The FTC Wants More Privacy, Less Zuckerberg, at Facebook

Facebook's agreement with the Federal Trade Commission requires CEO Mark Zuckerberg to certify each year that the company is abiding by its requirements.Stephen Lam/Reuters
MARK ZUCKERBERG’S NAME doesn’t appear anywhere in the 50-page complaint brought against Facebook by the US government Wednesday as it settled charges the company deceived millions of Americans over how it used and shared their personal information. But make no mistake: The Federal Trade Commission is not happy with how Zuckerberg has been running his company.As part of the settlement order, Facebook has agreed not just to pay a record $5 billion civil penalty, as previously reported , but also to make substantial changes to the company’s structure and how it handles privacy issues. The order doesn’t hold any executives personally liable, as some commissioners had sought, but Zuckerberg will need to personally certify each year that Facebook remains compliant with its terms.“Millions of Americans entrusted personal information to Facebook with the understanding that Facebook would respect the laws governing consumer privacy, but Facebook’s many privacy missteps made clear that it lacked a culture of compliance in this area,” FTC commissioner Christine Wilson said at a press conference announcing the settlement Wednesday. “It was clear that we needed to erect speed bumps requiring both Mr. Zuckerberg and Facebook to slow down and take care with consumer privacy.” She said the commission couldn’t remove Zuckerberg as Facebook’s CEO, “but we have imposed a robust system of checks and balances that extinguishes his ability unilaterally to chart the path for consumer privacy at Facebook.”Among other things, the settlement requires Facebook to change how it nominates people to its board of directors, and create a board committee dedicated to privacy issues that will be briefed quarterly by management. An outside, government-approved assessor—also new—will monitor Facebook’s compliance with the order and issue biannual reports to the board and the US government, though not necessarily the public. The FTC and the Department of Justice will both be involved in oversight. Facebook will also need to review and report on the privacy impact of new features or updates, and alert the FTC as well as the assessor in the event the data of more than 500 users is compromised.“Mr. Zuckerberg does remain the controlling shareholder, but his power over privacy in particular will be more diffused, and his influence accordingly diminished,” FTC commissioner Noah Joshua Phillips said at the press conference.In Facebook’s own announcement of the agreement, General Counsel Colin Stretch wrote, “It will mark a sharper turn toward privacy, on a different scale than anything we’ve done in the past.” But many observers, including within the FTC, are more skeptical that Wednesday’s agreement changes things at Facebook enough to keep the company from choosing profits over privacy in the future.Two of the five FTC commissioners voted against approving the agreement, arguing that the commission should have pursued a lawsuit against Facebook. “The settlement’s $5 billion penalty makes for a good headline, but the terms and conditions, including blanket immunity for Facebook executives and no real restraints on Facebook’s business model, do not fix the core problems that led to these violations,” commissioner Rohit Chopra wrote in a statement. Rebecca Kelly Slaughter also dissented.In his statement, Chopra said the settlement “ratifies Facebook’s governance structure instead of changing it. The ‘Independent Privacy Committee’ has little independence, no meaningful powers, and no buy-in from shareholders.” Any new directors must be approved by shareholders, but Zuckerberg controls almost 60 percent of shareholder voting power. “Even if truly independent directors were chosen, they would be virtually powerless: the order gives them no authority to veto any management decision, and their fiduciary duty is to shareholders, not users."FTC Chair Joe Simons defended the agency’s decision. “Would it have been nice to get more? To get $10 billion instead of $5 billion, for example. To get greater restrictions on how Facebook collects, uses, and shares data. To get a more limited release. To put Mark Zuckerberg’s name in the complaint caption,” Simons said during the press conference. “To the extent people object to our settlement because it does not have terms like these, we did not have those options. We cannot impose such things with our own fiat.”Former FTC chief technologist Ashkan Soltani says the agency was negotiating from a position of weakness, because it lacks broad enforcement authority. “People want the FTC to enforce laws that don’t exist, and they want the FTC to enforce issues that the FTC doesn’t have authority over, unfortunately,” he told WIRED. Congress could empower the agency with more rule-making authority and resources, or pass federal privacy legislation that would regulate companies like Facebook—but so far efforts to change the status quo have stalled on Capitol Hill.Even within the limited authority of the FTC, however, Soltani worries that the agreement is too narrow to sufficiently protect consumers as Facebook’s business model evolves. The agreement mostly addresses Facebook’s past sins, he says. For example, the order prohibits Facebook from taking phone numbers users had shared for security purposes and use them for advertising purposes, something the company has previously done. But, Soltani says, “it doesn’t essentially look at some of the future planned activity that Facebook has signaled, like around the use of information for commerce, around the interaction between their business and consumers via WhatsApp.”The country may still be waiting for Congress to act on data privacy, but lawmakers eagerly jumped at another opportunity to criticize Facebook and its CEO, who have become particularly popular targets on the Hill over the past year.“This fig leaf deal releases Facebook without requiring any real privacy protections—no restraints on future data use, no accountability for top executives, nothing more than chump change financial fines,” Senator Richard Blumenthal (D-Connecticut) said in a statement. “The American public is owed more than another Zuckerberg apology and an anemic FTC settlement.”

Zuckerberg didn’t appear to apologize for anything on Wednesday, however. “We have a responsibility to protect people's privacy. We already work hard to live up to this responsibility, but now we're going to set a completely new standard for our industry,” the CEO wrote in a Facebook post. He estimated that implementing some of the new processes “will take hundreds of engineers and more than a thousand people across our company.”

“The next focus for our company is to build privacy protections as strong as the best services we provide,” Zuckerberg concluded. “I'm committed to doing this well and delivering the best private social platform for our community.”

Separately, the Securities and Exchange Commission announced charges of its own against Facebook Wednesday, for failing to adequately disclose to investors that its users’ data had been misused. The Wall Street Journal first reported the SEC was investigating the company last July. To settle these charges, Facebook agreed to pay a fine of $100 million; as with the FTC agreement, the company does not have to admit any fault.
  • High drama: A cannabis biotech firm roils small growers
  • Lunar mysteries that science still needs to solve
  • Are super automatic espresso machines worth it?
  • The best algorithms don't recognize black faces equally
  • These hackers made an app that kills to prove a point
  • 🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers , running gear (including shoes and socks ), and best headphones .
  • 📩 Get even more of our inside scoops with our weekly Backchannel newsletter