To “enable you to send us your questions, concerns, and feedback about privacy”, Facebook today launched “Ask Our Chief Privacy Officer”. Questions submitted through the form on Facebook’s Privacy Page will be answered once in a month in a Note by CPO Erin Egan. It’s one alternative for having your voice heard that Facebook announced would replace the recently abolished policy voting system.

Egan announced the feature this morning in Washington, DC at Facebook’s “Data Policy Day”. In her note about the launch, she admitted “We also understand that issues about privacy can be complex given the fast-moving nature of technology.” That may be a bit of an understatement. Facebook gives people an unprecedented way to communicate publicly.

To use “Ask Our CPO”, visit Facebook’s Privacy Page, click the “Ask Erin” box beneath the Timeline Cover, fill out the form, and hit ‘Submit’. Egan will then address a selection of the questions in a monthly Note published by the Privacy Page. Additionally, Egan will be available to answer questions in a regular live streamed video conference.

As an example of what you could learn from Ask Our CPO, Egan answered a few common questions about Facebook’s thoughts on privacy in her announcement of the feature. She looked at “

• How does Facebook think about privacy when building its products?
  Short Answer: Systematically thanks to a cross-functional privacy team and company-wide privacy training
• How do you personally use Facebook’s privacy settings to share?
  Short Answer: “Some people want to share everything with everyone, some want to share far less and with a small audience, and most fall somewhere in between.” Egan uses Facebook Lists to share with specific friends, and “Only Me” to privately scrapbook photos of her kids.
• Does Facebook sell my private information to advertisers?
  Short Answer: “No…We use the things you do and share on Facebook, including demographics, likes and interests to show ads that are more relevant to you.”

Theoretically, being able to ask questions gives user less of a voice than the old policy voting system. But in reality, the voting system was broken. An astronomically high 30% of Facebook users had to vote to make their decision binding, which was never going to happen. For example, in Facebook’s final policy vote about whether it should abolish voting, less than 1% of users voted.

Voting wasn’t necessarily productive anyway because there was an underlying problem with privacy on Facebook: People don’t fully understand it. Hopefully, Ask Our CPO can address this. The impetus will be on Facebook to promote the monthly answers to questions, possibly with notices in the form of sidebar or news feed ads.

Otherwise many people will continue stumbling in the dark when it comes to Facebook privacy. The social network needs people to understand and trust it so they’ll be willing to share more information that can earn it money and make Facebook more interesting to their friends.

Article courtesy of TechCrunch

The polls have closed on Facebook’s final site governance vote, with 588,803 votes (88%) opposed to the changes, and 79,697 of the total 668,500 in support. But since fewer than 30% of users voted, Facebook will implement the changes — eliminating the voting structure and integrating Instagram data. Facebook will seek feedback on future changes via other channels, and is free to use Facebook data to target eventual Instagram ads.

The vote that ended today at noon pacific time was the biggest in Facebook’s history, surpassing a vote in April 2009 that saw 665,000 people cast their ballots. Still, only 0.0668% of the site’s user base voted. Since the 300 million vote threshold for a binding vote wasn’t met, the strong opposition to the changes will only be taken under advisory and Facebook may implement the changes.

Now an independent auditing firm will analyze the results of the vote to ensure they’re legitimate  Facebook is likely to make an announcement tomorrow about the vote’s results and when the new versions of its Statement Of Rights And Responsibilities and Data Use Policy will go into effect.

Instead of putting changes up for comment and then a vote if 7,000 comments are received, Facebook will now attempt to pull in more qualitative feedback on how users feel about proposed site governance and policy changes. Users will be able to submit questions to the sites Chief Privacy Officer Erin Egan and chime in on webcasts with Facebook’s policy team. Though this might be seen a slight to users, the old voting system was badly broken. There was likely a better compromise available than simply eliminating the vote, but that time has passed.

Beyond the end of Facebook’s experiment with democracy, the most interesting outcome of the vote is that Facebook will be able to intermingle data with its affiliates including Instagram. That means any Instagram user that also has a Facebook account could have their personal Facebook data used to target them with ads on Instagram. Of course, Instagram doesn’t show any ads yet but many suspect it will start in the near future.

Instagram’s minimalist sign-up flow and bare-bones profile means it doesn’t collect a ton of data about who its users are. That could have posed a problem for targeting them with ads. But with this policy change OK’d, it’s legal to use gender, hometown, interests, work history, and other Facebook data to make these potential ads as relevant as possible. Facebook might finally start directly earning back the $775 million it paid for the photo sharing app.

Article courtesy of TechCrunch

If new Facebook users understand their privacy on the site, they’ll trust Facebook more and share more too. So Facebook has just made privacy education a central part of the sign-up flow. New users are taught about their default controls, how to limit the audience of their posts, and how ads and apps work. Facebook also added in-line privacy controls so users can customize their settings right from the start.

Without this new tutorial and the addition of in-line controls, rookie Facebookers would have to dig through privacy documentation and uncover controls buried in the site’s setting pages. They might’ve never done that, and then been alarmed to know Facebook uses their data to target ads, or that people could do a reverse look-up on them through their phone number.

If users get get burned by privacy confusion early in their Facebook experience, they might enter less personal info or ditch the site entirely. Especially in key, mature markets where Facebook is running up against market saturation, it has to make every sign-up count. It can’t afford to alienate these high lifetime value users.

Facebook’s Chief Privacy Officer for policy Erin Egan gave TechCrunch this statement:

“At Facebook, we’re committed to making sure people understand how to control what they share and with whom. We’re pleased to be rolling out more prominent and detailed privacy information to new users as soon as they begin the account sign-up process and we appreciate the guidance we’ve received from the Irish Data Protection Commissioner’s Office as we strive to highlight the many resources and tools we offer to help people control their information on Facebook.”

Here’s a full list of the topics users are walked through when they sign up for a Facebook account:

• Default settings
• Selecting an audience for information shared on Timeline
• Access to their data
• How they interact with applications, games, and websites
• How ads works on the site
• Tagging people and things
• Finding friends on Facebook through search and contact importers

Facebook mentioned that the changes were made that it received guidance on the effort from privacy regulators in the US, Canada, and Ireland. In fact, educating users about how their data is used and what Facebook stores about them was a core demand of the settlement Facebook made with the Irish Data Protection Commissioner’s Office last December. By then it was already getting more serious about privacy, adding in-line controls to the news feed publisher and profile as well launching tag review in August 2011.

If the new user education works, people could have less surprises later in their Facebook experience. That means fewer angry users complaining to regulators, or spreading negative feelings about the social network. Since Facebook’s business model thrives on the data its users volunteer, making sure they feel comfortable on the site is critical and this enhanced sign-up flow should definitely help.

There’s just one problem. There’s 1 billion existing Facebook users that didn’t benefit from this education. To get them to keep adding personal info that powers targeted advertising, game recommendations, and ecommerce suggestions, it will need to get them up to speed as well.

Article courtesy of TechCrunch

Facebook filed a 22-page letter with the Federal Trade Commission outlining its thoughts and recommendations for the commission’s proposed changes to the Children’s Online Privacy Protection Act (COPPA).

The social network lauded the FTC’s commitment to protecting children’s online experiences and privacy, but expressed concern about some language in the proposed change, which could hold Facebook liable in cases where third-parties use its social plugins and create additional burdens for Facebook, developers, publishers and parents. In particular, Facebook urged the commission to explicitly allow first-party advertising as an acceptable use of a child’s “persistent identifier,” such as an IP address or cookie ID.

The FTC is proposing that COPPA be expanded to apply to apps, games and online ad networks, in addition to the child-directed websites it currently covers. Some language in the proposal would deem website publishers and developers that use plugins like Facebook Login or the Like Button as “co-operators” with Facebook. Facebook Chief Privacy Officer Erin Egan, who wrote the letter to the FTC, suggests that the language in the proposal “fundamentally misunderstands the relationship between plugin providers and website publishers.” The social network, for example, makes plugins available but doesn’t choose which websites use them, which plugins they use or how they use them. Neither does Facebook share data with the third-parties that use its plugins. As such, the company wants to ensure that it would not be held liable under COPPA for offenses by web publishers or app developers that integrate with its platform.

The FTC proposal makes some exceptions for collecting and using children’s information as needed for “support for internal operations.” Facebook requests that the FTC clarify its definition of “support for internal operations” to include data captured by plugins and to explicitly include activities that do not impact children’s privacy, such as first-party advertising. The letter cites the commission’s previous reports that distinguish first-party advertising from third-party advertising because it does not raise the same privacy concerns and is generally an expected part of free websites and online services.

Egan further recommends that COPPA not include language that requires operators of child-directed sites to “treat all users as children” and obtain parental consent even if they otherwise have knowledge that a user is 13 years or older. For example, if a user has signed up for Facebook, the user has verified that they are over 13 by providing a birthdate. Egan says this should apply to third-party sites that integrate plugins without requiring additional consent or age verification. “It would be nonsensical to require an operator to obtain verifiable parental consent before collecting information from a parent,” Egan writes.

As we’ve previously written about, Facebook could ultimately serve as a means for age verification all around the web. In its letter, the company suggests that the commission could add explicit clarification that publishers can use a common mechanism to obtain verifiable parental consent, as Microsoft, Disney and a number of organizations have suggested in their comments to the FTC. Doing this, Egan writes, would minimize the burden on parents by reducing the number of times they have to give consent and eliminate the need for multiple detailed privacy notices. Instead, parents could give consent and get notice up front. They would then then get a more specific notice when a child wants to play a game or use a new app. If a platform provides this ability, Facebook argues, it should not assume liability or turn the platform into a “co-operator” with third-party apps or websites that implement it.

The Wall Street Journal reported in June that Facebook was taking steps toward allowing children under 13 to be allowed on the site, including creating mechanisms that would connect children’s accounts to those of their parents. Facebook has not publicly shared whether it is planning to lower its age limit or how it would do so.

Article courtesy of Inside Facebook

Following up on disturbing reports that some employers are asking applicants to turn over their Facebook usernames and passwords, Facebook’s Chief Privacy Officer on Policy, Erin Egan, hints that the company is looking into drafting new laws to protect users from violations of their privacy like this.

Writes Egan on the company’s Privacy page:

“Facebook takes your privacy seriously. We’ll take action to protect the privacy and security of our users, whether by engaging policymakers or, where appropriate, by initiating legal action, including by shutting down applications that abuse their privileges.”

The issue involving employers asking for users’ Facebook credentials recently caught the attention of the ACLU, which had previously become involved in a similar case back in 2010. The case was also cited by an AP report on the trend earlier this week.

During a reinstatement interview at the Maryland Department of Public Safety and Correctional Services, Robert Collins was asked to provide his Facebook username and password, which the agency said they needed to check for gang affiliations. Although Collins said he was shocked by the request, he felt he had no choice but to comply because he needed the job. The agency later reconsidered its policy, asking applicants to “voluntarily” provide their username and password instead.

“Voluntarily,” however, is still wrong, and Facebook seems to agree.

Egan points out that all of this is a violation of Facebook’s Statement of Rights and Responsibilities, which explicitly states that users cannot share or solicit a Facebook password. The pertinent section reads:

You will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.

He also notes that, by requesting such information, employers may be unknowingly be putting themselves in other potentially troublesome legal hot water. Perhaps they’ll discover someone is disabled, an ethnic minority, LGBT, a senior citizen, etc., and then get into trouble for not hiring them.

“For example, if an employer sees on Facebook that someone is a member of a protected group (e.g. over a certain age, etc.) that employer may open themselves up to claims of discrimination if they don’t hire that person,” writes Egan.

In the announcement’s conclusion, however, comes the key part: Facebook will look into ways to see this practice of password-sharing stopped, even if it involves litigation or new laws. Facebook says it will engage policy makers on the matter, initiate legal action and even shut down applications that abuse their privileges.

That latter part involving rogue apps isn’t really related to this employer abuse situation, but falls under the larger umbrella of protecting Facebook users’ privacy.

The full announcement is available here.

Article courtesy of TechCrunch

Spreecast, a social video platform that lets people broadcast together, is adding the ability to embed ‘spreecasts’ on their blogs, free of charge.

The brainchild of StubHub co-founder and investor Jeff Fluhr, Spreecast can be used publicly or privately to create interactive, social online video broadcasts. Up to 4 people at a time can be face-to-face, streaming their conversation live while hundreds of others can watch, chat, and participate by submitting comments and questions to those on-screen. Viewers can also request to join on camera, while producers of the Spreecast can manage the action. Spreecast is also integrated with Facebook, Twitter, and Google+ so that producers and creators can broadcast their conversations to their friends, followers, circles, contacts and connections.

For Spreecast, adding the ability to embed these video broadcasts is another way to let people take part in the conversations happening on the platform. Spreecasts can be embedded with a simple line of code in any blog or post. The embedded video comes in multiple sizes and includes a two-way video screen, built-in chat room, customizable Twitter stream, and Facebook Comments.

We’ve actually embedded a conversation between Chris Kelly, the former Chief Privacy Officer of Facebook, and 4INFO founder Zaw Thet below (which will start as 10:30 PT).

Spreecast has raised $4 million in funding from Frank Biondi, former CEO of Viacom; Gordon Crawford, media and technology investor at The Capital Research Group and Edward Scott, Jr., founder of BEA Systems.

Article courtesy of TechCrunch

Facebook has confirmed with me that it has undergone a corporate reorganization. ”We can confirm that in order to streamline the product development process, we have reorganized our technical teams into product groups that report into Mark. These groups will be lead by Bret Taylor, Chris Cox, Greg Badros, Mike Schroepfer, and Sam Lessin.” Though Facebook didn’t formally name the divisions headed by these company leaders, their areas of focus are CTO Taylor – mobile, VP of Product Cox – general product, Badros – ads engineering, VP of Engineering Schroepfer – engineering, and Lessin – Timeline / profile.

Rumors of the reorganization were first published by AllThingsD’s Liz Gannes last night. The company has grown quickly over the last few years, making it difficult to keep those working on related products in sync. Refocusing around these areas should help Facebook make the product development process faster and less erratic. It will also make it easier for CEO Mark Zuckerberg to communicate his vision down to those building and supporting the different facets of the service.

Facebook recently installed two Chief Privacy Officers as part of its settlement with the FTC, Erin Egan for policy and Michael Richter for product. Their roles are to oversee Facebook product development to ensure that privacy is protected and that Facebook upholds the promises it made to the FTC. The new vertically integrated structure will facilitate this oversight and help prevent the building or launch of products that could jeopardize user privacy.

Facebook had 2000 employees a year ago and is aggressively hiring as it prepares to move into its new “1 Hacker Way” 3600 person capacity headquarters (with room to build more offices). While the company has prided itself on staying lean and remaining relatively flat, the reorganization represents necessary growing pains as the company matures. “Move Fast and Break Things” was a strategy that allowed it to iterate quickly and grow a huge lead in social networking. However, with more public scrutiny and an expected $100 billion IPO, the stakes are higher now.

By creating these 5 lieutenant positions that report to Zuckerberg, Facebook will be able to marry efficiency and purpose with innovation.

Article courtesy of TechCrunch

In a blog post regarding today’s FTC settlement, Facebook CEO Mark Zuckerberg also announced that the company has officially split the Chief Privacy Officer role into two parts, to be filled by existing Facebook employees Erin Egan and Michael Richter.

Richter, who will be taking the CPO — Policy role, was Facebook’s Chief Privacy Counsel on its legal team and now will be focused on the product side of Facebook’s privacy policy, serving as a key figure in Facebook’s internal privacy review program.

Erin Engan, who will be taking on the CPO — Product role, came to Facebook from the law firm Covington and Burling where she served as co-chair of their global privacy and data security practice. She held the Director of Privacy role at Facebook prior to today’s changes.

Entrepreneur and former Attorney General candidate Chris Kelly held the last Facebook CPO role. When he left, Richter served as Chief Privacy Counsel in lieu of a formal CPO position.

With the new focus on privacy regulations, Engan and Richter will ostensibly have a lot on their plate; Facebook will undergo privacy audits every 2 years for the next 20 years as part of the settlement, in addition to having to abide by the following strictures:

– barred from making misrepresentations about the privacy or security of consumers’ personal information;

– required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;

– required to prevent anyone from accessing a user’s material no more than 30 days after the user has deleted his or her account;

– required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and

– required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.

Article courtesy of TechCrunch

Facebook CEO Mark Zuckerberg just issued a statement on the Facebook Blog confirming that his company has settled with the FTC over charges that it has violated user privacy over the years. Facebook is now “required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences”, effectively making all future privacy control changes opt in. Facebook must also submit to privacy audits every 2 years for the next 20 years, bar access to content on deactivated accounts, and avoid misrepresenting the privacy or security of user data. The settlement will hinder Facebook’s ability to release new products, as users are typically resistant to change and may be reluctant to opt in to new privacy controls.

Another core stipulation of the settlement is that Facebook change its product development process to ensure privacy is upheld. In compliance, Zuckerberg has created two new corporate officer roles, which we detail here. Chief Privacy Officer – Policy will be filled by Erin Egan, partner and co-chair of  international law firm Covington & Burling, while Chief Privacy Officer – Products will be filled by Michael Richter, Facebook’s former Chief Privacy Counsel. Facebook’s proposed package of changes to comply with the FTC will now go into a public comment period, and will likely be finalized and accepted by the FTC at the start of the new year.

The settlement will significantly impact how Facebook develops and rolls out products. Previously, product teams and engineers were in part free to build and push changes to the site’s interface. Facebook could also quietly push bigger changes that influence privacy to small portions of the user base to see how they react. This strategy of asking for forgiveness rather than permission will have to cease.

Changes will now require direct oversight from the new Chief Privacy Officers. Facebook will need to determine the most effective way to push users to opt in. This might include banners on the home page, email notifications, and other forms of alerts that could annoy users or make them overly concerned with their privacy. Unfortunately, getting 100% of the user base onto a new feature may now be impossible, rather than simply requiring a code push.

Imagine how difficult it would have been to get all of Facebook’s users to approve Places, its location-based checkin service that included a new location privacy control. Most of Facebook’s products thrive on ubiquity — they only work properly if everyone you know is on them. If Places launched now, you might only be able to check some of your friends in with you, because some may not have seen or may have ignored the option to opt in. This could have given an opportunity to disrupt Facebook to smaller location-based services like Foursquare which haven’t received such privacy scrutiny.

The one positive thing about the settlement: Facebook managed to avoid  promising to make specific changes to how it powers ad targeting with user biographic, interest, and activity data. Facebook is “barred from making misrepresentations about the privacy or security of consumers’ personal information”. Therefore, it may only need to include a line in its signup process explaining that advertisers can target users based on anonymized, aggregated personal data. The company’s core business model is safe for now.

The FTC’s 7 Complaints, and Finalizing Facebook’s Compliance Package

Zuckerberg cited the recent progress Facebook has made towards giving users better control of their privacy, but over the years its misstakes piled up giving FTC grounds to demand major changes. The FTC made 7 key complaints about how Facebook has handled privacy in the past, and many of the issues still stand:

• Facebook didn’t warn user that Friend Lists and other data would become public when it transitioned to a new privacy model in December 2009
• Apps can request access to almost any piece of user data, though Facebook said they could only access data they need to operate.
• The “Friends Only” privacy setting still allowed data to be accessed by third-party apps used by friends.
• The “Verified Apps” program didn’t actually verify the security of apps.
• A security bug caused Facebook to accidentally share personal data with advertisers when it promised it wouldn’t.
• Content on deactivated and deleted accounts could still be accessed despite claims to the contrary.
• Data of users in the European Union was transferred in violation of the US-EU Safe Harbor Framework.

Facebook has corrected some of these mistakes. The Verified Apps program has been shut down, and the bug that allowed personal data to be leaked to advertisers has been fixed. Facebook still isn’t always transparent — it didn’t link to or list the changes it proposed to the FTC in the Facebook Blog post.

Zuckerberg’s statement explains that the world’s privacy weighs heavy on him,”not one day goes by when I don’t think about what it means for us to be the stewards of this community and their trust.” He also says that Facebook code deeply integrates privacy protection, “We do privacy access checks literally tens of billions of times each day to ensure we’re enforcing that only the people you want see your content.”

However, Facebook’s progressive, fast moving product development cycle has led it to make some missteps over the years. FTC Chairman Jon Leibowitz says ”Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not.” The FTC voted 4-0 to accept Facebook’s package of changes and open it for 30 days of public comment starting today. The Commission will then decide whether to finalize the proposed consent order. The restrictions could negatively impact the $100 billion IPO Facebook is said to be planning for summer 2012.

Article courtesy of TechCrunch

The Federal Trade Commission announced a settlement with Facebook this morning over charges that the social network deceived users by failing to honor privacy agreements.

Under the agreement, Facebook:

• cannot misrepresent the privacy or security of users personal information;
• must get user consent before releasing changes that override existing privacy settings;
• must prevent people from accessing a user’s material no more than 30 days after that user has deleted their account;
• has to establish and maintain a privacy program that addresses risks that come with “the development and management” of products and services and that protects the privacy of user’s information;
• and — within 180 days and every two years afterward for the next 20 — must seek out third-party audits verifying that the privacy program is in place and that it satisfies the FTC’s order.

The agreement comes nearly two years after the American Civil Liberties Union and the Electronic Frontier Foundation raised concerns over Facebook’s 2009 changes to its privacy settings that exposed personal information — namely profile name, profile picture, list of friends, current city, gender, networks, and Pages — to a larger audience than the social network previously allowed. Earlier in 2011, it was reported that Facebook would settle with the FTC over charges that these changes deceived users and violated their privacy — making any changes that retroactively expose user data an opt-in instead of a mandatory change.

At this point, Facebook would have to take pretty intentional steps against the terms of the agreement to cause the FTC to pursue action against it again. In the last year alone, Facebook has also added or changed many features that affect privacy in ways that address the FTC’s complaint — like protecting user IDs from falling into the wrong hands.

In a Facebook response post to the agreement, Mark Zuckerberg says that he feels the platform has a positive track record for providing transparency and control over privacy settings.

“That said,” his post reads, “I’m the first to admit that we’ve made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we’ve done. I also understand that many people are just naturally skeptical of what it means for hundreds of millions of people to share so much personal information online, especially using any one service.  Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected. It’s important for people to think about this, and not one day goes by when I don’t think about what it means for us to be the stewards of this community and their trust.”

Zuckerberg also announced that Erin Egan will become Chief Privacy Officer, Policy and that Michael Richter will become Chief Privacy Officer, Products.

During a media call in session with the FTC, Chairman Jon Leibowitz, Bureau of Consumer Protection Deputy Director Jessica Rich, Division of Privacy and Identity Protection Associate Director Maneesha Mithal, and Division of Privacy and Identity Protection Staff Attorney Laura Berger explained carefully that the settlement does not count as a ruling that Facebook violated the law in changing its privacy settings or that it knowingly shared private user data with advertisers. They also stressed that, while this order is very broad, it prohibits any deception about privacy in the future whenever Facebook introduces changes or updates.

Article courtesy of Inside Facebook