FTC's Privacy Settlement With Facebook Gets Pretty Much Everything Backwards; Probably Helps Facebook

from the guys-come-on dept

So, as was leaked a couple of weeks ago, the FTC has now made its $5 billion settlement with Facebook official. There's quite a bit that's interesting in the stipulated order that is worth reading. I'm actually glad to see that this wasn't just about Cambridge Analytica, where I think the "breach" issue was much less concrete. Instead, it does include a bunch of other very real violations by Facebook, including:

  1. Storing passwords in plaintext
  2. Using phone numbers that were provided for security (two factor authentication) for advertising (a massively dangerous and stupid practice by Facebook)
  3. It's questionable use of facial recognition without consent
  4. Sucking up logins to other services.
Frankly, all of those are much more serious breaches than what happened with Cambridge Analytica.

Separately, as I discussed two weeks ago, if you're mad at the size of the fine, you're missing the point. This is, by far, the largest fine the FTC has ever issued, and goes way beyond anything that it's done before. The real problem is that this is basically all that the FTC can do. That's the only weapon it has and it's never going to be enough because the FTC isn't really set up to handle modern privacy questions like this -- and that would require a new mandate from Congress. This is in Congress's court.

That said, my bigger concern, as always, is that everyone's obsession over "protecting privacy" is going to mean significantly less competition. I raised this issue last year, soon after everyone freaked out about Cambridge Analytica, noting that I feared what would happen is that Facebook would be driven to lock down everyone's data rather than making it more accessible to third party and competing services.

There are significant and important trade-offs here. For years now I've been talking about the real way to create more competition on the internet, and much of it involves pressuring the big internet companies into opening up. Have them create APIs that allow others to build services on top of their data so that we're not so locked into the giant platforms. Enable more competition at the service level, rather than the data collection level.

But this agreement does the opposite. It is basically giving up and saying that the FTC and regulators now think that Facebook will be the dominant platform for ages, and therefore it needs to better police data and better lock it down. This is not a good solution (except if you're Facebook). As former Facebook CSO Alex Stamos points out in a very thoughtful thread, while this is a slap on the wrist regarding Facebook's problematic privacy practices, it actually helps stop future competition:

The real threat to the tech giants is competition, not regulation, and everybody is missing what really happened today: Facebook paid the FTC $5B for a letter that says "You never again have to create mechanisms that could facilitate competition."

Facebook already has ~2.5B users. It has the world's second largest ad network. It never again needs data from anybody else to make money or third parties to facilitate growth. This order doesn't include the word competition or include any balancing tests. It's fantastic for FB.

"You need to allow for 3rd party clients."

Sorry, mean FTC won't let us.

"Other companies can build on your graph."

Sorry, mean FTC won't let us.

"You need a real data export feature that allows users to move."

Sorry, mean FTC won't let us.

I can't believe Facebook didn't pay more for this. If the FTC offered to "order" Amazon to help consumers save money by offering house branded options in every top category, Bezos would leap across the table with a $10B check and a massive grin. This is a natural consequence of the shallow nature of the "techlash". The US doesn't have a substantive privacy law, and the FTC has to base work on what they consider unfair or misleading practices. If critics don't understand the equities balance, they can't balance equities. This isn't binding on other companies, but it will be interesting to see if they use this as a reason to reduce APIs and favor their own apps. The data stolen and exported to the cloud (GPS, SMS, contacts, mail, calendar) from Android/iOS dwarfs SCL/CA.

This is part of the problem I keep trying to highlight. When your only focus is on punishing big tech companies like Facebook, be careful about how you do so, because there are so many important tradeoffs, that if you don't pay attention to what you're doing, all you really end up doing is locking them in as the dominant platforms.

And that's really what's happening there. Our lack of understanding about privacy or about data and "ownership" will lead people to a very dangerous place, where we make short term decisions -- such as what happened here -- that are focused on "punishing" one particular set of companies for one particular set of actions (many of which were really bad). But the end result is even worse. You've set up the system such that the only logical and reasonable way out of this bad situation is foreclosed.

The best way out of Facebook's dominance is to have it give up total control over the data it collects. But, here, the FTC has done the reverse. It has given Facebook more control over the data it collects in the name of "protecting" privacy. This is backwards. Rather than saying that Facebook shouldn't be the one protecting all that data, the FTC is just saying "protect it better, and don't let any other service be allowed to come in and do anything." And that includes the kinds of competitive services that are necessary to eat away at Facebook's position.

I know a lot of people are mad the fine wasn't larger, but the fine doesn't matter. All that really matters is whether or not competitive services are enabled or not, and this agreement forecloses the best way to actually chip away at Facebook's market position. And that's the real shame.

Filed Under: apis, competition, fines, ftc, openness, privacy, regulations, settlement, sharing
Companies: facebook


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • This comment has been flagged by the community. Click here to show it
    identicon
    Menschen is my name in Sheboygan, 24 Jul 2019 @ 11:30am

    Just exactly HOW privacy can be protected WITHOUT "lock down"?

    That said, my bigger concern, as always, is that everyone's obsession over "protecting privacy" is going to mean significantly less competition. I raised this issue last year, soon after everyone freaked out about Cambridge Analytica, noting that I feared what would happen is that Facebook would be driven to lock down everyone's data rather than making it more accessible to third party and competing services.

    I'll not wait, as can't be done.

    You've outdone yourself this time.

    reply to this | link to this | view in chronology ]

    • icon
      Cdaragorn (profile), 24 Jul 2019 @ 12:06pm

      Re: Just exactly HOW privacy can be protected WITHOUT "lock down

      You don't seem to understand the difference between "lock down" and "protected access". They are not the same thing and both protect privacy equally when done correctly. One just actually allows the user who owns the data to decide what to do with it.

      reply to this | link to this | view in chronology ]

    • icon
      Mike Masnick (profile), 24 Jul 2019 @ 1:48pm

      Re: Just exactly HOW privacy can be protected WITHOUT "lock down

      Just exactly HOW privacy can be protected WITHOUT "lock down"?

      Let the users lock it down, rather than handing it over to a giant data-sucking machine. That means giving the users the control over the data, determining who can access it and for what reasons.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 24 Jul 2019 @ 7:36pm

      Re: Just exactly HOW ignorant a motherfucker can you be?

      Sup coward. Why won’t you answer questions?

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Jul 2019 @ 11:33am

    Interesting to see how that interacts with the mean GDPR that says they are required to have a data export feature. At least for Europeans.

    reply to this | link to this | view in chronology ]

  • icon
    Darkness Of Course (profile), 24 Jul 2019 @ 12:28pm

    FTC is not consumer based

    It is the Trade Commission. It only has two hammers, one is financial, the other is agreements that have little weight over extended periods. So their focus on a big fine is understandable. And wrong.

    A federal law regulating exactly what privacy means, and how people own their own data is needed. With the lack of technology abilities in the legislature there is zero chance of that happening. Well, at least zero chance of it happening correctly.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 24 Jul 2019 @ 1:45pm

      Re: FTC is not consumer based

      FTC is a ponderous, ineffective, counter-productive Federal bureaucracy.

      more Federal laws or regulations are not a solution

      competition is indeed the solution -- you achieve that by removing the existing barriers to competition

      the primary barriers to competition are the massive existing government interventions into these markets

      Federal/state/local governments have made a mess of things and will continue to do so if left to their own confusions

      reply to this | link to this | view in chronology ]

      • icon
        Gary (profile), 24 Jul 2019 @ 2:21pm

        Re: Re: FTC is not consumer based

        _you achieve that by removing the existing barriers to competition

        the primary barriers to competition are the massive existing government interventions into these markets_

        What massive governmental barriers block access to starting a new social network?

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 25 Jul 2019 @ 9:20am

          Re: Re: Re: FTC is not consumer based

          Facebook beating you over the head with the CFAA if you try to get at peoples' Facebook friend lists? Without expansive CFAA interpretations, all Facebook could do is sit and sulk.

          reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Jul 2019 @ 12:39pm

    Missing a closing anchor tag for the link at the beginning of the article. Needs one of these: </a>

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 24 Jul 2019 @ 12:55pm

    Iv seen more imagination...

    In old games trying to protect themselves, then Much of the internet has remembered..
    There are Many many imaginative things you can do to protect data from being seen, found, Hacked into then there are gods in the heavens..
    And the only thing in all of this is that Someone gave the data.. not hacked it.
    The Biggest problem in all of this is matching the data and the AMOUNTS of data.
    Giving away addresses is 1 thing, giving away NAMES is another, Giving ALL OF IT, is giving away a persons identity in this country. this is more data then even the DOT/DMV requires..

    Separating it, and spreading the data around, would help, scrambling is around to mis-match it would help, hiding it, and convoluting the data would help...
    requiring a Specific program to be run under an alternative program to combine and put things back together, would be wonderful..

    But Corps make money with DATA... and its the AMOUNT of data given. FB, being a social platform can create a Massive data base of all we say and do.. what we like and everything.. it could be used in many ways..
    The problems are HOW MUCH DATA, HOW MUCH is Given, and who is buying for what purpose..

    And I have said before that the old phone system had protections, and NOW thinking you have any is beyond stupid..
    And it will force the major corps to do other stupid things, for reasons. All you data has escaped, your data is now free to anyone that can pay for it. Many Credit/debit cards are exposed and all your data being matched up..
    so what can a Corp do to PROVE it was you that used your card??
    Facial ID and a ChIp in your body..(starting to feel like a lost pet to a rich person) Corps and banks are going to have allot of fun, for the next few years..
    Paying off the states to NOT restrict Facial ID, is going to cost them.
    I hate being paranoid..

    reply to this | link to this | view in chronology ]

  • identicon
    Urza9814, 24 Jul 2019 @ 1:30pm

    Backwards...

    I think you've got your logic a bit backwards.

    Part of what this fine does is discourage harvesting so much data in the first place. That is good. And they should be fined -- massively and repeatedly -- for any data that leaks out, particularly when they didn't necessarily need that data in the first place.

    Any data collection and retention is a risk. The way to solve that risk is NOT to allow everyone to spread that data far and wide to anyone who wants it. The way to solve that risk is to make collection and retention of data so expensive that companies won't do it unless absolutely necessary. What we want is for companies to be saying "How can we do this without the data ever leaving the user's device so that we don't end up being liable if that data leaks?"

    Also, how the heck are you conflating an end user retrieving their own data with companies sharing massive marketing portfolios of other peoples' information? Are you TRYING to spread misinformation or are you just not thinking?

    reply to this | link to this | view in chronology ]

    • icon
      ECA (profile), 24 Jul 2019 @ 2:31pm

      Re: Backwards...

      because this is 1 event in a Huge number that have happened..
      And 1 was the Social sec Site when first created, and the major credit Bureau..
      A ton of medical sites have been hit.

      And this is locking the Door after the horse has gone.
      its already happened.
      The Laws of privacy have not been enforced..let alone the demand from sites is getting Stupid, for data needed just to create accounts.

      reply to this | link to this | view in chronology ]

    • icon
      nasch (profile), 24 Jul 2019 @ 2:58pm

      Re: Backwards...

      I think you've misunderstood his point. Mike is not arguing that Facebook should be allowed to spread user data around to anyone who wants it. He's arguing that users should be in control, and should have the ability to use third party tools to manage their data if they want to.

      reply to this | link to this | view in chronology ]

      • icon
        Mike Masnick (profile), 24 Jul 2019 @ 4:05pm

        Re: Re: Backwards...

        Yes, this.

        reply to this | link to this | view in chronology ]

        • This comment has been flagged by the community. Click here to show it
          identicon
          Anonymous Coward, 24 Jul 2019 @ 7:38pm

          Re: Re: Re: Backwards...

          I heard that Robert Mueller is going to run for president, with Mark Zuckerberg as his running mate, focused on an agenda of establishing basic minimum guaranteed income, but actually fronting for the Russians to forward their diabolical agenda. Think about it - if Zuckerberg got universal basic income passed through Congress, people would have more money to buy things ON FACEBOOK! That’s diabolical, isn’t it?

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 24 Jul 2019 @ 10:19pm

            Re: Do you smell toast?

            I think you should probably call 911 as it sounds very much like you are having a stroke.

            reply to this | link to this | view in chronology ]

            • This comment has been flagged by the community. Click here to show it
              identicon
              Anonymous Coward, 24 Jul 2019 @ 11:00pm

              Re: Re: Do you smell toast?

              Look, I watched Mueller today, he was compelling, organized, insightful, and ready to take on this president and put an end to his obvious and open collusion with the Russians. He can’t collude with the Russians, that’s Hillary’s job! SHE PAID THE RUSSIANS! A LOT!

              And Facebook took money from the Russians, too! They SAID SO, in Court! RUSSIAN MONEY FOR FACEBOOK. Billions and Billions of Rubles (how much is that, by the way?) Well, Russian money made it’s way to Facebook, that’s for sure, and they used it to pay off the FDA! OR maybe the FTC! Or the CIA, FBI, CBS, News at 5. All the same.

              Hillary PAID FOR IT. The FBI PAID FOR IT! The American People PAID FOR IT! PAIDPAIDPAID!

              Stroke, smoke, you are a lunatic if you don’t think Facebook published Russian Dis-Information and Mueller had Hilary’s attorney on his team! What does that tell you?

              Now you’re embarrassed, aren’t you? I have always believed that facts have a power all of their own and they can speak for themselves.

              Just ask Nunes! FACTS! FACTS! YOU’RE TOAST!

              reply to this | link to this | view in chronology ]

        • identicon
          urza9814, 25 Jul 2019 @ 10:27am

          Re: Re: Re: Backwards...

          Alright, I may have misread your article a bit and come away thinking you opposed any such regulation, rather than merely wanting the consequences to be different.

          But I still don't see what consequences you think would help. Facebook has no incentive right now to promote open access to their data. At one point in time they did, as that is what drove the adoption and spread of the platform in the first place. And maybe in certain markets (games, for example) they still try to allow limited sharing in order to keep ahead of the competition that they haven't yet defeated. But they have no reason to open up free access to most of their data. They have no reason to allow a competitor to simply pull my data and mirror my profile elsewhere. I don't see any way to create that incentive without making the mere collection and storage of that data a significant financial risk. What, exactly, would you propose instead?

          reply to this | link to this | view in chronology ]

          • icon
            nasch (profile), 25 Jul 2019 @ 11:36am

            Re: Re: Re: Re: Backwards...

            Here's at least one of his ideas on how to improve the competitive landscape in social media:

            https://www.techdirt.com/articles/20190309/00004641769/how-to-actually-break-up-big-tech.shtm l

            reply to this | link to this | view in chronology ]

            • identicon
              urza9814, 26 Jul 2019 @ 8:51am

              Re: Re: Re: Re: Re: Backwards...

              So in that post, he argues that one of the major reasons why companies might want to voluntarily break up the platform and build a protocol instead is to avoid liability -- which is exactly what I think this ruling does, as I've explained above. And yet in this post, he seems to also be arguing against the current attempts to hold these platforms liable for their behavior. Apparently they don't need fines, they need competition, and they'll be motivated to create systems that enable that competition when they're held liable for their actions through....some undefined consequence that is not fines, apparently? Or fines for other behavior that is not currently illegal through some unspecified law? I don't see where that argument is supposed to be going.

              If you want protocols instead of platforms, then you want to discourage collection of the data in the first place. Punishing a corporation for spreading their massive database of other peoples' information is not the same as discouraging decentralized systems. It's an entirely different kind of sharing. What we need to punish -- and what this ruling DOES punish in part -- is the centralized collection of data. You can't get sued for giving away data if you don't possess the data in the first place. Anything that increases the potential liability for those compiling these huge datastores is a great step forward IMO.

              reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    icon
    Harry Orton (profile), 24 Jul 2019 @ 11:37pm

    Btc to dollar

    https://www.bitcoinscashout.com/bitcoin-to-usd.php
    Btc to dollar provides fastest exchange from bitcoins to cash in just few minutes, without any problem and authentication.You are supposed to visit our website for proper peace of mind and a secure transaction as well.

    reply to this | link to this | view in chronology ]

  • icon
    Mason Wheeler (profile), 25 Jul 2019 @ 8:06am

    Using phone numbers that were provided for security (two factor authentication) for advertising (a massively dangerous and stupid practice by Facebook)

    I agree that this was massively stupid and unethical, but I don't quite see how it's dangerous. Can you elaborate?

    reply to this | link to this | view in chronology ]

    • icon
      Thad (profile), 25 Jul 2019 @ 8:25am

      Re:

      It weakens trust. In the same way that HP pushing "security updates" that disable third-party ink cartridges weakens trust.

      If you tell customers that you're doing something for security purposes, then you had damn-well better only use it for security purposes. If customers feel that they have been misled by claims that a company is doing something for security purposes, then they're less likely to trust similar claims in the future. Maybe they won't use 2FA next time. Maybe they won't install that security update next time.

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.