(Richard
Drew/AP)
The
Federal Trade Commission plans to allege that Facebook misled
users about its handling of their phone numbers as part of a
wide-ranging complaint that accompanies a settlement ending the
government’s privacy probe, according to two people familiar with
the matter.
In
the complaint, which has not yet been released, federal regulators
take issue with Facebook’s earlier implementation of a security
feature called two-factor authentication. It allows users to
request a one-time password, sent by text message, each time they
log on to the social-networking site.
But
some advertisers managed to target Facebook users who uploaded
those contact details, perhaps without the full knowledge of those
who provided them, the two sources said. The misuse of the phone
numbers was first identified in media reports and by academics
this year.
The
FTC also plans to allege that Facebook had provided insufficient
information to users — roughly 30 million — about their ability to
turn off a tool that would identify and offer tag suggestions for
photos, the sources added. The sources spoke on the condition of
anonymity. The facial recognition issue appears to have first been
publicized earlier this year by
Consumer
Reports.
The
FTC declined comment. Facebook also declined to comment.
The
two privacy violations are included in a complaint tied to a
settlement brokered between the FTC and Facebook, which multiple
sources said they expect to be announced Wednesday. The agreement
requires Facebook to submit to unprecedented federal oversight of
its business practices, as The Post
first
reported in May,
including the creation of a special committee on its board of
directors that regularly certifies the tech giant is handling user
data appropriately.
But
the inclusion of those two privacy issues in the complaint
highlights a critical question facing the commission: How to
handle a litany of privacy scandals that came to light during the
course of the FTC’s 16-month investigation into Facebook, and
whether the FTC will penalize the tech giant for those additional
violations or give it a clean slate going forward.
As
part of the settlement, Facebook won’t be required to admit guilt,
according to three people familiar with the matter. The FTC often
allows companies to avoid admitting any wrongdoing as part of its
agreements ending investigations, choosing instead to focus its
legal firepower on securing substantial changes to an offending
company’s business practices. But the move could embolden critics
who feel the agency was not aggressive enough in its negotiations
with Facebook.
“There’s
a growing perception that the perceived effectiveness of what the
agency’s doing depends on [its] ability to extract this kind of
acknowledgment of fault,” said William Kovacic, a former FTC
commissioner who’s now a professor at the George Washington
University Law School
Google
avoided a statement of guilt when it was penalized by the FTC in
2012 for its privacy violations as part of an agreement with the
agency that saw the tech giant pay a $22.5 million fine. On
Monday,
Equifax
also did not admit guilt to the FTC even as it committed to the
agency to improve its cybersecurity practices. The
credit-reporting agency drew the FTC’s attention after it suffered
a massive security breach in 2017 that put 147 million Americans’
personal data in jeopardy.
Adding
to some critics’ potential objections: The FTC did not question
Facebook chief executive Mark Zuckerberg, two people familiar with
the probe said Tuesday.
The
settlement is
weaker
than the tough penalties
— including a fine into the tens of billions of dollars — that
some at the FTC initially hoped to obtain from Facebook, sources
told the Post over the course of a six-month investigation. Those
issues prompted the FTC’s two Democrats to vote against the
settlement in July.