Public fear over online privacy has been ramping up, and for Julie Brill, a commissioner at the Federal Trade Commission, the increased attention is warranted. In an informal talk at the Stanford Law School, Commissioner Brill said the FTC is focusing increasing attention on the privacy policies of cyber companies from Facebook to the latest smart-phone applications.
“We have been really active over the past year or so in terms of enforcement and probably the matter that… in many ways could be considered the most important is the Facebook settlement,” Brill said. “I think Facebook, and to a certain extent the Google proposed settlement, are significant because for the first time we are calling on companies… by order from us, to institute a comprehensive privacy program.”
The FTC has taken actions against Facebook, Google and Twitter and has proposed settlements for all three. The major components of the settlements with Facebook and Google include: “having in place personnel who are primarily responsible for privacy” and “having in place governance structures throughout the corporate entity that are thinking about privacy,” Brill said. “We also put in place auditing requirements… that last for 20 years.”
In the case of Facebook, Brill also mentioned that the FTC is specifically concerned with the transparency and clarity of its privacy rules.
“Just simply having something down somewhere in a very complicated document, we have taken the position that… it will not absolve a company of potential problems if consumers wouldn’t have expected to find that very salient information in the place where the company put it. That was one issue that came up in the Facebook matter.”
Facebook is accused of deceiving “consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” according to an FTC press release. Of the three major Silicon Valley companies to face action from the FTC, the action against Facebook contained the most numerous and diverse complaints. The complaints range from changing the company’s privacy policies without notifying consumers, to several instances of misrepresenting such policies.
For example, the FTC complaint claims that, “in many instances, Facebook has shared information about users with platform advertisers by identifying to them the users who clicked on their ads,” despite stating explicitly that Facebook never shares data. After relaxing privacy policies in Dec. 2009, “platform advertisers potentially could take steps to get detailed information about individual users, including profile picture, gender, current city, friend list, pages and networks.”
In 2011, Google and the FTC finalized an agreement stemming from an FTC case brought in 2010. The Google case was over the well-publicized Google Buzz fiasco, in which Google tried to create a social network based around users’ Gmail accounts.
According to the FTC website, “the options for declining or leaving the social network were ineffective”; and “for users who joined the Buzz network, the controls for limiting the sharing of their personal information were confusing and difficult to find.”
The FTC case against Twitter focused on data security, not privacy practices, and alleged that Twitter had not taken thorough enough security measures in 2009 when it was hacked twice.
In all three actions, the FTC has brought what is called an “administrative complaint,” which is not a formal charge of violating the law. The companies do not admit to breaking the law when they finalize their settlement agreements with the FTC, and the finalized agreements do not come with a penalty, although they do provide for future penalties if the agreement is broken.
Beyond bringing individual actions, last year the FTC created a proposal suggesting unique standards and practices to address privacy concerns online.
“We probably most famously sent out a call for industry, as well as policy makers, to consider developing ‘do not track’ features,” Brill said. “It is one mechanism to give users simplified notice and simplified choice about some of the ways that data is being collected and used online.”
The FTC proposal further suggests creating stricter disclosure rules for “third party” companies that collect data without direct interaction with the customer. The thinking is that a customer dealing directly with a vendor is aware that Amazon, for example, will have access to their personal data, but should be clearly notified if that data is collected by a third party as well. Brill said she expects the proposal to be finalized in the coming months, but for now it is open for comments.
The FTC has traditionally focused on data security, but when asked about last year’s discovery that patient information from Stanford Hospital, including names and diagnosis codes, was online for over a year, Commissioner Brill said it would not be the FTC that would handle the case. Instead, Health and Human Services will be taking action.
Brill did offer empathy for consumers over data security in general.
The consumer “has to trust that the company is engaging in good data security practices and when that falls down… the consumer is left on the sideline; but it’s their data.”
“That is one of the reasons that we focused for a long time on data security, and it is only more recently that we have moved more broadly into privacy,” she added.
The event was hosted by the Stanford Center for Internet and Society and was put on as a part of Data Privacy Day, an effort to raise awareness about privacy. The official Data Privacy Day is Jan. 28.