Facebook: Audit Finds Privacy Practices Sufficient
Facebook says that an independent audit found its privacy practices sufficient during a six-month assessment period that followed a settlement with federal regulators.
Facebook Inc. said it submitted the findings to the Federal Trade Commission on Monday evening. The audit was a required part of the social networking company’s settlement with the FTC last summer. The settlement resolved charges that Facebook exposed details about its users’ lives without getting the required legal consent.
Facebook provided a copy of its letter to the FTC, along with a redacted copy of the auditor’s letter, to The Associated Press on Wednesday. The redacted portion contains trade secret information and does not alter the auditor’s findings, the company said. The audit, which found that Facebook’s privacy program met or exceeded requirements under the FTC’s order, covered written policies as well as samples of its data.
"We’re encouraged by this confirmation that the controls set out in our privacy program are working as intended," said Erin Egan, Facebook’s chief privacy officer for policy," in an emailed statement. "This assessment has also helped us identify areas to work on as Facebook continues to evolve as a company, and improve upon the privacy protections we already have in place. We will keep working to meet the changing and evolving needs of our users and to put user privacy and security at the center of everything we do."
Facebook did not disclose the full, 79-page report or specific details on shortcomings in its privacy practices that were revealed by the audit. Spokeswoman Jodi Seth said Facebook declined to disclose such details "based on contractual obligations and the possibility of security and competitive vulnerabilities."
The company has asked the FTC to keep the redacted information private, saying it would put it and its auditor at a competitive disadvantage and because it could reveal possible limitations of its privacy program.
The name of the accounting firm is also redacted but that information will be released when the FTC responds to the audit.
A representative for the FTC did not immediately return a message for comment on Thursday morning.
Facebook has made several high-profile mistakes over user privacy, especially in its early years. Much of the FTC’s complaint against the company centered on a series of changes that Facebook made to its privacy controls in late 2009. The revisions automatically shared information and pictures about Facebook users, even if they previously programmed their privacy settings to shield that content. Among other things, people’s profile pictures, lists of online friends and political views were suddenly available for the world to see, the FTC alleged.
The complaint also charged that Facebook shared users’ personal information with third-party advertisers from September 2008 through May 2010 despite several public assurances from company officials that it wasn’t passing the data along for marketing purposes. Facebook said this only happened in limited instances.
Facebook did not admit any wrongdoing as part of the settlement, but it agreed to submit to audits of its privacy practices for 20 years. This was the first of those audits. Google Inc. earlier agreed to a similar settlement, but was fined $22.5 million last August to resolve allegations that it did not comply with it.