The Federal Trade Commission charged social network MySpace LLC with falsely representing the protection of its millions of users’ personal information. On May 8, 2012, the FTC made public its press release noting the conditions of the agreed settlement between the FTC and MySpace LLC.

So, what did MySpace do? According to the FTC, MySpace LLC led millions of users in the wrong direction about how the social network shared and protected their personal information that was collected via their personal profiles. The FTC said that MySpace provided its advertisers with its users’ Friend IDs; the unique identifier for each profile created on MySpace. The problem was not only that advertisers were able to use the Friend ID to find a user’s profile, but they were also able obtain the personal information that was made public by the user on his or her profile (age, gender, display name, user’s full name, profile picture – if provided, hobbies, list of user’s friends, and possible interests). This information was used to link web-browsing activity to the user.

MySpace LLC provides their privacy policy statements, which have not been revised since December 7th, 2010. Per their site, MySpace’s privacy policy is divided into different sections: Privacy Policy, Collection and Submission of PII and non-PII on MySpace, Notice: MySpace will provide you with notice about its PII collection practices, Choice: MySpace will provide you with choices about the use of your PII, Use: MySpace’s use of PII, Security: MySpace protects the security of PII, and Safe Harbor. These sections, in essence, advised its users that MySpace LLC would not share information for purposes other than those noted under each section, and that prior to use a user would be notified. Furthermore, another section promised that individual users would not be personally identified to third-parties, especially when it came to sharing web-browsing activity that was not anonymous. The privacy page further explains that MySpace is in compliance with the U.S. – EU Safe Harbor Framework and the U.S. – Swiss Safe Harbor Framework – framework which is set forth by the U.S. Department of Commerce. However, the FTC noted that MySpace’s privacy statements were deceptive in addition to violating federal law. In other words, MySpace was not practicing what they preached.

In the end, the social network agreed to settle. The FTC’s proposed settlement comes with several requests:

  1. Requires that MySpace LLC establish a “comprehensive” privacy program specifically designed to protect consumer information.
  2. MySpace is to engage and be subject to continued privacy assessments for the next 20 years by independent, third-party auditors. \
  3. The agreement “bars MySpace from misrepresenting the extent to which it protects the privacy of users’ personal information or the extent to which it belongs to or complies with any privacy, security, or other compliance program, including the U.S. – EU Safe Harbor Framework.”

In a 4-0-1 decision, the Federal Trade Commission accepted the consent agreement. However, this agreement is now open for public comment – closing June 8th, 2012. Then, the FTC will come to an accord whether it will make the consent order final.

“Shame on you MySpace” was written by Gabby Beltran. Gabby is the Public Information Officer and a Bilingual Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.