Prometheus bound: an historical content analysis of information regulation in Facebook.

• Author: Medzini, Rotem
• Position: Case Study Analysis - Privacy Controls through the Lens of Facebook ii. Facebook: Pushing the Limits on People's Ability to Connect b. February and December 2009: Advocacy Groups First Complaint to the FTC through h. December 2011: Fraley v. Facebook, p. 224-254

2. February and December 2009: Advocacy groups first complaint to the FTC

   In February 2009, Facebook revised its terms of service to assert broad, permanent, and retroactive rights to users' personal information. (185) Facebook asserted that it could make public a user's "name, likeness and image for any purpose, including commercial or advertising." (186) On the eve that EPIC submitted an official complaint, Facebook retracted its actions. (187) During November and December 2009, Facebook changed its privacy policy once more. (188) Before the changes, only a user's name and network were publicly available. (189) Likewise, the Facebook Principles--a non-legal document published by Facebook stating "the foundation of the rights and responsibilities of those within the Facebook Service" (190)--told users that while sharing information should be easy, users should have easy control over their personal information. (191) Users should practice and act upon this control using privacy tools necessary to allow users to choose among options, while limiting information displayed on the user's profile only to his networks using the privacy settings. (192)

   Yet, following privacy policy changes, the definition of "public information" was broadened to include more information traits such as profile pictures, the user's "list of friends," pages of which the user is a fan, the user's gender, and geographic regions the user visited. (193) Coupled with a privacy settings change, Facebook could now share this newly defined public information to internet users, search engines, and such other third parties such as applications and websites. (194)

   Another important aspect of this change was the way Facebook communicated the changes to users. (195) In an "important message from Facebook," Facebook notified users of the changes that gave them more control over information. (196) As explained, the underlying goal was to help users stay connected by simplifying the privacy page and allowing users to set the privacy levels on everything they share. (197) The pop up message, which Facebook presented to all users, guided and nudged users to change their privacy settings. (198)

   On December 2009, EPIC and nine other online consumer advocacy organizations submitted an official complaint to the FTC. (199) The advocacy groups worried about Facebook's growing size, and presented three main claims in their complaint. (200) The first and second claims dealt with the abovementioned changes. (201) The third claim was against another interesting change, which was introduced in May 2007. (202) "Facebook Platform" was an Application Programming Interface (API) that allowed third parties to access basic user information at the moment the users accessed their application or website, and allowed additional information at the moment the user connected with the third party or authorized it to do so.

   Prior to the change that prompted the complaint, Facebook gave users a "one-click" opt-out button to prevent entirely the transfer of their information over the API. (203) Following the change, however, Facebook updated the "one-click" button in two important ways. (204) First, as explained earlier, Facebook extended the definition of public information, thus allowing more information to be constantly shared with third parties as a standard practice. (205) Users could only notice these changes, which included major updates in the API, by looking at the privacy policy. (206) Second, instead of the "one-click" opt-out, Facebook allowed users to extend further the information shared with applications that their friends used, whether or not the user actually used the application. (207) Following the change, according to the notice alongside the new privacy settings, even if a user decided to uncheck all boxes, the applications were still able to access the publicly available information. (208) Moreover, according to the notice, if a user decided previously to define a particular post as private, this change resulted with a privacy setting that overrode the user's privacy settings. (209)

   In their complaint, the advocacy groups referenced the privacy policy, which at that time told users they can opt-out from the platform and Facebook altogether. (210) As explained in the complaint, many users and experts complained about the changes. (211) Thousands of blog posts were written, and more than 500 Facebook groups were created, the biggest of which, requesting Facebook to stop invading their privacy, had 74,000 members. (212) Claiming the aforementioned actions were unfair and deceptive, the advocacy groups explained that Facebook misrepresented to users that they have extensive and precise controls. (213) Accordingly, Facebook's actions caused users to believe falsely that they have full control over their information and undermined users' ability to efficiently make use of Facebook's promises of privacy protections. (214) As such, the advocacy groups requested the FTC to order Facebook to make the privacy policy clearer and to restore two of its previous privacy settings--regarding the disclosure of public information and opting out of revealing information to third-party developers. (215)

   It is important to realize some implicit aspects of this Complaint. (216) First, as previously explained, Facebook started placing notices in different positions along their interface. (217) One way of looking at these Facebook notifications is that while users were concentrating on the privacy policy, Facebook used different methods on its platform interface to notify users. (218) Yet, Facebook failed to update the privacy policy to fit those notices. (219) Similarly, while in some instances Facebook notified users through its privacy policy on its information collection practices, when push comes to shove Facebook's interests led to the use of a "setting wizard" that guided users as they changed their privacy settings. This practice of using a wizard to guide users as they are changing their information sharing settings was not only misleading, but also considered as unfair. Users' information became public, and Facebook began sharing public information through users' friends, as users were nudged to accept the change.

   In Facebook's March 2010 privacy policy proposal, the "deceit-claimed" statement notifying users of the ability to opt-out from Facebook Platform was removed. (220) Likewise, Facebook started using categories to explain how information was collected and used. (221) While this change included better explanation about the types of information categories, dealing with issues raised in the complaint, only name and profile picture were defined as public. (222) Similarly, the paragraph explaining which types of information that are defined as public was removed from the policy. (223) Public information means there is no privacy settings affecting and limiting information sharing. (224) Consequently, a user could have expected the remaining items on the list to fall under the privacy settings control. (225) Though some categories such as gender and age were still sometimes considered mandatory to add to one's profile, users were told they could hide them. (226) Moreover, Facebook made clear the settings of "everyone" and added under the topic of "Information You Share with Third Parties," a clear and long explanation...