FTC's Privacy Settlement With Facebook Gets Pretty Much Everything Backwards; Probably Helps Facebook
from the guys-come-on dept
So, as was leaked a couple of weeks ago, the FTC has now made its $5 billion settlement with Facebook official. There's quite a bit that's interesting in the stipulated order that is worth reading. I'm actually glad to see that this wasn't just about Cambridge Analytica, where I think the "breach" issue was much less concrete. Instead, it does include a bunch of other very real violations by Facebook, including:
- Storing passwords in plaintext
- Using phone numbers that were provided for security (two factor authentication) for advertising (a massively dangerous and stupid practice by Facebook)
- It's questionable use of facial recognition without consent
- Sucking up logins to other services.
Separately, as I discussed two weeks ago, if you're mad at the size of the fine, you're missing the point. This is, by far, the largest fine the FTC has ever issued, and goes way beyond anything that it's done before. The real problem is that this is basically all that the FTC can do. That's the only weapon it has and it's never going to be enough because the FTC isn't really set up to handle modern privacy questions like this -- and that would require a new mandate from Congress. This is in Congress's court.
That said, my bigger concern, as always, is that everyone's obsession over "protecting privacy" is going to mean significantly less competition. I raised this issue last year, soon after everyone freaked out about Cambridge Analytica, noting that I feared what would happen is that Facebook would be driven to lock down everyone's data rather than making it more accessible to third party and competing services.
There are significant and important trade-offs here. For years now I've been talking about the real way to create more competition on the internet, and much of it involves pressuring the big internet companies into opening up. Have them create APIs that allow others to build services on top of their data so that we're not so locked into the giant platforms. Enable more competition at the service level, rather than the data collection level.
But this agreement does the opposite. It is basically giving up and saying that the FTC and regulators now think that Facebook will be the dominant platform for ages, and therefore it needs to better police data and better lock it down. This is not a good solution (except if you're Facebook). As former Facebook CSO Alex Stamos points out in a very thoughtful thread, while this is a slap on the wrist regarding Facebook's problematic privacy practices, it actually helps stop future competition:
The real threat to the tech giants is competition, not regulation, and everybody is missing what really happened today: Facebook paid the FTC $5B for a letter that says "You never again have to create mechanisms that could facilitate competition."
Facebook already has ~2.5B users. It has the world's second largest ad network. It never again needs data from anybody else to make money or third parties to facilitate growth. This order doesn't include the word competition or include any balancing tests. It's fantastic for FB.
"You need to allow for 3rd party clients."
Sorry, mean FTC won't let us.
"Other companies can build on your graph."
Sorry, mean FTC won't let us.
"You need a real data export feature that allows users to move."
Sorry, mean FTC won't let us.
I can't believe Facebook didn't pay more for this. If the FTC offered to "order" Amazon to help consumers save money by offering house branded options in every top category, Bezos would leap across the table with a $10B check and a massive grin. This is a natural consequence of the shallow nature of the "techlash". The US doesn't have a substantive privacy law, and the FTC has to base work on what they consider unfair or misleading practices. If critics don't understand the equities balance, they can't balance equities. This isn't binding on other companies, but it will be interesting to see if they use this as a reason to reduce APIs and favor their own apps. The data stolen and exported to the cloud (GPS, SMS, contacts, mail, calendar) from Android/iOS dwarfs SCL/CA.
This is part of the problem I keep trying to highlight. When your only focus is on punishing big tech companies like Facebook, be careful about how you do so, because there are so many important tradeoffs, that if you don't pay attention to what you're doing, all you really end up doing is locking them in as the dominant platforms.
And that's really what's happening there. Our lack of understanding about privacy or about data and "ownership" will lead people to a very dangerous place, where we make short term decisions -- such as what happened here -- that are focused on "punishing" one particular set of companies for one particular set of actions (many of which were really bad). But the end result is even worse. You've set up the system such that the only logical and reasonable way out of this bad situation is foreclosed.
The best way out of Facebook's dominance is to have it give up total control over the data it collects. But, here, the FTC has done the reverse. It has given Facebook more control over the data it collects in the name of "protecting" privacy. This is backwards. Rather than saying that Facebook shouldn't be the one protecting all that data, the FTC is just saying "protect it better, and don't let any other service be allowed to come in and do anything." And that includes the kinds of competitive services that are necessary to eat away at Facebook's position.
I know a lot of people are mad the fine wasn't larger, but the fine doesn't matter. All that really matters is whether or not competitive services are enabled or not, and this agreement forecloses the best way to actually chip away at Facebook's market position. And that's the real shame.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: apis, competition, fines, ftc, openness, privacy, regulations, settlement, sharing
Companies: facebook
Reader Comments
Subscribe: RSS
View by: Time | Thread
Just exactly HOW privacy can be protected WITHOUT "lock down"?
I'll not wait, as can't be done.
You've outdone yourself this time.
[ link to this | view in thread ]
Interesting to see how that interacts with the mean GDPR that says they are required to have a data export feature. At least for Europeans.
[ link to this | view in thread ]
Re: Just exactly HOW privacy can be protected WITHOUT "lock down
You don't seem to understand the difference between "lock down" and "protected access". They are not the same thing and both protect privacy equally when done correctly. One just actually allows the user who owns the data to decide what to do with it.
[ link to this | view in thread ]
FTC is not consumer based
It is the Trade Commission. It only has two hammers, one is financial, the other is agreements that have little weight over extended periods. So their focus on a big fine is understandable. And wrong.
A federal law regulating exactly what privacy means, and how people own their own data is needed. With the lack of technology abilities in the legislature there is zero chance of that happening. Well, at least zero chance of it happening correctly.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
Might also need to remove the space before the opening tag's "a"
[ link to this | view in thread ]
Iv seen more imagination...
In old games trying to protect themselves, then Much of the internet has remembered..
There are Many many imaginative things you can do to protect data from being seen, found, Hacked into then there are gods in the heavens..
And the only thing in all of this is that Someone gave the data.. not hacked it.
The Biggest problem in all of this is matching the data and the AMOUNTS of data.
Giving away addresses is 1 thing, giving away NAMES is another, Giving ALL OF IT, is giving away a persons identity in this country. this is more data then even the DOT/DMV requires..
Separating it, and spreading the data around, would help, scrambling is around to mis-match it would help, hiding it, and convoluting the data would help...
requiring a Specific program to be run under an alternative program to combine and put things back together, would be wonderful..
But Corps make money with DATA... and its the AMOUNT of data given. FB, being a social platform can create a Massive data base of all we say and do.. what we like and everything.. it could be used in many ways..
The problems are HOW MUCH DATA, HOW MUCH is Given, and who is buying for what purpose..
And I have said before that the old phone system had protections, and NOW thinking you have any is beyond stupid..
And it will force the major corps to do other stupid things, for reasons. All you data has escaped, your data is now free to anyone that can pay for it. Many Credit/debit cards are exposed and all your data being matched up..
so what can a Corp do to PROVE it was you that used your card??
Facial ID and a ChIp in your body..(starting to feel like a lost pet to a rich person) Corps and banks are going to have allot of fun, for the next few years..
Paying off the states to NOT restrict Facial ID, is going to cost them.
I hate being paranoid..
[ link to this | view in thread ]
Backwards...
I think you've got your logic a bit backwards.
Part of what this fine does is discourage harvesting so much data in the first place. That is good. And they should be fined -- massively and repeatedly -- for any data that leaks out, particularly when they didn't necessarily need that data in the first place.
Any data collection and retention is a risk. The way to solve that risk is NOT to allow everyone to spread that data far and wide to anyone who wants it. The way to solve that risk is to make collection and retention of data so expensive that companies won't do it unless absolutely necessary. What we want is for companies to be saying "How can we do this without the data ever leaving the user's device so that we don't end up being liable if that data leaks?"
Also, how the heck are you conflating an end user retrieving their own data with companies sharing massive marketing portfolios of other peoples' information? Are you TRYING to spread misinformation or are you just not thinking?
[ link to this | view in thread ]
Re: FTC is not consumer based
FTC is a ponderous, ineffective, counter-productive Federal bureaucracy.
more Federal laws or regulations are not a solution
competition is indeed the solution -- you achieve that by removing the existing barriers to competition
the primary barriers to competition are the massive existing government interventions into these markets
Federal/state/local governments have made a mess of things and will continue to do so if left to their own confusions
[ link to this | view in thread ]
Re: Just exactly HOW privacy can be protected WITHOUT "lock down
Just exactly HOW privacy can be protected WITHOUT "lock down"?
Let the users lock it down, rather than handing it over to a giant data-sucking machine. That means giving the users the control over the data, determining who can access it and for what reasons.
[ link to this | view in thread ]
Re: Re: FTC is not consumer based
_you achieve that by removing the existing barriers to competition
the primary barriers to competition are the massive existing government interventions into these markets_
What massive governmental barriers block access to starting a new social network?
[ link to this | view in thread ]
Re: Backwards...
because this is 1 event in a Huge number that have happened..
And 1 was the Social sec Site when first created, and the major credit Bureau..
A ton of medical sites have been hit.
And this is locking the Door after the horse has gone.
its already happened.
The Laws of privacy have not been enforced..let alone the demand from sites is getting Stupid, for data needed just to create accounts.
[ link to this | view in thread ]
Re: Backwards...
I think you've misunderstood his point. Mike is not arguing that Facebook should be allowed to spread user data around to anyone who wants it. He's arguing that users should be in control, and should have the ability to use third party tools to manage their data if they want to.
[ link to this | view in thread ]
Re: Re: Backwards...
Yes, this.
[ link to this | view in thread ]
Re: Just exactly HOW ignorant a motherfucker can you be?
Sup coward. Why won’t you answer questions?
[ link to this | view in thread ]
Re: Re: Re: Backwards...
I heard that Robert Mueller is going to run for president, with Mark Zuckerberg as his running mate, focused on an agenda of establishing basic minimum guaranteed income, but actually fronting for the Russians to forward their diabolical agenda. Think about it - if Zuckerberg got universal basic income passed through Congress, people would have more money to buy things ON FACEBOOK! That’s diabolical, isn’t it?
[ link to this | view in thread ]
Re: Do you smell toast?
I think you should probably call 911 as it sounds very much like you are having a stroke.
[ link to this | view in thread ]
Re: Re: Do you smell toast?
Look, I watched Mueller today, he was compelling, organized, insightful, and ready to take on this president and put an end to his obvious and open collusion with the Russians. He can’t collude with the Russians, that’s Hillary’s job! SHE PAID THE RUSSIANS! A LOT!
And Facebook took money from the Russians, too! They SAID SO, in Court! RUSSIAN MONEY FOR FACEBOOK. Billions and Billions of Rubles (how much is that, by the way?) Well, Russian money made it’s way to Facebook, that’s for sure, and they used it to pay off the FDA! OR maybe the FTC! Or the CIA, FBI, CBS, News at 5. All the same.
Hillary PAID FOR IT. The FBI PAID FOR IT! The American People PAID FOR IT! PAIDPAIDPAID!
Stroke, smoke, you are a lunatic if you don’t think Facebook published Russian Dis-Information and Mueller had Hilary’s attorney on his team! What does that tell you?
Now you’re embarrassed, aren’t you? I have always believed that facts have a power all of their own and they can speak for themselves.
Just ask Nunes! FACTS! FACTS! YOU’RE TOAST!
[ link to this | view in thread ]
Btc to dollar
https://www.bitcoinscashout.com/bitcoin-to-usd.php
Btc to dollar provides fastest exchange from bitcoins to cash in just few minutes, without any problem and authentication.You are supposed to visit our website for proper peace of mind and a secure transaction as well.
[ link to this | view in thread ]
I agree that this was massively stupid and unethical, but I don't quite see how it's dangerous. Can you elaborate?
[ link to this | view in thread ]
Re:
It weakens trust. In the same way that HP pushing "security updates" that disable third-party ink cartridges weakens trust.
If you tell customers that you're doing something for security purposes, then you had damn-well better only use it for security purposes. If customers feel that they have been misled by claims that a company is doing something for security purposes, then they're less likely to trust similar claims in the future. Maybe they won't use 2FA next time. Maybe they won't install that security update next time.
[ link to this | view in thread ]
Re: Re: Re: FTC is not consumer based
Facebook beating you over the head with the CFAA if you try to get at peoples' Facebook friend lists? Without expansive CFAA interpretations, all Facebook could do is sit and sulk.
[ link to this | view in thread ]
Re: Re: Re: Backwards...
Alright, I may have misread your article a bit and come away thinking you opposed any such regulation, rather than merely wanting the consequences to be different.
But I still don't see what consequences you think would help. Facebook has no incentive right now to promote open access to their data. At one point in time they did, as that is what drove the adoption and spread of the platform in the first place. And maybe in certain markets (games, for example) they still try to allow limited sharing in order to keep ahead of the competition that they haven't yet defeated. But they have no reason to open up free access to most of their data. They have no reason to allow a competitor to simply pull my data and mirror my profile elsewhere. I don't see any way to create that incentive without making the mere collection and storage of that data a significant financial risk. What, exactly, would you propose instead?
[ link to this | view in thread ]
Re: Re: Re: Re: Backwards...
Here's at least one of his ideas on how to improve the competitive landscape in social media:
https://www.techdirt.com/articles/20190309/00004641769/how-to-actually-break-up-big-tech.shtm l
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Backwards...
So in that post, he argues that one of the major reasons why companies might want to voluntarily break up the platform and build a protocol instead is to avoid liability -- which is exactly what I think this ruling does, as I've explained above. And yet in this post, he seems to also be arguing against the current attempts to hold these platforms liable for their behavior. Apparently they don't need fines, they need competition, and they'll be motivated to create systems that enable that competition when they're held liable for their actions through....some undefined consequence that is not fines, apparently? Or fines for other behavior that is not currently illegal through some unspecified law? I don't see where that argument is supposed to be going.
If you want protocols instead of platforms, then you want to discourage collection of the data in the first place. Punishing a corporation for spreading their massive database of other peoples' information is not the same as discouraging decentralized systems. It's an entirely different kind of sharing. What we need to punish -- and what this ruling DOES punish in part -- is the centralized collection of data. You can't get sued for giving away data if you don't possess the data in the first place. Anything that increases the potential liability for those compiling these huge datastores is a great step forward IMO.
[ link to this | view in thread ]