woensdag 30 november 2011

Facebook mag de wet niet meer overtreden

Precies acht maanden geleden schreef ik over de schikking die Google met de Federal Trade Commission (FTC) gesloten had over de misleidende privacy-beloften ten aanzien van Buzz. En gisteren maakte de FTC bekend een gelijksoortige schikking met Facebook te willen sluiten. De Commission heeft onder andere vastgesteld dat:

  • In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn't warn users that this change was coming, or get their approval in advance.
  • Facebook represented that third-party apps that users' installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data – data the apps didn't need.
  • Facebook told users they could restrict sharing of data to limited audiences – for example with "Friends Only." In fact, selecting "Friends Only" did not prevent their information from being shared with third-party applications their friends used.
  • Facebook had a "Verified Apps" program & claimed it certified the security of participating apps. It didn't.
  • Facebook promised users that it would not share their personal information with advertisers. It did.
  • Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
  • Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn't.
In de voorgestelde schikking staat onder andere:
  • barred from making misrepresentations about the privacy or security of consumers' personal information;
  • required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
  • required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
  • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
  • required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.
En er staan nog een paar interessante dingen in het persbericht. Het ene is dat in de schikking ook "standard record-keeping provisions" zijn opgenomen, die er voor moeten zorgen dat de FTC de komende jaren kan controleren of Facebook zich aan de afspraken houdt.
Het andere opvallende is dat de schikking nog slechts een "voorstel" is. Tot 30 december kan iedereen commentaar geven op de tekst van de schikking. Daarna zal de FTC de schikking pas definitief maken.
Opmerkingen kunnen digitaal ingediend worden en uiteraard ook analoog. Maar:
The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
Google, Buzz, privacy en liegen
Schaduwprofielen bij Facebook (en Google)

Plaatje: Facebook's privacy policy explained van Weisunc (naar aanleiding van
Facebook Privacy: A Bewildering Tangle of Options)

Geen opmerkingen:

Een reactie posten