- Facebook was slammed with a $5 billion fine by the Federal Trade Commission on Wednesday.
- The FTC announced the fine alongside a sweeping set of regulations being imposed on the company.
- The regulations are aimed at protecting user data in response to repeated mishandling of user data by Facebook.
It’s official: Facebook was hit with a $5 billion fine from the Federal Trade Commission as part of a settlement over claims the company mishandled user data.
The fine is a record for the FTC — perhaps a precedent for the kind of punishment that tech giants could expect for mishandling users’ data — and is a direct response to the Cambridge Analytica scandal, in which data from over 50 million Facebook users was improperly obtained by a political data-analytics firm.
The data was then used by the firm, Cambridge Analytica, to target American voters in the 2016 US presidential election.
Beyond the record fine, the FTC is also imposing a set of regulations on Facebook aimed at protecting user data. Here’s the full list:
1. “Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data.”
The first regulation on the list directly addresses the root of the FTC’s complaints: that a third-party company was able to access a massive amount of user data through Facebook without the social-media giant stepping in to stop it.
In this case, the third-party company was Cambridge Analytica, with data taken from over 50 million Facebook users.
2. “Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising.”
The second regulation directly concerns users inputting their personal phone number into Facebook for “two-factor” authentication. This type of security requires users to receive either a text message or a phone call with a unique numerical code before they’re allowed to access their Facebook account.
That phone number is handed over for security purposes, and so Facebook is being required not to use this data for financial gain (such as advertising).
3. “Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users.”
The third regulation pertains to Facebook’s ability to recognize faces from photos uploaded to the social-media network, and it says Facebook must alert users when facial-recognition software is used.
4. “Facebook must establish, implement, and maintain a comprehensive data security program.”
The fourth regulation is broad — Facebook is required to “establish, implement, and maintain” an oversight committee.
“Just as we have an audit committee of our board to oversee our financial controls, we’ll set up a new privacy committee of our board that will oversee our privacy program,” Facebook CEO Mark Zuckerberg said on Facebook on Wednesday. “To implement this, we’ll have to review our technical systems to document any privacy risks and how we’re handling them. Going forward, when we ship a new feature that uses data, or modify an existing feature to use data in new ways, we’ll have to document any risks and the steps we’re taking to mitigate them. We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work.”
5. “Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext.”
The fifth regulation concerns how passwords are stored by Facebook: The company must now keep passwords encrypted. This is a measure of both internal and external security: Facebook employees can't see user passwords, and hackers can't retrieve passwords that were stored without encryption.
This is a standard practice for any company operating a service with users who use passwords.
6. “Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.”
One major component of Facebook is verifying the identity of its users, and one way to do that is by using a third-party service that has already verified a person's identity. But that is a far more mundane practice than Facebook asking for the login information users have for third-party services, like Google.
As such, the sixth and final regulation imposed on Facebook by the FTC on Wednesday specifically says Facebook is not allowed to ask for that login information.