You are viewing a read-only archive of the Blogs.Harvard network. Learn more.

FACEBOOK Bows to Privacy Priorities!

In cyber language, a lot of news are not news. One of such is that Facebook has some privacy practices that users complain about. They not only allegedly sell or make available either directly or indirectly your private information, they also store and/or make public, private data about their users without first seeking the users’ consent. Thirdly and pretty annoyingly, they change their privacy policy arbitrarily without notifying the users, thereby giving users no opportunity to change their online behaviors to suit their needs in tune with the new policy.

There is a difference between the desirable and the available, especially whenever it concerns privacy practices. While we desire utmost privacy and the strictest frugal dissemination of our private information, we release as much information as we think is necessary to create a visible online profile, thereby making ourselves vulnerable.

What online companies do with that information depends on their policies which users agree to and what the privacy law in the country wherein they operate says. In the USA, the law of privacy is a creation of common law, pioneered by early works of Supreme Court Justices Earl Warren and Louis Brandeis – the latter an alumnus of Harvard Law School – who both wrote “The Right of Privacy” in 1890. The development of privacy laws over the years, especially with the advent of the cyberspace, has resulted in a standard requirement of “Full Disclosure Opt-Out”. By this, websites are under a duty to disclose to their users what information they obtain about them and how that information is used. Any user who does not want to be thus treated may Opt-Out by specifically requesting that he be excused from such a privacy practice. This is a default setting for most privacy policies, including Facebook’s.

Thus, in practice, Facebook has done nothing unlawful, since Facebook is an American company and have complied with the minimum standard requirement of “Full Disclosure Opt-Out”. Also, since the Terms of Use contain a clause that says Facebook can amend their Privacy Policy at anytime without first recourse to the users, they seemed to be within their right.

The situation in Europe is different, however. By the ePrivacy Directive approved by the European Commission in November, 2009, European Internet consumers can only have their private information tracked or stored if they choose to, as opposed to opting out if they do not want to. This is known as the “Full Disclosure Opt-In” requirement. I have described this earlier as “good for privacy, bad for business”. A US company willing to deal with European consumers may “self-certify” by enrolling into the US-EU Safe Harbor program hosted by the US government at their website. Thus, such a website offers a different level of protection to European consumers.

Another aspect of privacy law which deserves a mention in this peculiar case of FTC vs Facebook is the issue of government intervention in the privacy of individuals. Government has no business dictating to or directing an individual how he should live his private life. This was summarized by Justice Brandeis’ dissent in the case of Olmstead v. U.S., 277 U.S. 438, 478 (1928)  as the “right to be left alone”. In 1967, the US Supreme Court overturned its ruling in Olmstead and held that recording by police of conversation in public telephone booth was a violation of the Fourth Amendment, because the speaker had a reasonable expectation of privacy in the booth. See Katz v. U.S., 389 U.S. 347, 350 (1967). The Court quoted “right to be let alone” from Warren & Brandeis’ 1890 article, instead of from Brandeis’ dissent in Olmstead, a case on the same issue. Maybe the Court was embarrassed to reverse its earlier position in Olmstead. (Ronald Standler, 1997)

But while Congress cannot tell users how to live their private lives, the government has an obligation to provide protection to the vulnerable class of the society who may not be able to make informed decisions about the manner they live their private lives, especially as it concerns the public sphere. In other words, though the government is not allowed to invade the private sphere of their citizens, they have the duty to ensure that the public sphere is sane for everyone to co-habit. The cyberspace has been severally referred to as the public sphere, just as public parks, the highways, the airways and the waterways. Thus, as the government has the duty to ensure that every road user has equal rights to use the highways, they also have an obligation to ensure that Internet users enjoy their rights on the cyberspace. That is why the FTC has continuously taken measures to ensure that privacy practices on the Internet are within legal bounds, even if there is no regulation or enactment to the effect.

According to AP Technology Writer Barbara Ortutay, Google’s attempt to plant a social network called Buzz within its widely used Gmail service invited the FTC to crack down on the move eight months ago for alleged privacy abuses. Like Facebook, Google also agreed to improve its privacy practices and submit to external audits for the next 20 years. In fact, as a response, the Buzz is now an abandoned project and has been replaced with Google Plus.

The FTC also filed charges against Twitter, alleging that it didn’t do enough to protect users’ accounts from computer hackers. The online short-messaging service struck a settlement with the FTC in June 2010 to resolve the privacy concerns and improve its security of users’ private and personal information.

Facebook are the latest to suffer a similar fate, and so tow the same line. In vindication of Private Citizen’s position and displeasure at the indiscriminate manner in which companies change their privacy policies, the AP reports that much of the FTC’s complaint against Facebook centers on a series of changes that the company made to its privacy controls. The revisions automatically shared information and pictures about Facebook users, even if they previously programmed their privacy settings to shield the content. Among other things, people’s profile pictures, lists of online friends and political views were suddenly available for the world to see. They were also alleged to have shared users’ personal information with third-party advertisers from September 2008 through May 2010 despite several public assurances from company officials that it wasn’t passing the data along for marketing purposes. They reported further that FTC also alleged that Facebook displayed personal photos even after users deleted them from their accounts.

Although Facebook denied any wrongdoing, their agreement with the FTC requires the company to obey privacy laws or face a fine of $16,000 per day for each violation. As mentioned above, privacy law on the Internet is two-pronged. The “Full Disclosure Opt-Out” in the US and the “Full Disclosure Opt-In” requirement in European countries made accessible to American companies through the US-EU Safe Harbor program.

The agreement has been unanimously approved by FTC’s commissioners. The FTC is however accepting public comments through Dec. 30 before deciding whether to finalize the settlement, which is foreseeable.

What is in it for you?

The agreement, though in the interest of Facebook users, does not make Facebook overtly responsible to the user in a major way. Federal Trade Commission (FTC) lawyer Lesley Fair blogs that the Settlement merely requires Facebook to implement a comprehensive privacy program, complying with Privacy Laws (as unclear as that may connote) and submit to external audit of its privacy practices by the FTC for the next 20 years. More importantly, Facebook shall not misrepresent its privacy practices. Lesley Fair stated further that once a company abides by its privacy policies (no matter how good or bad such practice is) and does not misrepresent same, it is safe from an FTC crackdown. However, you can be sure to receive an e-mail from Facebook whenever they intend to change the privacy policy.

Going Forward

What would have been more desirable is for a positive enactment by the Congress that once and for all gives a code of conduct to online companies. We should not be too proud to follow the good examples laid by Europe. The US-EU Safe Harbor will be unnecessary if the laws have similar provisions. The energy deposed towards the Stop Online Piracy Act, E-PARASITE Act or the PROTECT-IP Act, and so on, which effort has been geared towards protecting the interest of a powerful minority Intellectual Property companies for over a decade, can be divested in something more productive that will benefit a greater number of people. Beneficial incentives, like those given to Internet Service Providers under the Digital Millennium Communications Act, can also be provided to online websites who practice flawless privacy policies. On the flip side, criminal responsibility can be meted out to bad practices.

A copy of the Settlement can be found here.

One Response to “FACEBOOK Bows to Privacy Priorities!”

  1. Sid Vel Says:

    Facebook had this coming!