SAN FRANCISCO — Government regulators are sharing some alarming information about Facebook: They believe the online social network has often misled its more than 800 million users about the sanctity of their personal information.
The unflattering portrait of Facebook’s privacy practices emerged Tuesday in a Federal Trade Commission complaint alleging that Facebook exposed details about users’ lives without getting legally required consent.
In some cases, the FTC charged, Facebook allowed potentially sensitive details to be passed on to advertisers and software developers prowling for customers.
To avoid further legal wrangling, Facebook agreed to submit to government audits of its privacy practices every other year for the next two decades.
The company committed to getting explicit approval from its users – a process known as “opting in” – before changing their privacy controls.
The FTC’s truce with Facebook, along with previous settlements with Google and Twitter, is helping to establish more ground rules for online privacy expectations as Internet companies regularly vacuum up insights about their audiences in an effort to sell more advertising.
Though Facebook didn’t acknowledge any wrongdoing in the legal papers it signed with the FTC, co-founder and CEO Mark Zuckerberg was more contrite in a blog post Tuesday.
“I’m the first to admit that we’ve made a bunch of mistakes,” he wrote. “In particular, I think that a small number of high-profile mistakes ... have often overshadowed much of the good work we’ve done.”
Much of the FTC’s complaint centers on a series of changes the company made to its privacy controls in late 2009.
The revisions automatically shared information and pictures about Facebook users, even if they had previously programmed their privacy settings to shield the content. Among other things, people’s profile pictures, lists of online friends and political views were suddenly available for the world to see, the FTC alleged.
The complaint also charges that Facebook shared its users’ personal information with third-party advertisers from September 2008 through May 2010 despite several public assurances from company officials that it wasn’t passing the data along for marketing purposes.
Facebook believes that happened only in limited instances, generally when users clicked on ads that appeared on their personal profile pages.
The FTC also alleged that Facebook displayed personal photos even after users deleted them from accounts.
“Facebook’s innovation does not have to come at the expense of consumer privacy,” FTC Chairman Jon Leibowitz said. “The FTC action will ensure it will not.”
Facebook’s stepped-up commitment to privacy wasn’t enough to satisfy Jeff Chester, the executive director for the Center for Digital Democracy, one of the privacy watchdog groups that prodded the FTC investigation. In a statement, Chester called on Zuckerberg and Facebook’s board of directors to resign so that the company could hire more trustworthy replacements.
“They misled consumers and should pay a price beyond a 20-year agreement to conduct their business practices in a more above-board fashion,” Chester said.
Facebook sought to downplay the gravity of the FTC’s allegations, maintaining that it had already addressed most of the privacy complaints. Zuckerberg said the website has added more than 20 new privacy features in the past 18 months.
To underscore its commitment, Facebook has created two new executive positions – Michael Richter as chief privacy officer of products and Erin Egan as chief privacy officer of policy.
“This means we’re making a clear and formal long-term commitment to do the things we’ve always tried to do and planned to keep doing – giving you tools to control who can see your information and then making sure only those people you intend can see it,” Zuckerberg wrote in his blog post.