Facebook's executives are no doubt licking their wounds about the tough sanctions imposed on the company by the U.S. Federal Trade Commission. The social media juggernaut must now redesign its systems and policies to protect privacy. It's likely that the bankers preparing Facebook's imminent IPO are feeling the pain too.
But the FTC may have unwittingly saved the company with the settlement reached Nov. 29. Privacy has been Facebook's Achilles heel and over the years, the company has continually gotten it wrong. Now the FTC is forcing it to get it right. Facebook could have avoided this mess if it understood that privacy needs to be designed into its DNA. The lessons apply to all companies, not just social media websites.
The FTC said Facebook "deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public." The company didn't warn users that this would be happening. It also claimed that detailed user information would not be shared with advertisers, when it was doing exactly that. And when users left the service, Facebook said their information and photos would be removed, when this information actually remained available.
As a pioneering social media company, Facebook is continually venturing into uncharted waters. Before it arrived, few would have predicted that hundreds of millions of people would voluntarily log on to the Internet and record detailed almost minute-by-minute data about themselves, their activities, their likes and dislikes. The degree of detail Facebook knows about its users is unprecedented.
Why has Facebook continually botched the privacy issue? Most believe this treasure chest of information has motivated Facebook executives to collect and monetize every scrap of data they can, even if that means undermining its members' privacy. But there may be a deeper cultural reason. In his book The Facebook Effect, David Kirkpatrick explains that some Facebook executives believe transparency is not just about companies and other institutions disclosing pertinent information about themselves – it's an opportunity for individuals to do so as well.
They believe that "more visibility makes us better people," Mr. Kirkpatrick says. "Some claim, for example, that because of Facebook, young people today have a harder time cheating on their boyfriends or girlfriends. They also say that more transparency should make for a more tolerant society in which people eventually accept that everybody sometimes does bad or embarrassing things."
Some at Facebook refer to this as "radical transparency" – a term initially used to talk about institutions, now adapted to individuals. "Our mission since Day 1 has been to make society more open," says Dave Morin, one of CEO Mark Zuckerberg's inner circle. In other words, everyone should have just one identity, at their workplace and in their personal life.
If true, this is naive, misguided and dangerous. Transparency applies to organizations, not people. Organizations are increasingly obliged to communicate pertinent information to their customers, shareholders, business partners and so on. This is not the case for individuals. Indeed, individual privacy is the foundation of a free society and individuals have an obligation to themselves to safeguard their personal information. And institutions should be transparent about what they do with that information.
Over the years, users have shown a distinct lack of loyalty to their networking platforms. The privacy issue has recently become an important consideration for sophisticated users and many of these have become frustrated with Facebook, dumping it for more privacy-friendly platforms. Given the company's privacy-hostile DNA, it was only a matter of time before users started abandoning the company in droves. So the FTC's sanctions may have unwittingly helped the company survive.
"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," said FTC chairman Jon Leibowitz. "Facebook's innovation does not have to come at the expense of consumer privacy."
According to the proposed FTC settlement, Facebook is barred from making misrepresentations about the privacy or security of consumers' personal information. It is required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences, and required to prevent anyone from accessing a user's material no more than 30 days after the user has deleted his or her account. In addition, the company is required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and Facebook is required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.
On his blog, Mr. Zuckerberg wrote that the FTC settlement "means we're making a clear and formal long-term commitment to do the things we've always tried to do and planned to keep doing – giving you tools to control who can see your information and then making sure only those people you intend can see it."
Safeguarding privacy should be a fundamental element of all social media, not something tacked on as an afterthought. As Ontario's Information and Privacy Commissioner Ann Cavoukian says, "It's all about being pro-active and embedding the necessary protections into the design of your systems. By doing so, you can prevent the privacy harm from arising, thereby avoiding the costs associated with data breaches."
Ms. Cavoukian advocates Privacy by Design, a concept that has been embraced by privacy advocates around the world. Privacy by Design is about pro-actively embedding privacy into the design of technology and business practices, ideally as the default setting. It also emphasizes data minimization. A company should not collect, use or retain more personally identifiable data than it actually needs.
The lesson here is that companies need to protect the privacy of their customers and everyone else by designing it into the core of their business modus operandi. Not everyone can count on the FTC to be their BFF.
Don Tapscott is the author of Who Knows: Safeguarding Your Privacy in a Networked World and The Naked Corporation: How the Age of Transparency will Revolutionize Business.