The New York Times recently printed a first page article and various editorial pieces about the state of education in US law schools. The New York Times claims that law schools are "in crisis" because they do not adequately prepare lawyers to enter the workforce. As I've noted elsewhere, I think the New York Times gets it all wrong. At least one of their columnists seems to agree with me.
http://opinionator.blogs.nytimes.com/2011/12/12/teaching-law/?hp
Tuesday, December 13, 2011
Monday, December 5, 2011
Facebook Settlement with FTC
Last week Facebook settled claims brought against it by the Federal Trade Commission. The terms of settlement are the subject of commentary this week by consumer advocates and lawyers. But perhaps the most fascinating thing about the whole affair is the nature of the FTC's complaint. The complaint was not an enforcement of specific U.S. privacy law. Indeed, the FTC does not have much, if any, "privacy law" to enforce. Rather, here, in order to flex its muscle, the FTC resorted to claims that Facebook had made inaccurate statements in its privacy policies and elsewhere about information-control settings available to users of the Facebook site. These statements were, according to the FTC, false and misleading. On that basis the FTC has power to punish Facebook.
The bottom line is that Facebook got itself into a tangle by making broad statements to its users and by making promises that it arguably did not keep. Would Facebook have drawn the ire of the FTC if it had, from the beginning, consistently refused to make any user-friendly statements and promises about the way it gathers, analyzes, and shares information about users and about user behavior? Perhaps not.
Here's a summary of the complaint.
1. Profile Information Made Available to Applications Used by Friends. According to the FTC, Facebook represented to users that through use of its site's Profile Privacy Settings users could restrict access to user profile information (e.g., birthday, hometown, activities, interests) to specific groups, such as "Only Friends" or "Friends of Friends." This, according to the FTC, was false, misleading, or both. The truth being that Facebook made profile information that a user chose to restrict to "Only Friends" or "Friends of Friends" accessible to any third party Facebook platform application that the user's Friends used.
2. December 2009 Privacy Changes. According to the FTC, prior to December 2009, Facebook users could, and did, use Friends' App Settings to restrict third party Facebook platform applications from accessing profile information such as name, profile picture, gender, friend list, pages, and networks. In December 2009, Facebook made the decision to no longer make available settings to protect this information. And all prior user choices to protect this information were overridden. This information effectively became publicly available information ("PAI"). To implement these changes, Facebook required each user to click through a privacy wizard that told the user:
"We're making some changes to give you more control of our information and help you stay connected. We've simplified the Privacy page and added the ability to set privacy on everything you share, from status updates to photos."
"At the same time, we're helping everyone find and connect with each other by keeping some information - like your name and current city - publicly available. The next step will guide you through choosing your privacy settings."
"Facebook's new, simplified privacy settings give you more control over the information you share. We've recommended settings below, but you can choose to apply your old settings to any of the fields."
According to the FTC, the privacy wizard did not disclose adequately that users could no longer restrict access to their newly-designated PAI via Facebook settings. For example, the notice did not disclose that a user's existing choice to share his or her friend list with "Only Friends" would be overridden, and that this information would be made accessible to the public.
According to the FTC, Facebook's failure to adequately disclose that following the December 2009 privacy changes users could no longer restrict access to their name, profile picture, gender, friend list, pages, or networks by use of settings, and its failure to disclose adequately that the December 2009 privacy changes overrode existing privacy settings, constituted a deceptive act or practice. Further, by designating as PAI certain user profile information that had previously been subject to privacy settings, Facebook materially changed its promises that users could keep such information private. It changed these promises without adequate notice and consent. According to the FTC, Facebook's failure to disclose constituted an unfair act or practice.
3. Information Not Needed. According to the FTC, Facebook made numerous statements to users that third party Facebook platform applications used by a user would access only the profile information that "the application need[s] to operate." For example,
"Allowing [name of application] access will let it pull your profile information, photos, your friends' info, and other content that it requires to work."
"Applications you use will access your Facebook information in order for them to work."
The FTC argued that third party Facebook platform applications could in many instances access profile information that was unrelated to the application's purpose or unnecessary to its operation. Thus, Facebook's statements constituted false or misleading representations.
4. Sharing Information with Advertisers. The FTC complained that Facebook broke its promise to users that Facebook would not provide profile information to advertisers. According to the FTC, Facebook made many statements that it did not share information about users with advertisers, including:
"Facebook may use information in your profile without identifying you as an individual to third parties."
"We don't share information with advertisers without your consent . . ."
"[W]e never provide the advertiser any names or other information about people who are shown, or even who click on, . . . ads."
"We never share your personal information with advertisers. We never sell your personal information to anyone."
"The only information we provide to advertisers is aggregate and anonymous data, so they can know how many people viewed their ad and general categories of information about them."
According to the FTC, contrary to these statements, in many instances, Facebook has shared information about users with platform advertisers by identifying users to the advertisers when users click on ads. Specifically, through May 2010, Facebook in many instances provided User IDs to advertisers. User IDs can be used to obtain information that after December 2009 Facebook began to categorize as PAI (i.e., profile picture, gender, current city, friend list, pages, and networks and information about the online behavior of the user). On this evidence, the FTC alleged that the Facebook statements were false and/or misleading.
5. Verified Apps Program. It was alleged by the FTC that from May 2009 until December 2009 Facebook operated a Verified Apps program in which it designated certain third party Facebook platform applications as "Facebook Verified Apps." Facebook then made statements to its users that it had taken steps to verify the security of these Verified Apps, in excess of its review of other third party applications. The FTC argued that Facebook did not in fact take these steps, making its statements false or misleading.
6. Continued Display of User Photos. The FTC contended that Facebook made statements to users that users could restrict access to photos and videos that a user uploaded by deleting or deactivating his or her user account. For example:
"To deactivate your account, navigate to the "Settings" tab on the Account Settings page. Deactivation will remove your profile and content associated with your account from Facebook. In addition, users will not be able to search for you or view your information."
In fact, Facebook continued to display users' photos and videos to anyone who accessed the content URL for such photo or video, even after a user had deleted or deactivated their accounts. Thus, according to the FTC, the representations that this content would be removed was false and misleading.
7. Faulty Self-Certification of EU Safe Harbor Framework Principles. The FTC argued that from May 2007 until the time of its complaint, Facebook had stated in its privacy policy that it complies with the "EU Safe Harbor Privacy Framework as set forth by the United States Department of Commerce." In fact, in many instances, Facebook had not adhered to the U.S. Safe Harbor Privacy Principles of Notice and Choice, making its statements deceptive acts or practices.
The bottom line is that Facebook got itself into a tangle by making broad statements to its users and by making promises that it arguably did not keep. Would Facebook have drawn the ire of the FTC if it had, from the beginning, consistently refused to make any user-friendly statements and promises about the way it gathers, analyzes, and shares information about users and about user behavior? Perhaps not.
Here's a summary of the complaint.
1. Profile Information Made Available to Applications Used by Friends. According to the FTC, Facebook represented to users that through use of its site's Profile Privacy Settings users could restrict access to user profile information (e.g., birthday, hometown, activities, interests) to specific groups, such as "Only Friends" or "Friends of Friends." This, according to the FTC, was false, misleading, or both. The truth being that Facebook made profile information that a user chose to restrict to "Only Friends" or "Friends of Friends" accessible to any third party Facebook platform application that the user's Friends used.
2. December 2009 Privacy Changes. According to the FTC, prior to December 2009, Facebook users could, and did, use Friends' App Settings to restrict third party Facebook platform applications from accessing profile information such as name, profile picture, gender, friend list, pages, and networks. In December 2009, Facebook made the decision to no longer make available settings to protect this information. And all prior user choices to protect this information were overridden. This information effectively became publicly available information ("PAI"). To implement these changes, Facebook required each user to click through a privacy wizard that told the user:
"We're making some changes to give you more control of our information and help you stay connected. We've simplified the Privacy page and added the ability to set privacy on everything you share, from status updates to photos."
"At the same time, we're helping everyone find and connect with each other by keeping some information - like your name and current city - publicly available. The next step will guide you through choosing your privacy settings."
"Facebook's new, simplified privacy settings give you more control over the information you share. We've recommended settings below, but you can choose to apply your old settings to any of the fields."
According to the FTC, the privacy wizard did not disclose adequately that users could no longer restrict access to their newly-designated PAI via Facebook settings. For example, the notice did not disclose that a user's existing choice to share his or her friend list with "Only Friends" would be overridden, and that this information would be made accessible to the public.
According to the FTC, Facebook's failure to adequately disclose that following the December 2009 privacy changes users could no longer restrict access to their name, profile picture, gender, friend list, pages, or networks by use of settings, and its failure to disclose adequately that the December 2009 privacy changes overrode existing privacy settings, constituted a deceptive act or practice. Further, by designating as PAI certain user profile information that had previously been subject to privacy settings, Facebook materially changed its promises that users could keep such information private. It changed these promises without adequate notice and consent. According to the FTC, Facebook's failure to disclose constituted an unfair act or practice.
3. Information Not Needed. According to the FTC, Facebook made numerous statements to users that third party Facebook platform applications used by a user would access only the profile information that "the application need[s] to operate." For example,
"Allowing [name of application] access will let it pull your profile information, photos, your friends' info, and other content that it requires to work."
"Applications you use will access your Facebook information in order for them to work."
The FTC argued that third party Facebook platform applications could in many instances access profile information that was unrelated to the application's purpose or unnecessary to its operation. Thus, Facebook's statements constituted false or misleading representations.
4. Sharing Information with Advertisers. The FTC complained that Facebook broke its promise to users that Facebook would not provide profile information to advertisers. According to the FTC, Facebook made many statements that it did not share information about users with advertisers, including:
"Facebook may use information in your profile without identifying you as an individual to third parties."
"We don't share information with advertisers without your consent . . ."
"[W]e never provide the advertiser any names or other information about people who are shown, or even who click on, . . . ads."
"We never share your personal information with advertisers. We never sell your personal information to anyone."
"The only information we provide to advertisers is aggregate and anonymous data, so they can know how many people viewed their ad and general categories of information about them."
According to the FTC, contrary to these statements, in many instances, Facebook has shared information about users with platform advertisers by identifying users to the advertisers when users click on ads. Specifically, through May 2010, Facebook in many instances provided User IDs to advertisers. User IDs can be used to obtain information that after December 2009 Facebook began to categorize as PAI (i.e., profile picture, gender, current city, friend list, pages, and networks and information about the online behavior of the user). On this evidence, the FTC alleged that the Facebook statements were false and/or misleading.
5. Verified Apps Program. It was alleged by the FTC that from May 2009 until December 2009 Facebook operated a Verified Apps program in which it designated certain third party Facebook platform applications as "Facebook Verified Apps." Facebook then made statements to its users that it had taken steps to verify the security of these Verified Apps, in excess of its review of other third party applications. The FTC argued that Facebook did not in fact take these steps, making its statements false or misleading.
6. Continued Display of User Photos. The FTC contended that Facebook made statements to users that users could restrict access to photos and videos that a user uploaded by deleting or deactivating his or her user account. For example:
"To deactivate your account, navigate to the "Settings" tab on the Account Settings page. Deactivation will remove your profile and content associated with your account from Facebook. In addition, users will not be able to search for you or view your information."
In fact, Facebook continued to display users' photos and videos to anyone who accessed the content URL for such photo or video, even after a user had deleted or deactivated their accounts. Thus, according to the FTC, the representations that this content would be removed was false and misleading.
7. Faulty Self-Certification of EU Safe Harbor Framework Principles. The FTC argued that from May 2007 until the time of its complaint, Facebook had stated in its privacy policy that it complies with the "EU Safe Harbor Privacy Framework as set forth by the United States Department of Commerce." In fact, in many instances, Facebook had not adhered to the U.S. Safe Harbor Privacy Principles of Notice and Choice, making its statements deceptive acts or practices.
Subscribe to:
Posts (Atom)
Posts
