FTC fines Facebook $5bn for making users believe they actually had control over their data

Privacy Board to keep tabs on potential naughtiness at the antisocial network

Evil empire Facebook's devil-may-care attitude to privacy has bitten it on the backside – the Federal Trade Commission has imposed a record $5bn penalty for "deceiving users" about their control over private data.

The FTC said the antisocial network violated a 2012 order by misleading members into thinking they were actually in the driving seat when it came to determining what happens to their own information.

The Department of Justice, on behalf of the commission, will lodge a complaint claiming that Facebook "repeatedly used deceptive disclosures and settings to undermine" individuals' privates. This included sharing data with third-party apps that were downloaded by users' "friends", a practice the FTC said was not known to members.


This was brought to a head by whistleblower Chris Wylie, who made public the scandal involving data analytics biz Cambridge Analytica, which accessed the details of 87 million users. Facebook had not taken adequate steps with apps it knew were violating platform policies, the FTC said.

In another related move today, the FTC sued Cambridge Analytica and reached an out-of-court settlement with two defendants – former CEO Alexander Nix and app developer Aleksandr Kogan.

The fine against Facebook is 20 times greater than the largest privacy or data security payout to date – against Equifax – and one of the largest ever raised by the US government for any infraction, the consumer watchdog added.

"Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers' choices," said FTC chairman Joe Simons.

"The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook's entire privacy culture to decrease the likelihood of continued violations."

Some 2.38 billion users use the platform each month, according to Facebook stats for Q1 2019. In the US and Canada, 185 million people use it daily. Facebook cashes in on user data to target adverts at the poor saps, and drummed up $55.8bn revenues in 2018.

20-year compliance order

In addition to the financial charge, Facebook will also face "unprecedented restrictions" and compliance requirements on its commercial operations, under a revamped 20-year-old settlement order. This is applicable to WhatsApp, Instagram and Facebook.

These orders mean Facebook will be forced to adopt a new attitude to privacy from the "corporate board-level down" and make its execs accountable for the decisions they make, the commission said.

This should involve "removing unfettered control" by Facebook CEO Mark Zuckerberg "over decisions affecting user privacy". Members of a new Privacy Board must be independent and brought on board by an independent nominating committee. The move is designed to create overlapping layers to catch non-compliance.

In order to control Facebook's future behaviour, the company needs to "designate" compliance officers to oversee the privacy programme, and one of these officers can only be kicked out by that independent privacy committee, not Zuck or other Facebook employees.

The Zuck and compliance officers must report quarterly and annual compliance certifications to the FTC, and any false certs will subject those individuals to civil and criminal penalties.

An independent third-party assessor – not PwC – will also be tasked with providing biennial evaluations of Facebook's privacy programme, including "fact-gathering, sampling and testing".

The assessor must not rely on information from Facebook management and will be required to report findings to the Privacy Board each quarter.

For each new or modified product released by the company, Facebook must undertake a privacy review and write up its decisions as they pertain to user privacy. And Facebook will also be ordered to detail events when 500 or more users' data has been compromised, along with its efforts to deal with the incident within 30 days of discovery.

The FTC also has new discovery tools to monitor Facebook's compliance with the order. Other privacy requirements are listed here.

All in all, this is long overdue and may finally help to curb Facebook's utter disregard for privacy. ®
