A new white paper -- "Understanding and Improving Privacy ‘Audits’ under FTC Orders" -- calls the Federal Trade Commission (FTC) on the carpet for its lenient approach to privacy audits required of tech companies like Facebook and Google.
"These audits, as a practical matter, are often the only ‘tooth’ in FTC orders to protect consumer privacy," wrote Megan Gray, an FTC attorney and non-residential fellow at Stanford Law School. "They are critically important to accomplishing the agency’s privacy mission. As such, a failure to attend to their robust enforcement can have unintended consequences, and arguably, provide consumers with a false sense of security."
While the FTC’s privacy audits are regarded as an efficient way of keeping tech companies in line with privacy commitments made to consumers, Gray urges the agency to improve its privacy standards if it intends to be serious about protecting consumers.
The paper illuminates how privacy audits are not actually audits as most understand them to be. Rather, because the FTC’s language only requires third-party "assessments," tech companies get away with submitting reports that are essentially a confirmation that they did all that was required.
Take Facebook for instance
A contemporary example would be Facebook’s run-in with its users’ privacy. Under the social media company’s agreement with the FTC, all it’s required to do is undergo twice-yearly privacy audits to show it isn’t misinforming its users about their privacy.
However, none of Facebook’s audits brought Cambridge Analytica’s data mining into question. Facebook had known about the misuse as far back as 2015, and Congressional leaders implied that the company wasn’t following the FTC’s instructions as rigorously as it should have been.
In the FTC’s complaint against Facebook, the agency harped on the word "deceptive" in questioning Facebook on how it handled users’ private information in areas like profile and app settings.
As an example, the FTC brought up the fact that in November 2009, approximately 586,241 users had used their Friends’ App Settings to "block" Platform Applications that their Friends used from accessing any of their profile information, including their Name, Profile Picture, Gender, Friend List, Pages, and Networks.
Yet, in Facebook’s December 2009 Privacy Changes, its users could no longer restrict access to their "publicly available information," and all prior user choices to do that were overridden. Although Facebook reinstated those settings soon thereafter, the FTC found that the settings weren’t stored to a user’s Profile Privacy restrictions and instead were essentially hidden.
Better protection of consumers’ privacy is needed
Gray offers several ways the FTC could improve its privacy audits. At the top of her list would be requiring the FTC to end its reliance on a company’s simple confirmation that its privacy protection is up to snuff.
Gray suggests that the current method could be greatly improved if the FTC detailed its expectations for what it wants privacy auditors to examine and had assessors report directly to the FTC instead of to the company being audited.
"Simply ‘staying the course’ puts consumers...in an untenable situation, with real-world consequences," concludes Gray. "It’s time to dive deeply into understanding these third-party privacy assessments and consider meaningful proposals for their improvement. The FTC is an extraordinary agency, and it is more than capable of rising to this challenge."
In an email to ConsumerAffairs, the FTC stated that Gray has no involvement with current privacy or data security investigations and that the comments made in her paper do not reflect the agency's views.