Tuesday, 14 August 2012

Facebook slapped by FTC for failing to meet security promises


The US Federal Trade Commission (FTC) has finally agreed its settlement with Facebook.
In November 2011, the FTC published its investigation findings, listing eight issues that raised privacy and security concerns.
One issue in particular seems to have caught the security media's eye.
The FTC say that Facebook invited developers to submit their apps to its verification program, which promised to review and certify that apps were secure.
Facebook of course charged developers for this service. Fees were between $175 and $375 per application submitted. The social media company awarded the badge to approximately 254 platform applications, according to the FTC.
Facebook received up to $95,000 USD from developers who wanted their apps certified, reported The Guardian.

One tiny niggle that the FTC uncovered in its investigation [PDF]: Facebook took the cash, but never verified any of the apps.
"...before it awarded the Verified Apps badge, Facebook took no steps to verify either the security of a Verified Application’s website or the security the Application provided for the user information it collected, beyond such steps as it may have taken regarding any other Platform Application."
Ouch.
Among the terms of that settlement, which was finalised this past Friday, Facebook agreed to undergo third-party privacy audits certifying that it meets or exceeds the FTC's requirements for the next 20 years. Other conditions include:
  • Stop misrepresenting security and privacy policies regarding users' personal information
  • Obtain express consent when changing the handling of existing personal information
  • Prevent people from accessing information from deleted/deactivated accounts after 30 days
  • Establish and maintain a comprehensive privacy program addressing both new and existing products.
by Carole Theriault on August 13, 2012   Source-NakedSecurity
