil liberties attorney at the ACLU'S Northern California chapter, notes that Facebook's privacy settings make no reference to Like button tracking.
There's no setting for (the) user to control that, says Conley. It's questionable if something that doesn't have a privacy setting today is covered by the FTC's order.
The FTC stopped short of ordering Facebook to restore the more rigorous privacy settings it had prior to December 2009, noted Marc Rotenberg of Electronic Privacy Information Center.
EPIC and nine other non-profit groups filed the complaint that triggered the FTC probe. If it was unfair to change the privacy settings, then the right response would be to change the settings back.
The order is expected to give technologists and privacy advocates a new, more effective tool to monitor Facebook's privacy practices, says Jeff Chester, executive director of the non-profit Center for Digital Democracy.
Federal lawmakers focusing on privacy issues will also be closely monitoring the aftermath of the FTC's order, says Rep. Mary Bono Mack, R-Calif.