Facebook Privacy: FTC Settlement, EU Fires
While Facebook settles with the FTC, the EU commission starts firing at its business model; http://eicker.at/FacebookPrivacy
Cubrilovic: Logging out of Facebook is not enough; maybe fixed. – Arrington: brutal dishonesty; http://eicker.at/FacebookCookies
Arrington: “‘Facebook does not track users across the web,’ – A Facebook spokesperson on September 25, 2011 and ‘Generally, unlike other major Internet companies, we have no interest in tracking people.’ – Facebook employee on September 25, 2011 v. ‘A method is described for tracking information about the activities of users of a social networking system while on another domain.’ – Facebook Patent application dated September 22, 2011 – Whoops”
Cubrilovic: “[L]ogging out of Facebook only de-authorizes your browser from the web application, a number of cookies [including your account number] are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page [that integrates Facebook] you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions. … To clarify, I first emailed this issue to Facebook on the 14th of November 2010. I also copied the email to their press address to get an official response on it. I never got any response. … I have been sitting on this for almost a year now. The renewed discussion about Facebook and privacy this weekend prompted me to write this post.”
Cubrilovic: “My goal was to both identify bugs in the logout process and see that they are fixed, and to communicate with Facebook in getting some of the unanswered questions answered so that the Facebook using public can be informed of how cookies are used on the site – especially with regard to third-party requests. – In summary, Facebook has made changes to the logout process and they have explained each part of the process and the cookies that the site uses in detail. … Facebook has changed as much as they can change with the logout issue. They want to retain the ability to track browsers after logout for safety and spam purposes, and they want to be able to log page requests for performance reasons etc. I would still recommend that users clear cookies or use a separate browser, though. I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe. – I discovered a lot of other issues and interesting areas ripe for further investigation while researching the cookie logout issue – and I will be taking each one of them up on the blog here in the near future.”
BBC: “Facebook has said that it has ‘fixed’ cookies that could have tracked users after they logged out of the site. … In a statement, the firm told the BBC that it had done nothing wrong. ‘There was no security or privacy breach – Facebook did not store or use any information it should not have. Like every site on the internet that personalises content and tries to provide a secure experience for users, we place cookies on the computer of the user.’ … Most cookies perform basic tasks like storing your login details or personal preferences. – But some track the sites users visit, which means that they may be presented with adverts for products or services they researched on the web once they visit other unrelated sites. Consumer concerns over this type of cookie led to a new EU directive, with online firms across Europe currently working out how they can allow users to opt out of these bits of code.”
SEW: “It was recently discovered that some Facebook cookies were left intact after logout. While the issue has since been resolved, select data is still tracked and recent Facebook patent information indicates that all logged-out tracking may be intentional. … Facebook reports that the remaining cookies exclude personal identifiers and are completely benign in nature; they serve functions such as generating timestamps, contributing to Facebook’s page reporting, and helping to keep public computers secure. … Facebook isn’t the only one facing privacy and tracking issues, either. Marketers should give note to a couple other stories, including The Wall Street Journal’s recently revised privacy policy (which permits WSJ to track personally identifiable behavior without user consent) and the FTC probe into undeletable ‘supercookies’ used by Hulu and MSN.com.”
SMH: “On Friday, 10 public interest groups asked the US Federal Trade Commission to investigate Facebook’s tracking of internet users after they log off. They urged the commission to examine whether Facebook’s new ticker and timeline features increased privacy risks for users by combining biographical information in an easily accessible format. … The lawsuit – filed by Perrin Aikens Davis, of Illinois – seeks class status on behalf of other Facebook users in the US. Davis seeks unspecified damages and a court order blocking the tracking based on violations of federal laws, including restrictions on wiretapping, as well as computer fraud and abuse statutes. – ‘We believe this complaint is without merit and we will fight it vigorously,’ Andrew Noyes, a Facebook spokesman, said in a statement.”
Google launches Google Wallet on Sprint: checkout wirelessly via Citi MasterCard, Prepaid Card; http://eicker.at/GoogleWallet
Google: “In May we announced Google Wallet – an app that makes your phone your wallet – with Citi, MasterCard, Sprint and First Data. With Google Wallet, you can tap, pay and save using your phone and near field communication (NFC). – We’ve been testing it extensively, and today we’re releasing the first version of the app to Sprint. That means we’re beginning to roll out Google Wallet to all Sprint Nexus S 4G phones through an over-the-air update – just look for the ‘Wallet’ app. … Google Wallet enables you to pay with your Citi MasterCard credit card and the Google Prepaid Card, which can be funded with any of your existing plastic credit cards. As a thanks to early adopters, we’re adding a $10 free bonus to the Google Prepaid Card if you set it up in Google Wallet before the end of the year.”
Google: “Google Wallet is a mobile app that will make your phone your wallet. It stores virtual versions of your existing plastic cards on your phone, along with your coupons, and eventually, loyalty and gift cards. Our intention is that Google Wallet will be an open mobile wallet holding all the cards and coupons you keep in your leather wallet today. … NFC is a wireless technology that enables data transmission between two objects when they are brought within a few inches of each other. Smartphones enabled with NFC technology can exchange data with other NFC enabled devices or read information from smart tags embedded in posters, stickers, and other products. … Google Checkout is a service that enables merchants to accept and process online payments. Google Wallet, on the other hand, is a mobile app that enables users to tap and pay at physical, brick and mortar stores. … The Google Prepaid Card allows you to use Google Wallet even if you don’t have an eligible Citi MasterCard. It is a virtual card powered by MasterCard and Money Network. You can fund this prepaid card with any of your existing plastic credit cards. And since it’s purely virtual, you won’t get a physical plastic card in the mail. You can tap and pay immediately after funds are added.”
TC: “Bummed by the limited launch? Don’t be. This somewhat-cautious approach is really the only way they could do it: NFC is still a relatively new technology, with a complicated network of partners, and, most importantly, involves your money. Google is really the first company with the power to move the world towards NFC – but even for them, it’s going to be something of an uphill battle, and they’ll have to take things one small step at a time. – Fortunately, Google also just announced their next (small step) huge leap: support for Visa, Discover, and American Express cards.”
pC: “For the moment, Google Offers is only available in cities in the U.S. That means the purchase of the Daily Deal site could give Google an easy route to ramping up the service in Europe as well. … In May, when Wallet and Offers were announced by Stephanie Tilenius, Google’s VP of commerce, she described how Wallet would be about more than just payments, and would also be used for loyalty programs, check-ins and other transactions. … Google is not the only one working in these areas: on the deals front it is already competing against dominant Groupon, big LivingSocial, and fast-rising Amazon, among many others.”
The EU E-Privacy Directive and cookies: making companies less competitive or more transparent? http://eicker.at/PrivacyCookies
BBC: “From 25 May, European laws dictate that ‘explicit consent’ must be gathered from web users who are being tracked via text files called ‘cookies’. … The changes are demanded by the European e-Privacy directive which comes into force in the UK in late May. – The section of the directive dealing with cookies was drawn up in an attempt to protect privacy and, in particular, limit how much use could be made of behavioural advertising. – This form of marketing involves people being tracked across websites, with their behaviour used to create a profile that dictates the type of adverts they see. … The exact steps that businesses have to go through to comply with the law and gain consent from customers and users are being drawn up by the Department for Culture, Media and Sport (DCMS).”
TC: “As if European startups weren’t already at a notional disadvantage in addressing smaller markets, having access to less venture capital and being geographically spread out, a new EU-wide law proposes to hobble its innovation companies by slapping big privacy warning signs all over their sites. … Although businesses are being urged to work out how they gain ‘consent’ from users, this is bound to cause consternation. … Nick Halstead, CEO of Tweetmeme and new startup DataSift told me: ‘It clearly makes UK companies less competitive because sites we build will need to be plastered with warnings – and our competitors will not.’”
GigaOM: “It’s not a law. The EU is saying member states should enact their own legislation in this area to harmonize with each other, but each country gets to apply it in its own way. Britain’s government will have no impact on the French; the Spanish solution may be very different from the Italian, and so forth. – It doesn’t make opt-in compulsory yet. Because of the system, directives take a long time to become enforceable laws. So while the directive might come into force on May 25, it’s not going to be resulting in court cases for years. – It doesn’t ban cookies. It just asks that those sites which use cookies to track user behavior off site – usually to serve targeted ads – tell users that they’re doing so. Login cookies and shopping carts would be exempt. It’s not aimed at making businesses less competitive. It’s aimed at making them more transparent.”
TNW: “Even if it doesn’t drive startups or their users elsewhere, it’s still sure to be annoying. I’ve had my current computer for three months and I already have 5000 cookies stored on it. Even if only a fraction of those are from European sites, the idea of approving hundreds of ‘explicit permissions’ per month is daunting.”
pC: “In any case, the member countries of the European Union have substantial leeway in how they implement the rule and work it into their national legal systems. Member countries have until May 25 to do that, but it’s not unusual for them to be late. – While U.S. regulators have also begun considering beefing-up online privacy, including various ‘Do Not Track’ measures, no politician stateside has gone as far as the UK Information Commissioner went by suggesting that an explicit opt-in for standard HTTP cookies should be required.”
Heise: “The German federal government does not intend to implement the new guidelines on the handling of cookies and other ‘snooping software’ any time soon. … A spokesperson for the Federal Commissioner for Data Protection, Peter Schaar, told heise online that, unlike the federal government, his office does see a need for implementation. According to him, a supplement should be added to the Telemedia Act (Telemediengesetz) stating that cookies may only be set if the user has given consent. … The office is now counting on such a provision still being introduced during the parliamentary deliberations on the reform of the telecommunications rules.”
The EU cookie controversy has been an issue ever since the e-Privacy Directive was amended in November 2009. At cippguide.org, we take a look at privacy issues worldwide. We also help prepare candidates for the CIPP certification. Check out our blog post that discusses the EU e-Privacy Directive and the development of the cookie problem.
According to comScore, the Web is slightly more popular than apps among mobile users; http://eicker.at/WebOrApp
Borthwick on net neutrality, FCC: Access to broadband [is] the single most important driver of innovation; http://eicker.at/NN
WSJ: Google increasingly is promoting some of its own content over that of rival websites; http://eicker.at/GoogleSelfPromotion
WSJ: “The Internet giant is displaying links to its own services – such as local-business information or its Google Health service – above the links to other, non-Google content found by its search engine. … Critics include executives at travel site TripAdvisor.com, health site WebMD.com and local-business reviews sites Yelp.com and Citysearch.com, among others. … The EU received a complaint from a shopping-search site that claimed it and other similar sites saw their traffic drop after Google began promoting its own Product Search service above conventional search results. … The issue isn’t entirely new. The company for several years has used prominent links to services such as Google Finance and Google Maps to boost their popularity, with varying results.”
Google: “When someone searches for a place on Google, we still provide the usual web results linking to great sites; we simply organize those results around places to make it much faster to find what you’re looking for. For example, earlier this year we introduced Place Search to help people make more informed decisions about where to go. Place pages organize results around a particular place to help users find great sources of photos, reviews and essential facts. This makes it much easier to see and compare places and find great sites with local information.”
SEL: “The question of Google’s right to refer traffic to its own sites is once again in the center of policy debate. The European Commission is looking at this issue as part of its larger anti-trust investigation against Google. It’s also a question at the heart of the federal regulatory review of the ITA acquisition. … What are or should be Google’s ‘obligations’ to third party publishers? This is the central question it seems to me. – These are all very difficult issues and become extremely problematic at the level of execution. If regulators start intervening in Google’s ability to control its algorithm and its own SERP it sets a bad precedent and compromises Google’s ability to innovate and maybe even compete over time. … It has also been held by courts that the content of SERPs is an ‘editorial’ arena protected by the First Amendment. So hypothetically Google could only show Google-related results and still be within the law. … Google’s dominance of the market may decline in a few years. I’m not a laissez-faire, free-market lover but the market may take care of itself. Facebook and others are working on ways to discover content that don’t require conventional search-engine usage.”
TC: “Displaying local results this way is a little less in your face, but the end result is the same. In both cases, the main link still goes to the businesses’ own websites, but the Google Places links are also prominent. Either way, the message is clear to local businesses: list your profile in Google Places and you will have a better shot at appearing at the top of the first search results page. – Are these results better for users? It depends on how good are the Google Places listings. Some of them are very good, I will admit. But try any local search and I bet you will consistently get Google Places results, sometimes taking up most of page – not always at the very top, but always as a block. They can’t all be better than results for businesses which don’t happen to have a Google Places listing. Remember, Google Places is still fairly new and developing.”
Ofcom: Britons, a nation of early technology adopters, spend more online than any other European country; http://eicker.at/UK
The European Parliament goes Metaverse: Citzalia is its virtual world and social networking forum; http://j.mp/b1N3gh
Künast: Freedom can comprise anonymity. Jarvis: Yes, but freedom also comprises publicness; http://j.mp/cP0bm8
May I request if you could include me in your mailing list or send me an article related to the publicness of volunteering which is my topic for my doctoral dissertation. Thank you very much.
Sorry, but there’s no specific mailing list. You can subscribe to all new posts via Feedburner.
Gerrit Eicker 11:50 on 30. November 2011
FTC: “The social networking service Facebook has agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers’ express consent before their information is shared beyond the privacy settings they have established. … The proposed settlement bars Facebook from making any further deceptive privacy claims, requires that the company get consumers’ approval before it changes the way it shares their data, and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years. – Specifically, under the proposed settlement, Facebook is: barred from making misrepresentations about the privacy or security of consumers’ personal information; required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences; required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account; required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected. – The proposed order also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order.”
ATD: “Facebook has agreed to 20 years of privacy audits in response to complaints by the U.S. Federal Trade Commission that it unfairly deceived users about the privacy of their personal information, as was anticipated. The settlement, which is not particularly punitive and comes years after some of the incidents in question, shames Facebook for promising users that their information was kept private while it was in fact shared with advertisers and outside applications that the users or their friends installed. … Facebook’s punishment is in line with what its competitors Twitter and Google have already agreed to: Clearer privacy policies that are audited every two years for the next 20 years.”
AdAge: “Facebook has settled with the Federal Trade Commission on charges that it rolled out upgrades that overrode users’ privacy settings without obtaining their consent and shared their private information with third-party apps and advertisers. – The settlement marks the first time that the FTC has taken action against the social network, though its European counterparts have been more aggressive in attempts to regulate Facebook and others. The European Commission reportedly intends to amend data-protection laws to ban targeted advertising unless users explicitly opt in, and Facebook would be subject to fines if it fails to comply. … Like the settlement reached with Google over its now-defunct social-networking Buzz product in March, the settlement carries no financial penalty. Facebook is subject to a $16,000 fine per violation per day if it fails to comply with the terms of the order.”
SEL: “[T]he FTC settlement is also a reminder that privacy is alive and well. It’s also concrete proof that there are consequences for being cavalier about privacy. – This is even more true in Europe, where governments and regulators take privacy 10x more seriously than we do in the US. There are several investigations pending in Europe; and proposed legislation to be introduced early next year by the European Commission would place disclosure requirements and other constraints around Facebook’s ad targeting capabilities.”
NYT: “Several privacy bills are pending in Congress, and Internet companies have stepped up their lobbying efforts. The F.T.C., meanwhile, has ratcheted up its scrutiny of Internet companies. This year alone, it has reached settlement orders with some of the giants of Silicon Valley, including Google. – The order comes amid growing speculation about Facebook’s preparations for an initial public offering, which could be valued at more than $100 billion. The settlement with the F.T.C., analysts say, could potentially ease investors’ concerns about government regulation by holding the company to a clear set of privacy prescriptions.”
VB: “Now with third party audits required for the next two decades, including the FTC’s new ability to monitor Facebook’s compliance with the settlement (standard record-keeping procedure), Facebook users will be much more informed and kept up-to-date with any changes the platform might make that has the potential to distribute or share a consumer’s private information without his or her express permission. Or that’s the hope, right?”
Zuckerberg, Facebook: “I founded Facebook on the idea that people want to share and connect with people in their lives, but to do this everyone needs complete control over who they share with at all times. – This idea has been the core of Facebook since day one. When I built the first version of Facebook, almost nobody I knew wanted a public page on the internet. That seemed scary. … Overall, I think we have a good history of providing transparency and control over who can see your information. – That said, I’m the first to admit that we’ve made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we’ve done. … I’m committed to making Facebook the leader in transparency and control around privacy. … Recently, the US Federal Trade Commission established agreements with Google and Twitter that are helping to shape new privacy standards for our industry. Today, the FTC announced a similar agreement with Facebook. These agreements create a framework for how companies should approach privacy in the United States and around the world. … Even before the agreement announced by the FTC today, Facebook had already proactively addressed many of the concerns the FTC raised. … In addition to these product changes, the FTC also recommended improvements to our internal processes. … As part of this, we will establish a biannual independent audit of our privacy practices to ensure we’re living up to the commitments we make. … Erin Egan will become Chief Privacy Officer, Policy. … Michael Richter will become Chief Privacy Officer, Products. … These two positions will further strengthen the processes that ensure that privacy control is built into our products and policies. I’m proud to have two such strong individuals with so much privacy expertise serving in these roles. – Today’s announcement formalizes our commitment to providing you with control over your privacy and sharing…”
RWW: “Since the settlement, Zuckerberg has penned a blog post outlining the Facebook features that the site has launched, which include friend lists, the ability to review tags before they appear on a profile, mobile versions of privacy controls, among other notable updates. … According to the Sophos Security Blog, in addition to the privacy audits, if the settlement proceeds, Facebook also must stop misrepresenting its security and privacy policies, obtain consent when handing personal data, establish a stronger privacy program and, perhaps most importantly, prevent people from accessing information from deleted/deactivated accounts 30 days after they have been closed.”
GigaOM: “Not surprisingly, Facebook appears keen to put the FTC incident in the past. CEO Mark Zuckerberg on Tuesday addressed the settlement with a lengthy company blog post in which he noted that it is ‘a similar agreement’ to those the FTC has previously reached with Google and Twitter. He also said Facebook has been proactive in bolstering privacy prior to today’s announced settlement with a number of product updates enacted in the past 18 months.”
RWW: “On the one hand: As any IT security manager knows, the way to implement privacy control in an organization is not to make the private data available in the first place. Modern information security policies are never about per-instance restrictions to the otherwise free flow of information. The same level of controls can, and perhaps should, be provided for directing flow in the opposite direction. That is to say, share nothing by default, and opt in to services that other users and even apps may request. – On the other hand: Facebook’s responsibility for the protection of data provided by users of their own free will, and without any binding contract other than the implied consent agreement, is somewhat limited. The FTC made clear to cite Facebook for misrepresenting its services from the outset, and that misrepresentation gives the government the leverage it needed to force Facebook to change its policies (even though Zuckerberg implies no such change is necessary now). But had that misrepresentation not existed, the FTC may not have had much ground to stand on. It’s hard to establish a standard of care for property that so many millions of individuals willingly give for free.”
TC: “Zuckerberg Loves That The FTC Wants You To ‘Like’ Them On Facebook – You know what Zuck (and around 400 Facebook employees including PR rep Caryn Marooney) do take lightly, according to this comment thread on a Facebook internal network? The fact that the FTC ironically asks readers to ‘Like’ them on Facebook at the bottom of the release statement outlining today’s Facebook settlement. – My favorite part of this? ‘This would make a great public post.’ Be careful what you wish for.”
Telegraph: “Facebook faces a crackdown on selling users’ secrets to advertisers – The European Commission is planning to stop the way the website ‘eavesdrops’ on its users to gather information about their political opinions, sexuality, religious beliefs – and even their whereabouts. – Using sophisticated software, the firm harvests information from people’s activities on the social networking site – whatever their individual privacy settings – and makes it available to advertisers. – However, following concerns over the privacy implications of the practice, a new EC Directive, to be introduced in January, will ban such targeted advertising unless users specifically allow it. … Viviane Reding, the vice president of European Commission, said the Directive would amend current European data protection laws in the light of technological advances and ensure consistency in how offending firms are dealt with across the EU. – ‘I call on service providers – especially social media sites – to be more transparent about how they operate. Users must know what data is collected and further processed (and) for what purposes. Consumers in Europe should see their data strongly protected, regardless of the EU country they live in and regardless of the country in which companies which process their personal data are established.’ … A spokesman for the UK Information Commissioner said: ‘Facebook should ensure that any data it collects should be used in the manner that its users expect. If personal data is being passed on to a third party or used for targeted advertising then this should be made clear to the user when they sign up to the site and reinforced when users are invited to use an application.’”
SEL: “A new directive by the European Commission may stop advertisers from leveraging users’ information when advertising on Facebook. … The new laws would require that users would need to approve more than the standard 4,000 word contract if their personal information was to be used in ad targeting. … If Facebook does not conform to the new rules laid out by the EC, they could face legal action or a ‘massive fine.’”
VB: “Facebook’s entire business model is under fire in the EU – Facebook (and just about every other free Web service) has built a business on that saying and its implications, and the European Commission is taking the social network to task for it. The EU is considering a ban on Facebook’s practice of selling demographic data to marketers and advertisers without specific permission from users. … Facebook is on track for $4.27 billion in revenue this year, largely due to its wildly successful ad platform. The company also has a full 16.3 percent of the overall share of U.S. online display ad revenue.”