
FTC Complaint Hits At Facebook Over Lack Of Breach Disclosures

A recently publicized report filed against Facebook by a security researcher and a BRCA advocacy group now alleges that the social media giant has marketed its Groups as a Personal Health Record (PHR) and then violated the FTC Act by sharing the private data publicly.

Specifically, the complaint accuses Facebook of using personal private data shared with the company by individuals to actively solicit users to join health- or patient-related ‘Closed’ Groups. According to the complaint, it then puts forward unfairly or deceptively defined privacy policies for those Groups and for ‘Secret’ Groups, even though those groups qualify as PHRs. When leaks of that private data have occurred, the complaint alleges, Facebook has failed to disclose the issue.

Within the groups in question, the complaint elaborates, Facebook users can share, and are sometimes encouraged to share, private information such as clinical reports or health-related photos. Groups also ask questions about members’ health conditions and sometimes require proof of a condition in order for inclusion criteria to be met. Users are often met with conflicting information about just how private that shared data is, and Facebook does little to clarify that.

An ongoing, multi-faceted problem

The 43-page-long complaint does point out that Facebook has made some changes to the way privacy is handled in Groups, but says the changes were not made for the express purpose of improving privacy. That’s in spite of news reports near the middle of 2018 that Facebook had been made aware of ongoing leaks of user data within its Groups directly related to patient collaboration and PHR purposes, as well as its policies on the matter.

According to the most recent filing, it is still too easy for users’ private data to be ‘scraped’, and the solution to the problem would be easy to implement if Facebook chose to do so. Privacy control is also still inconsistent across the board, even though the issue has been made known to CEO Mark Zuckerberg and Facebook is facing record-breaking fines from the FTC.

The FTC is presently investigating whether or not the plethora of privacy breaches and other issues that have arisen with Facebook since its Cambridge Analytica scandal broke in early 2018 violate a deal between the FTC and Facebook in 2011. That deal is related to the current complaint in that the company agreed at the time that it would obtain express consent from users before sharing their data with third parties.

The possible cost to Facebook

The complaint goes on to list a number of other key factors for consideration by the FTC, ranging from how Facebook handles republished screenshots from private groups to misconceptions about user control over who has access to their data.

The group delves substantially into the potential risks associated with leaked data too. That includes risks associated with requiring users to share their real names alongside information that could paint them as a target for violent groups.

Facebook has already been under a great deal of scrutiny and its above-mentioned negotiations with the FTC could ultimately result in a multibillion-dollar fine for the tech company, equating to a significant portion of its quarterly profits.

The latest complaint filed against the company would be much more impactful. According to the group, the FTC should levy a fine against Facebook at the maximum allowed amount for an FTC PHR breach — $41,484 per violation. By the group’s calculation, Facebook’s violations are continuous from the day it was initially informed of the problem. That could result in fines that cost Facebook tens of billions of dollars.

Full FTC Complaint - PDF