Facebook's settlement with the FTC after the agency's yearlong investigation provides a detailed account of the company's sneaky behavior and secures a handful of new safeguards, many of them backward-looking. They limit how Facebook shares some data with third-party app developers, circumscribe the collection of phone numbers for advertising purposes and require "clear and conspicuous" notice before people's photos and videos are subjected to facial recognition technology.
But privacy experts say there's little that will slow Facebook's harvesting of vast amounts of sensitive personal information. That data is key to how the tech company makes a profit through targeted advertising — and Facebook has a spotty record of protecting it.
"It will take us quite a while to figure out whether this will have any effect on how Facebook does its business," said Michelle Richardson, director of privacy and data for the Center for Democracy and Technology. "These are small, incremental changes. There's no easy advice to give individuals about any switch they can flip to make the privacy risks go away."
Richardson said it's possible that accountability measures imposed on Facebook CEO Mark Zuckerberg, who must personally certify compliance, may give the company pause before launching new services that could threaten users' privacy or data security.
But she said the FTC's order lacks firm rules that could have guided how Facebook uses and shares the information it collects. That's in part because, unless Congress follows through with proposals to enact a comprehensive federal privacy law, the FTC has little authority to police online privacy concerns, she said.
The deal also absolves Facebook of any known consumer-protection claims prior to June 12, effectively wiping the slate clean of past privacy violations. Yale Privacy Lab researcher Sean O'Brien said the FTC's limited penalties will enable Facebook to publicly say it is changing course while maintaining an illusion of privacy. It may bolster the ranks of privacy-focused managers and executives, he said, and could add new menu items to the platform's already confusing settings, "which most users never change anyway."
The company has also made a public push for improving the privacy of conversations on its WhatsApp, Messenger and Instagram chatting services, but O'Brien said it won't give up spying on far more valuable information about users' online behavior and social lives.
"Facebook has surveillance at the core of its business model, which is the monetization of data profiles about humans and about human social interaction," he said. "Far too many companies are making money off of Facebook and the data economy in general for there to be fundamental change."
The FTC's ruling fell along partisan lines, with its three Republican commissioners voting in favor of the punitive actions, including the $5 billion fine, which goes to the U.S. Treasury's general fund. The two Democrats dissented because they wanted tougher restrictions and penalties. Republicans argued they couldn't have done much more without a difficult legal battle.
While the commissioners disagreed on how to penalize Facebook, the FTC's formal legal complaint makes clear what is at stake for users and outlines years of deception following a 2012 FTC consent order that was supposed to curb Facebook's privacy abuses.
Wednesday's complaint noted that over 100 million Americans "use Facebook every day to share personal information, such as their real name, date of birth, hometown, current city, employer, relationship status, and spouse's name, as well as sensitive personal information, such as political views, sexual orientation, photos of minor children, and membership in health-related and other support groups." The complaint also points to research showing a user's "likes" of public Facebook pages "can be used to accurately predict that user's personality traits, sometimes better than the user's own friends and family."
The complaint said third-party apps given access to much of that data by Facebook were by September 2013 sucking out vast quantities of personal information, with a Facebook audit finding that a single app made more than 450 million data requests in a 30-day period. The volume was so great, according to the complaint, that it led one Facebook employee to comment, "I must admit, I was surprised to find out that we are giving out a lot here for no obvious reason."
Only after March 2018, when the Cambridge Analytica privacy scandal broke, did Facebook begin a "massive cultural shift" to enforce its own publicly stated policies designed to protect user privacy, the complaint said. Prior to that, even after claiming it cut off all developers in April 2015, the company let several dozen "white-listed" partners suck up data that "Facebook knew consumers might be sensitive to sharing" without their knowledge or consent, it added. Microsoft and Sony continued to have access to certain data until Facebook publicly cut them off after the settlement announcement Wednesday.
Even with the piecemeal restrictions the FTC did impose, O'Brien said it's possible the company can find enough wiggle room to work around them. He is particularly skeptical about the FTC's requirement that Facebook provide "clear and conspicuous" notice on how it is using facial recognition technology and obtain "affirmative express consent" from users if it expands the use of facial recognition beyond what it has previously disclosed. The FTC imposed that restriction after finding that Facebook broke a similar promise last year when it updated its data policy in a way that misrepresented the extent to which consumers could opt out of facial recognition.
Besides, after years of people tagging friends' faces as they uploaded photos onto the social network, the company already has a valuable repository of images stored in its data centers. "It's closing the barn door after the horse is gone," O'Brien said.
AP Technology Writer Frank Bajak contributed to this report.