Facebook has been fined by the US Federal Trade Commission for misuse of user data.
Perhaps this record-breaking fine is a precedent showing what awaits the tech giants in case of improper handling of user data. This is a direct response to the Cambridge Analytica scandal when data from more than 50 million Facebook users was illegally obtained by a political analysis firm.
These data were subsequently used to target American voters in the 2016 US presidential election.
In addition to the fine, the Federal Trade Commission introduces a number of rules on Facebook aimed at protecting user data. Let's consider this list of restrictions in more detail.
Facebook must control the use of third-party applications
Facebook should exercise more stringent control over the use of third-party applications, including by terminating cooperation with application developers who cannot confirm that they comply with the policies of the Facebook platform or cannot justify their need for certain user data.
The first requirement for Facebook is directly related to the main claims of the Federal Trade Commission to the company. The Consumer Rights Protection Agency points out that a third-party organization should not have had such easy access to the data of a huge number of users. The company, which owns the largest social network in the world, was obliged to take appropriate measures in the field of user data security.
In this case, Cambridge Analytica turned out to be a third-party organization, which used the data of more than 50 million users to their advantage.
Facebook is not allowed to send advertisements to users ’phones
The company is prohibited from using the telephone numbers of users obtained in the interests of ensuring their safety for advertising purposes.
The second requirement relates to cases when users enter their phone numbers on a social network to perform two-factor authentication. This security measure provides users with a text message with a unique digital code, which must be entered on the authentication page in order to access your social network account.
This phone number is provided by the user under the pretext of protecting his account from unauthorized access by third parties. Facebook data obtained in this way cannot be used to obtain financial benefits, including advertising.
Facebook should warn users about using face recognition technology
The company should ensure the formation of a clear and noticeable notice for users about the use of face recognition technology. In addition, she must obtain the consent of the user before each use of these funds.
The third requirement relates to Facebook’s ability to recognize the faces of users from photos uploaded to the social network. It indicates that Facebook should warn users about using face recognition software.
Facebook must implement a comprehensive user data protection program
Facebook should develop, implement and further maintain a comprehensive user data protection program.
The fourth requirement actually means that a data security oversight committee will be created.
“Just like we have a committee to control our financial activities, a committee will be created to ensure the security of users' personal information,” said Facebook CEO Mark Zuckerberg on Wednesday. - To implement this requirement, we will have to review the work of all our technical systems. They should record information about any risks regarding the integrity of personal information. In addition, the processing and decision-making algorithms will be revised when such events occur. We expect that to complete this important work we will need hundreds of engineers, in total more than a thousand people. ”
Facebook must monitor user password strength
Facebook should encrypt user passwords and regularly monitor the storage of passwords in encrypted form.
The fifth requirement concerns the procedure for storing passwords in a company. They must be stored in encrypted form. This is a measure of both external and internal security. Neither company employees nor hackers should know user passwords.
This is standard practice for any company that works with users in password access mode.
Facebook does not have the right to request passwords from email accounts
The company is prohibited from requesting passwords from e-mail accounts when providing various services, when users need to access these services.
One of the basic principles of Facebook is to identify users. One way to do this is to use information from third-party services that have already established the identity of the user. In other words, Facebook is no longer entitled to request Google login information.