"We've made a bunch of mistakes" on privacy, Facebook CEO Mark Zuckerberg has admitted.
It turns out Facebook is just as bad as Google when it comes to data-handling. And the result is to sit next to Mountain View on the Federal Trade Commission's naughty step by agreeing to a bi-annual privacy review for the next 20 years.
In a lengthy blog post, Zuckerberg responded to the FTC proposed settlement – which is now subject to public comment for the next 30 days before any consent from the Commission can be finalised – by listing a number of privacy screw-ups at the social network.
"In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done," he wrote.
"I also understand that many people are just naturally skeptical of what it means for hundreds of millions of people to share so much personal information online, especially using any one service.
"Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected. It's important for people to think about this, and not one day goes by when I don't think about what it means for us to be the stewards of this community and their trust."
The FTC noted in its statement that Facebook had agreed to settle with the commission on charges that the dominant social network "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public".
Zuckerberg, unsurprisingly, was at pains to insist that his privately-held company – which could be worth as much as £100bn according to some estimates – was "committed to being transparent" about the user data it stores.
From now on in, under the agreement with the FTC, Facebook will be required to be clear about changes it makes to the website, including providing "prominent notice" to users.
The outfit will also be expected to obtain "express consent" before a user's information is shared beyond privacy settings already established by an individual connected to the network, the commission said.
An eight-count complaint (PDF) issued by the FTC against Facebook, held that the company "was unfair and deceptive, and violated federal law."
Here's a list of instances in which Facebook allegedly failed to keep promises it had made to its users about their data:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn't warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users had installed would have access only to the user information that they needed to operate. In fact, the apps could access nearly all of users' personal data – data the apps didn't need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with 'Friends Only'. In fact, selecting 'Friends Only' did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a 'Verified Apps' program, which claimed it certified the security of participating apps. It didn't.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the US - EU Safe Harbor Framework that governs data transfer between the US and the European Union. It didn't.
Zuckerberg, in his mea culpa, said that "privacy principles" recently developed by the company were "written very deeply into our code."
He added: "We do privacy access checks literally tens of billions of times each day to ensure we're enforcing that only the people you want see your content."
The Facebook boss, whose story was dramatised in the Hollywood movie The Social Network, said that the company had already fixed many of the privacy cock-ups users had complained about.
"Even before the agreement announced by the FTC today, Facebook had already proactively addressed many of the concerns the FTC raised. For example, their complaint to us mentioned our Verified Apps Program, which we canceled almost two years ago in December 2009," Zuckerberg defensively noted.
"The same complaint also mentions cases where advertisers inadvertently received the ID numbers of some users in referrer URLs. We fixed that problem over a year ago in May 2010."
The Facebook co-founder and CEO said that he would have two existing employees on his books who would focus on his commitments to protect information shared on the site "better than any other company in the world".
Zuckerberg said he was looking forward to working with the FTC on implementing terms of the proposed settlement.
In the early days of Facebook, it was a very different story. Zuckerberg once described his then fledgling stalkerbase as "dumb fucks" for trusting him with sharing their data online. How things have changed, right? ®