,
40 tweets,
8 min read
Read on Twitter
I'm digging in to the Facebook complaint and order. My real time thoughts. Thread.
First, a little background on how I like to read such things. I read the complaint first. All of the background one should read a context. This section usually seeks to paint the defendant in the worst possible light, so I expect a lot of pejorative language here. BUT...
All of that is just dicta. It is very common for the background section to describe all sorts of practices that sound bad but don't break the law. It's the counts themselves where you see what the FTC actually thinks are the legal violations.
I read the order after the complaint. I like to see how the provisions in the order line up with the alleged violations in the counts. That suggests how much more the FTC got out of a settlement than they would have gotten had they won a court case against defendant.
Ok, so digging in to the complaint. This is pretty worked over! P2 doesn't explicitly call "likes" sensitive, but lays groundwork for concern over the sharing of likes. Also, very factual description of how *users* (not FB) employ 3rd party apps - would have expected more shade. 
Paragraphs 3-4 have plenty of shade, describe how Facebook made money by "monetizing user information" for ads. Claims FB subverted privacy choices "to serve its own business interest." Let's see if that mens rea-like language makes it into a count - my bet is "no."
P5 describes how people who installed FB apps agreed to sharing their data and data of friends. Doesn't describe what data (hope that's later), but says the data could be used for ID theft, etc.
P5 described pre-2012 order practices; P6-9 describe FB's actions in the aftermath of the 2012 order. P9 contains the first allegation of a violation of the 2012 order - FB allowing Whitelisted Devs to use affected friend data.
P9-12 summarize the allegation that FB violated the 2012 Order's requirement that it maintain a reasonable privacy program. In short, says FB's enforcement of its policies, terms, and conditions was unreasonable.
To clarify, says FB's enforcement of its policies, terms, and conditions *as applied to third party developers* was unreasonable.
P13-14 include two separate Section 5 allegations. First is related to FB's use of phone numbers not just for two-factor authentication but also for advertising; sounds like this may be a "failure to disclose" claim, which would be interesting.
Second is related to FB's description of how people could control facial recognition of uploaded pictures. This sounds like its a deceptive implied claim. I'm curious to see how this is fleshed out.
So, it appears we're set up for two violations of the 2012 order and two unrelated Section 5 violations. Neither of the Section 5 deception allegations involve expressly false claims, it appears.
That's the summary. I'm not going to paragraph by paragraph the remaining 44 pages - I'll just pick out the bits that interest me. Let's do it.
Paras 19-33 describe the 2012 Order. Potentially relevant is the difference between P23's list of data available to third parties and the Order's def. of covered information, which is much narrower. But this section doesn't really make any news.
P35-50 describe FB's alleged failure to disclose how third party apps had access to friend data. The heading for this section is super vague: what is a failure to disclose that user privacy choices would be *undermined*? Was so curious that I skipped ahead to the counts....
Which are phrased as misrepresentations, not as failures to disclose! Puzzling. A misrep allegations is stronger, FTC prefers it if the evidence allows. But then why characterize FB's conduct as the weaker "failure to disclose" in the background?
As I mentioned earlier, the FTC usually "exaggerates" the violations in the background, non-legal allegations and then narrows down to better supported allegations in the Counts. Here it seems to be backward. But I'll keep reading.
It may have something to do with the fact that the counts allege order violations, and the order commands that FB "shall not misrepresent, expressly or by implication ..."
Up to P65. FB's practices re: sharing w/ 3rd party apps looks like "half-truth" failure to disclose: truthful disclosures allegedly create materially misleading expectations. FTC sometimes characterizes such claims as an implied misrep, so mismatch w/ counts not a big deal.
(Failure to disclose is a fascinating area of FTC deception law, and one with room for increased use and potential for abuse. See link for the most comprehensive recent statement from an FTC official (@M_Ohlhausen) on failure to disclose): ftc.gov/system/files/d…)
@M_Ohlhausen Through P80. Not seeing a lot of difference between the fact pattern for FB desktop and FB mobile app. P81-87 provide evidence that FB knew lots of Affected Friend data was being accessed by apps.
Four interesting paragraphs, 88-91, argue that FB was motivated by $$$ to not cut off certain apps' access to Affected Friend data. Normally I would think this just color, but as @privacyattorney noted, this language supports part of count 4.
I think that is new! I haven't seen a complaint alleging that treating big customers different from small is an unreasonable privacy practice. (Although the count is a bit ambiguous whether that is unreasonable or if failing to inform the assessor is unreasonable.)
P92-100 argue FB's public announcements of changes to its graph API to give users further control are deceptive b/c certain apps continued access for about a year. I think that's a pretty weak allegation that relies on some close parsing of PR, but it's similar to past practice.
The argument in 101-105 is again a failure to disclose / half-truth argument: FB's Privacy Check did in fact increase control of user info as claimed but was silent about friends' apps' access - therefore deceptive?
Shades of Nomi here, where a company is penalized for trying to offer more privacy options than legal required but missing something. (Of course, in Nomi that was pretty much the whole case; here, there are many other serious allegations.) ftc.gov/system/files/d…
Paragraphs 106-113 talks about the Whitelisted Developers that maintained access to Affected Friend data. As alleged, this practice by FB was, to use a technical term, wack.
Even if the Graph API v2 announcements lacked express claims about timeline for cutting off data access, continued access for Whitelisted Developers appears directly contrary to the core claims of the announce changes.
The upshot of P114-127 is that FB's Platform Policies were apparently fine but that FB's allegedly lax and uneven enforcement of those policies against third parties was problematic.
P128-143 discuss FB's use for advertising of phone numbers submitted for 2 factor authentication. Interestingly, even though materiality is an element of Section 5 deception, P143 is the first time the FTC alleges that a FBs deceptive data uses is material to users.
P144-154 lays out a weak deception allegation w/r/t FB's facial recognition notifications. It seems to allege that the words "If you have it turned on" in the Data Policy mean "if you have turned it on." Materiality absent again. This is only here b/c FR is a hot topic right now.
On to the counts! Counts 1-3 all allege violations of Part I of the 2012 Order prohibiting misreps about user control and sharing with 3rd parties. I still think there is a little slight of hand here because they make failures to disclose sound like express misrepresentations.
Count 4 alleges a violation of Part IV of the 2012 Order, which requires a comprehensive privacy program. I've already mentioned the novelty of this count, which faults an enforcement mechanism that is unevenly administered based on the financial benefit a violator brings.
Count 5 is the facial recognition opt out count. The allegedly deceptive language is summarized as a two word quote with an ellipses (or whatever [] is called). That is.... unconvincing.
Count 6 adds a Section 5 deception count for the undisclosed use of phone numbers for advertising. This *is* pled as a failure to disclose. B/c a failure to disclose (as opposed to an express statement) cannot be presumed material, P189 alleges the info was material to consumers.
(I think it's possible the practices underlying Counts 1-3 are described in the narrative as failures to disclose but are pled as misrepresentations in part to avoid discussions of materiality. Tricky!)
The rest of the complaint is boilerplate.
The rest of the complaint is boilerplate.
Ok, that's it for the complaint. I may dig into the order later, but that's been covered a lot more - even though what the FTC thinks the law is ought to be captured in the complaint, not the order.
My key takeaways from FB complaint: FTC used deception b/c showing substantial injury would have been near impossible. It played fast & loose with deception's materiality prong. FB's Whitelisted Developers practice looks egregious. And no mention of Cambridge Analytica! /END
@threadreaderapp please unroll
