Federal Trade Commissioner Julie Brill publicly blasted Google and Facebook for violating user privacy during her talk Tuesday morning at a cybersecurity forum in Washington D.C., saying the companies “learned it the hard way” from the FTC that they should not change user privacy settings without getting expressed, affirmative approval from users.
Ironically, Brill’s comments were broadcast live to the Web on Facebook’s DC page, which was livestreaming the forum.
“We called Facebook out for promises it made but did not keep,” Brill said in her prepared statement, “It told users it wouldn’t share information with advertisers, and then it did; and it agreed to take down photos and videos of users who had deleted their accounts, and then it did not.”
“Our enforcement actions in the privacy area are also a call to industry to put important
privacy principles into practice,” Brill added.
Each company reached a separate but similar agreement with the FTC in 2011 to undergo 20-years of independent privacy audits for privacy scandals involving social networking.
Google was investigated by the FTC over its short-lived, failed Google Buzz social network, which automatically appeared in Gmail and shared way more information than many users were comfortable with. Facebook was investigated by the FTC over its 2009 redesign and privacy settings overhaul, which began publicly sharing more user information by default, including information users had previously set to private.
Both companies dodged fines or other harsher penalties for the privacy failures, but in addition to the audits, the FTC required each company to begin developing its own internal privacy program to ensure it would not violate user privacy going forward.
“The proposed FTC settlement with Facebook prohibits the company from misrepresenting the privacy and security settings it provides to consumers,” Brill said.
“Like Facebook, Google settled our complaint,” Brill went on. “And like Facebook, Google is also required to implement a comprehensive privacy program and to obtain periodic assessments that will examine how well the privacy program is put into practice.”
“Like others, we’ve followed what’s been announced in the press,” Brill said of Google’s recent changes, “We do have an outstanding consent order with Google, so it wouldn’t be appropriate for me to comment about it at this time. But it is something that is certainly of interest to us.”
Google in June 2011 confirmed that the FTC had launched a separate anti-trust investigation into the company, and Bloomberg this month reported that Google was being investigated over the recent Google Search Plus Your World changes.
Brill also laid-out an alarming vision of the near future where all social networking data could be scraped and sold to banks and insurers to allow them to determine a person’s likely behavior, and called upon Web companies that capture user data to develop a “one-stop shop” for users to be able to see and change that data.
As she wrote:
Analysts are undoubtedly working right now to identify certain Facebook or Twitter habits or activities as predictive of behaviors relevant to whether a person is a ― “good” or “trustworthy” employee, or is likely to pay back a loan. Might there not be a day very soon, when these analysts offer to sell information scraped from social networks to current and potential employers to be used to determine whether you’ll get a job or promotion? Or to the bank where you’ve applied for a loan, to help it determine whether to give you the loan, and on what terms?
I am calling on data brokers to take the transparency principle and put it into practice. Develop a user friendly one-stop shop where consumers can gain access to information that data brokers have amassed about them and, in appropriate circumstances, can correct that information. Data brokers need to get cracking now to put something like this into place.
The forum at George Washington University Law School was held in advance of “Data Privacy Day,” an annual international effort (“celebration”) by governments and tech companies held every January 28 to promote education and awareness of cybersecurity and data privacy.
The effort was launched in 2007 by the the Council of Europe, a diplomatic organization separate from the European Union, but has since expanded to many countries around the globe, including the United States.