Privacy groups ask FTC to investigate Facebook for tracking, misleading consumers

Rich Fiscus
30 Sep 2011 11:19

A coalition of US privacy and civil rights groups wants the Federal Trade Commission to investigate Facebook over alleged deceptive trade practices.
The letter was sent by the Electronic Privacy Information Center (EPIC) on behalf of themselves and the American Civil Liberties Union (ACLU), American Library Association (ALA), Bill of Rights Defense Committee (BORDC), Center for Digital Democracy (CDD), Center for Media and Democracy (CMD), Consumer Action, Consumer Watchdog, PrivacyActivism, Privacy Times & Stanford Law School lecturer Chip Pitts.
They are asking the FTC to examine the harm to consumer privacy caused by a combination of Facebook's new frictionless sharing features and tracking cookies used without the user's knowledge or consent.
The letter contends:

In light of recent changes announced by Facebook that impact the privacy interests of almost two hundred million Facebook users in the United States, we would like to bring your attention to new privacy and security risks to American consumers, the secret use of persistent identifiers ("cookies") to track the Internet activity of users even after they have logged off of Facebook, and the company's failure to uphold representations it has made regarding its commitments to protect the privacy of its users.
Facebook's tracking of post-log-out Internet activity violates both the reasonable expectations of consumers and the company's own privacy statements. Although Facebook has partially fixed the problem caused by its tracking cookies, the company still places persistent identifiers on users' browsers that collect post-log-out data and could be used to identify users.
"Frictionless sharing" plays a leading role in the changes Facebook announced at the recent f8 development conference, and works through the interaction of Facebook's Ticker, Timeline, and Open Graph. These changes in business practices give the company far greater ability to disclose the personal information of its users to its business partners than in the past. Options for users to preserve the privacy standards they have established have become confusing, impractical, and unfair.

The issue with tracking cookies is one Facebook has dealt with, although not to everyone's satisfaction. Earlier this month, developer Nik Cubrilovic posted an account of the issue on his blog, saying he sent Facebook multiple reports about tracking cookies not being properly cleared at logout, but received no response.
His initial findings and reports to Facebook came last year, but he decided to make the issue public when Facebook's Mark Zuckerberg announced their frictionless sharing features in a keynote address at the company's f8 conference last week.
Following Cubrilovic's initial blog post, Facebook contacted him to clarify that one of the persistent cookies was being saved in error, but wasn't actually tracked. That cookie, which included information identifying the user's Facebook account number, is now removed when you logout from Facebook.
However, others remain unchanged. While they don't identify a particular Facebook account, there is enough information to identify a specific computer. Facebook says these cookies will remain persistent as they are used for purposes like identifying spammers who setup multiple accounts.
While Cubrilovic doesn't believe Facebook is using these cookies for tracking individuals, he also points out the information provided could be linked to a particular user. He recommends either using a separate browser for Facebook or clear their cookies when logging out.
EPIC's letter to the FTC points out these cookies are used to send identifying information to Facebook whenever a webpage with a "like" button is loaded. They also contend this activity:

directly contradicts Facebook's website, which states that "[i]f you log-out of Facebook, we will not receive this information about partner websites but you will also not see personalized experiences on these sites."

But the central point in their letter is that Facebook's ever changing sharing and privacy settings make it nearly impossible for the user to know or control what information will be available to others, even complete strangers. That includes data most people likely don't even know Facebook is collecting.
Furthermore, they say, since Facebook's recent changes apply to information already shared or collected, users may find information which would have been relatively private when they shared it presented to complete strangers now:

First, and most troubling, all of the information that users have shared with Facebook to date was shared under a different privacy regime, with a different set of justified user expectations. Ticker, for example, might only reveal information about strangers that was previously viewable, but because a user would have had to decide to search for that stranger and to search at or near the time the stranger posted the content, such content was effectively invisible under the previous privacy regime.

They are particularly concerned about Facebook's new Open Graph, which shares behavioral data such as details about the music you listen to on Spotify, which shows you watch on Hulu, and the stories you read using the Washington Post's Social Reader app.
They argue, combined with confusing sharing settings, secret tracking cookies, and requirements from some services to have a Facebook account before you can use them, these concerns represent risks to the public which Facebook needs to both disclose and address.