FTC's Privacy Settlement With Facebook Gets Pretty Much Everything Backwards; Probably Helps Facebook

from the guys-come-on dept

So, as was leaked a couple of weeks ago, the FTC has now made its $5 billion settlement with Facebook official. There’s quite a bit that’s interesting in the stipulated order that is worth reading. I’m actually glad to see that this wasn’t just about Cambridge Analytica, where I think the “breach” issue was much less concrete. Instead, it does include a bunch of other very real violations by Facebook, including:

  1. Storing passwords in plaintext
  2. Using phone numbers that were provided for security (two factor authentication) for advertising (a massively dangerous and stupid practice by Facebook)
  3. Its questionable use of facial recognition without consent
  4. Sucking up logins to other services.

Frankly, all of those are much more serious breaches than what happened with Cambridge Analytica.

Separately, as I discussed two weeks ago, if you’re mad at the size of the fine, you’re missing the point. This is, by far, the largest fine the FTC has ever issued, and goes way beyond anything that it’s done before. The real problem is that this is basically all that the FTC can do. That’s the only weapon it has and it’s never going to be enough because the FTC isn’t really set up to handle modern privacy questions like this — and that would require a new mandate from Congress. This is in Congress’s court.

That said, my bigger concern, as always, is that everyone’s obsession over “protecting privacy” is going to mean significantly less competition. I raised this issue last year, soon after everyone freaked out about Cambridge Analytica, noting that I feared what would happen is that Facebook would be driven to lock down everyone’s data rather than making it more accessible to third party and competing services.

There are significant and important trade-offs here. For years now I’ve been talking about the real way to create more competition on the internet, and much of it involves pressuring the big internet companies into opening up. Have them create APIs that allow others to build services on top of their data so that we’re not so locked into the giant platforms. Enable more competition at the service level, rather than the data collection level.

But this agreement does the opposite. It is basically giving up and saying that the FTC and regulators now think that Facebook will be the dominant platform for ages, and therefore it needs to better police data and better lock it down. This is not a good solution (except if you’re Facebook). As former Facebook CSO Alex Stamos points out in a very thoughtful thread, while this is a slap on the wrist regarding Facebook’s problematic privacy practices, it actually helps stop future competition:

The real threat to the tech giants is competition, not regulation, and everybody is missing what really happened today: Facebook paid the FTC $5B for a letter that says “You never again have to create mechanisms that could facilitate competition.”

Facebook already has ~2.5B users. It has the world’s second largest ad network. It never again needs data from anybody else to make money or third parties to facilitate growth. This order doesn’t include the word competition or include any balancing tests. It’s fantastic for FB.

“You need to allow for 3rd party clients.”

Sorry, mean FTC won’t let us.

“Other companies can build on your graph.”

Sorry, mean FTC won’t let us.

“You need a real data export feature that allows users to move.”

Sorry, mean FTC won’t let us.

I can’t believe Facebook didn’t pay more for this. If the FTC offered to “order” Amazon to help consumers save money by offering house branded options in every top category, Bezos would leap across the table with a $10B check and a massive grin. This is a natural consequence of the shallow nature of the “techlash”. The US doesn’t have a substantive privacy law, and the FTC has to base work on what they consider unfair or misleading practices. If critics don’t understand the equities balance, they can’t balance equities. This isn’t binding on other companies, but it will be interesting to see if they use this as a reason to reduce APIs and favor their own apps. The data stolen and exported to the cloud (GPS, SMS, contacts, mail, calendar) from Android/iOS dwarfs SCL/CA.

This is part of the problem I keep trying to highlight. When your only focus is on punishing big tech companies like Facebook, be careful about how you do so, because there are so many important tradeoffs that, if you don’t pay attention to what you’re doing, all you really end up doing is locking them in as the dominant platforms.

And that’s really what’s happening there. Our lack of understanding about privacy or about data and “ownership” will lead people to a very dangerous place, where we make short term decisions — such as what happened here — that are focused on “punishing” one particular set of companies for one particular set of actions (many of which were really bad). But the end result is even worse. You’ve set up the system such that the only logical and reasonable way out of this bad situation is foreclosed.

The best way out of Facebook’s dominance is to have it give up total control over the data it collects. But, here, the FTC has done the reverse. It has given Facebook more control over the data it collects in the name of “protecting” privacy. This is backwards. Rather than saying that Facebook shouldn’t be the one protecting all that data, the FTC is just saying “protect it better, and don’t let any other service be allowed to come in and do anything.” And that includes the kinds of competitive services that are necessary to eat away at Facebook’s position.

I know a lot of people are mad the fine wasn’t larger, but the fine doesn’t matter. All that really matters is whether or not competitive services are enabled, and this agreement forecloses the best way to actually chip away at Facebook’s market position. And that’s the real shame.

Companies: facebook


Comments on “FTC's Privacy Settlement With Facebook Gets Pretty Much Everything Backwards; Probably Helps Facebook”

Menschen is my name in Sheboygan says:

Just exactly HOW privacy can be protected WITHOUT "lock down"?

That said, my bigger concern, as always, is that everyone’s obsession over "protecting privacy" is going to mean significantly less competition. I raised this issue last year, soon after everyone freaked out about Cambridge Analytica, noting that I feared what would happen is that Facebook would be driven to lock down everyone’s data rather than making it more accessible to third party and competing services.

I’ll not wait, as can’t be done.

You’ve outdone yourself this time.

Darkness Of Course (profile) says:

FTC is not consumer based

It is the Trade Commission. It only has two hammers, one is financial, the other is agreements that have little weight over extended periods. So their focus on a big fine is understandable. And wrong.

A federal law regulating exactly what privacy means, and how people own their own data is needed. With the lack of technology abilities in the legislature there is zero chance of that happening. Well, at least zero chance of it happening correctly.

Anonymous Coward says:

Re: FTC is not consumer based

FTC is a ponderous, ineffective, counter-productive Federal bureaucracy.

more Federal laws or regulations are not a solution

competition is indeed the solution — you achieve that by removing the existing barriers to competition

the primary barriers to competition are the massive existing government interventions into these markets

Federal/state/local governments have made a mess of things and will continue to do so if left to their own confusions

ECA (profile) says:

I've seen more imagination...

In old games trying to protect themselves, than Much of the internet has remembered..
There are Many many imaginative things you can do to protect data from being seen, found, Hacked into than there are gods in the heavens..
And the only thing in all of this is that Someone gave the data.. not hacked it.
The Biggest problem in all of this is matching the data and the AMOUNTS of data.
Giving away addresses is 1 thing, giving away NAMES is another, Giving ALL OF IT, is giving away a person's identity in this country. this is more data than even the DOT/DMV requires..

Separating it, and spreading the data around, would help, scrambling it around to mis-match it would help, hiding it, and convoluting the data would help…
requiring a Specific program to be run under an alternative program to combine and put things back together, would be wonderful..

But Corps make money with DATA… and it's the AMOUNT of data given. FB, being a social platform can create a Massive data base of all we say and do.. what we like and everything.. it could be used in many ways..
The problems are HOW MUCH DATA, HOW MUCH is Given, and who is buying for what purpose..

And I have said before that the old phone system had protections, and NOW thinking you have any is beyond stupid..
And it will force the major corps to do other stupid things, for reasons. All your data has escaped, your data is now free to anyone that can pay for it. Many Credit/debit cards are exposed and all your data being matched up..
so what can a Corp do to PROVE it was you that used your card??
Facial ID and a ChIp in your body..(starting to feel like a lost pet to a rich person) Corps and banks are going to have a lot of fun, for the next few years..
Paying off the states to NOT restrict Facial ID, is going to cost them.
I hate being paranoid..

Urza9814 (profile) says:


I think you’ve got your logic a bit backwards.

Part of what this fine does is discourage harvesting so much data in the first place. That is good. And they should be fined — massively and repeatedly — for any data that leaks out, particularly when they didn’t necessarily need that data in the first place.

Any data collection and retention is a risk. The way to solve that risk is NOT to allow everyone to spread that data far and wide to anyone who wants it. The way to solve that risk is to make collection and retention of data so expensive that companies won’t do it unless absolutely necessary. What we want is for companies to be saying "How can we do this without the data ever leaving the user’s device so that we don’t end up being liable if that data leaks?"

Also, how the heck are you conflating an end user retrieving their own data with companies sharing massive marketing portfolios of other peoples’ information? Are you TRYING to spread misinformation or are you just not thinking?

ECA (profile) says:

Re: Backwards...

because this is 1 event in a Huge number that have happened..
And 1 was the Social sec Site when first created, and the major credit Bureau..
A ton of medical sites have been hit.

And this is locking the Door after the horse has gone.
its already happened.
The Laws of privacy have not been enforced..let alone the demand from sites is getting Stupid, for data needed just to create accounts.

Anonymous Coward says:

Re: Re: Re: Backwards...

I heard that Robert Mueller is going to run for president, with Mark Zuckerberg as his running mate, focused on an agenda of establishing basic minimum guaranteed income, but actually fronting for the Russians to forward their diabolical agenda. Think about it – if Zuckerberg got universal basic income passed through Congress, people would have more money to buy things ON FACEBOOK! That’s diabolical, isn’t it?

Anonymous Coward says:

Re: Re: Re:3 Do you smell toast?

Look, I watched Mueller today, he was compelling, organized, insightful, and ready to take on this president and put an end to his obvious and open collusion with the Russians. He can’t collude with the Russians, that’s Hillary’s job! SHE PAID THE RUSSIANS! A LOT!

And Facebook took money from the Russians, too! They SAID SO, in Court! RUSSIAN MONEY FOR FACEBOOK. Billions and Billions of Rubles (how much is that, by the way?) Well, Russian money made its way to Facebook, that’s for sure, and they used it to pay off the FDA! OR maybe the FTC! Or the CIA, FBI, CBS, News at 5. All the same.


Stroke, smoke, you are a lunatic if you don’t think Facebook published Russian Dis-Information and Mueller had Hillary’s attorney on his team! What does that tell you?

Now you’re embarrassed, aren’t you? I have always believed that facts have a power all of their own and they can speak for themselves.


urza9814 says:

Re: Re: Re: Backwards...

Alright, I may have misread your article a bit and come away thinking you opposed any such regulation, rather than merely wanting the consequences to be different.

But I still don’t see what consequences you think would help. Facebook has no incentive right now to promote open access to their data. At one point in time they did, as that is what drove the adoption and spread of the platform in the first place. And maybe in certain markets (games, for example) they still try to allow limited sharing in order to keep ahead of the competition that they haven’t yet defeated. But they have no reason to open up free access to most of their data. They have no reason to allow a competitor to simply pull my data and mirror my profile elsewhere. I don’t see any way to create that incentive without making the mere collection and storage of that data a significant financial risk. What, exactly, would you propose instead?

urza9814 (profile) says:

Re: Re: Re:3 Backwards...

So in that post, he argues that one of the major reasons why companies might want to voluntarily break up the platform and build a protocol instead is to avoid liability — which is exactly what I think this ruling does, as I’ve explained above. And yet in this post, he seems to also be arguing against the current attempts to hold these platforms liable for their behavior. Apparently they don’t need fines, they need competition, and they’ll be motivated to create systems that enable that competition when they’re held liable for their actions through….some undefined consequence that is not fines, apparently? Or fines for other behavior that is not currently illegal through some unspecified law? I don’t see where that argument is supposed to be going.

If you want protocols instead of platforms, then you want to discourage collection of the data in the first place. Punishing a corporation for spreading their massive database of other peoples’ information is not the same as discouraging decentralized systems. It’s an entirely different kind of sharing. What we need to punish — and what this ruling DOES punish in part — is the centralized collection of data. You can’t get sued for giving away data if you don’t possess the data in the first place. Anything that increases the potential liability for those compiling these huge datastores is a great step forward IMO.

Thad (profile) says:

Re: Re:

It weakens trust. In the same way that HP pushing "security updates" that disable third-party ink cartridges weakens trust.

If you tell customers that you’re doing something for security purposes, then you had damn-well better only use it for security purposes. If customers feel that they have been misled by claims that a company is doing something for security purposes, then they’re less likely to trust similar claims in the future. Maybe they won’t use 2FA next time. Maybe they won’t install that security update next time.
