The Federal Trade Commission plans to allege that Facebook misled users about its handling of their phone numbers as part of a wide-ranging complaint that accompanies a settlement ending the government's privacy probe, according to two people familiar with the matter.
In the complaint, which has not been released, federal regulators take issue with Facebook's earlier implementation of a security feature called two-factor authentication. It allows users to request a one-time password, sent by text message, each time they log onto the social-networking site.
But some advertisers managed to target Facebook users who uploaded those contact details, perhaps without the full knowledge of those who provided them, the two sources said. The misuse of the phone numbers was first identified in media reports and by academics this year.
The FTC also plans to allege that Facebook had provided insufficient information to users - roughly 30 million - about their ability to turn off a tool that would identify and offer tag suggestions for photos, the sources added. The sources spoke on the condition of anonymity. The facial recognition issue appears to have first been publicised earlier this year by Consumer Reports.
The FTC declined to comment. Facebook also declined to comment.
The two privacy violations are included in a complaint tied to a settlement brokered between the FTC and Facebook, which sources said they expect to be announced Wednesday. The agreement requires Facebook to submit to unprecedented federal oversight of its business practices, as The Post first reported in May, including the creation of a special committee on its board of directors that regularly certifies that the tech giant is handling user data appropriately.
But the inclusion of those two privacy issues in the complaint highlights a critical question facing the commission: how to handle a litany of privacy scandals that came to light during the course of the FTC's 16-month investigation into Facebook, and whether the FTC will penalise the tech giant for those additional violations or give it a clean slate going forward.
As part of the settlement, Facebook won't be required to admit guilt, according to three people familiar with the matter. The FTC often allows companies to avoid admitting any wrongdoing as part of its agreements ending investigations, choosing instead to focus its legal firepower on securing substantial changes to an offending company's business practices. But the move could embolden critics who feel the agency was not aggressive enough in its negotiations with Facebook.
"There's a growing perception that the perceived effectiveness of what the agency's doing depends on [its] ability to extract this kind of acknowledgment of fault," said William Kovacic, a former FTC commissioner who's now a professor at the George Washington University Law School
Google avoided a statement of guilt when it was penalised by the FTC in 2012 for its privacy violations as part of an agreement with the agency that saw the tech giant pay a $22.5 million fine. On Monday, Equifax also did not admit guilt to the FTC even as it committed to the agency to improve its cybersecurity practices. The credit-reporting agency drew the FTC's attention after it suffered a massive security breach in 2017 that put 147 million Americans' personal data in jeopardy.
Adding to some critics' potential objections: The FTC did not question Facebook chief executive Mark Zuckerberg, two people familiar with the probe said Tuesday.
The settlement is weaker than the tough penalties - including a fine into the tens of billions of dollars - that some at the FTC initially hoped to obtain from Facebook, sources told The Washington Post over the course of a six-month investigation. Those issues prompted the FTC's two Democrats to vote against the settlement in July.