Those of you who have been following CLP’s involvement in United States v. Facebook know that, in our amicus brief submitted in October, I argued that the proposed settlement between the Federal Trade Commission and Facebook appeared to grant warrantless access to Facebook user data to both the FTC and the Department of Justice and, quoting the language of the settlement, that it did so “without further leave of court.” (CLP Amicus at 8)
Then, in December, Judge Timothy J. Kelley took the (I am told) unusual step of ordering both parties to respond to all the arguments presented by amici. Well, the responses came in last Friday, and the responses to CLP’s arguments were revealing. The government and Facebook apparently have conflicting views about what happens to your privacy under the terms of the proposed settlement order.
Facebook, for its part, spent only two short paragraphs responding to CLP. In its view, CLP’s concerns were unfounded because, first, “Any requests by the DOJ and FTC for user records or communications under the Stipulated Order would still be governed by the Stored Communications Act (the ‘SCA’).” (Facebook Response at 16) and, second, “Facebook does not need to produce personally identifiable information to satisfy the requirements of the Order.” (Id.) (Read Facebook’s entire response brief.)
Both the terms of the settlement order and the government’s response brief seem to contradict Facebook’s first contention. Again, note that the proposed settlement order specifies that the FTC (and the DOJ, which is given the power to stand in the shoes of the FTC for purposes of enforcement) is permitted to request more information from Facebook, “without further leave of court.” (Stipulated order at 28) The SCA, by contrast, even for “communications” stored over a longer period of time, requires at least some “leave of court,” even if only that required for a subpoena. (For those communications stored for a shorter period of time, the SCA requires a warrant.)
The government’s longer response to CLP, by contrast, makes no reference to the SCA or anything else that might prevent it from seeking warrantless access to Facebook user data. In fact, the brief unapologetically claims the right to access such data. After misconstruing CLP’s argument with respect to the applicable law (we argued that even the majority holding in Carpenter calls into question the status of Facebook user data under the Fourth Amendment), the government cites a 2018 D.C. Circuit case holding “that Facebook users lack a ‘reasonable expectation of privacy’ in the Facebook content they voluntarily post on Facebook.” (Government Response at 14) The government also tries to assure us that the “recordkeeping provisions” are not “some sort of Trojan horse through which the government intends to acquire and use Facebook user data for undisclosed purposes,” but are “familiar part of agency enforcement actions and are intended to ensure ongoing compliance with the order.” (Id.) One can’t help but be reminded of the NSA “intending” to monitor foreigners, and yet collecting conversations of innocent Americans.
Further, the government asserts, “there is nothing in the Amended FTC Order that requires Facebook to provide any information about any specific user to the government.” (Id. at 14-15) No, of course not, and CLP never argued this. What we argued is that the Order seems to permit this, especially when it allows the government to demand “other requested information”–quite a broad catch-all, “without further leave of court.” (See CLP Amicus at 8, citing Stipulated Order at 28)
And with respect to personally identifiable data (such as your telephone number), whereas Facebook seems to think it can comply with the Order without turning such data over to the government (see above), the government, citing Smith v. Maryland, proudly asserts the legality of requesting and obtaining warrantless access to it: “a Facebook user’s telephone number is not protected by the Fourth Amendment.” (Government Response at 15) Note that it’s unclear whether the holding in Smith v. Maryland is even applicable to a situation in which someone provides his phone number to a service provider other than the telephone company. More importantly, CLP argues that the Supreme Court’s 2018 holding in Carpenter v. United States–yes, even the majority opinion–calls into question the original holding in Smith!
Most troubling, perhaps, is what the government says in the second-to-last paragraph of its response to CLP:
[E]ven if the Amended FTC Order could incorrectly be read to require production of Fourth Amendment-protected information, the Supreme Court and the D.C. Circuit have for nearly three-quarters of a century repeatedly rejected Fourth Amendment challenges to agency orders requiring document productions–as long as the agency’s requests are reasonable and related to the agency’s investigatory and enforcement powers.
Government Response at 15, emphasis added
So there you have it: the government contends that it is entitled to obtain whatever Facebook user data it wants, so long as the request for such data is “reasonable and related” to its investigation of and enforcement against Facebook with respect to Facebook’s privacy practices. How often is any government request for any sort of data not held to be “reasonable and related” to some power of our ever-expanding government? As I wrote in our amicus brief, if George Orwell were to be reading this today, he’d think he was reading The Onion.
(The government goes on to criticize CLP for not citing this standard, but CLP’s position was made clear in our brief: if the goal is to protect users from Facebook’s bad practices with respect to user privacy, the answer is not to further encroach on user privacy by making their data accessible, without a warrant, to the FTC and the DOJ! The standard quoted by the government, above, does not reference investigation of and enforcement against Facebook users, only against Facebook itself.)
While the Government and Facebook seem to have very different ideas about what happens to your privacy under the terms of the proposed settlement, both agree that Judge Kelley should “enter the Proposed Stipulated Order without delay” (Government Response at 16). CLP urges Judge Kelley to continue to take seriously his duty to ensure the Proposed Order’s “consistency with the public interest.” Until a Constitutional amendment such as the one currently being considered in New Hampshire becomes effective nationally, only judges can further clarify the scope of the “third-party doctrine” post-Carpenter and thereby protect our rights (and interests). The government should not be handed warrantless access to Facebook data, simply because of Facebook’s alleged misconduct.
Yesterday I had the opportunity to testify before the New Hampshire House Judiciary Committee in favor of CACR15, a proposed constitutional amendment I wrote along with Rep. Josh Yokela. The amendment would restore crucial Constitutional protections for individuals while, at the same time, preserving government’s ability to engage in legitimate criminal investigations. It does this by precisely restricting the scope of the “third-party doctrine” to that it originally enjoyed: government obtaining information shared as part of a criminal scheme. Under CACR15, information shared, for a limited purpose, as part of a legally enforceable contract, would once again enjoy the protection of a warrant requirement.
Watch my full testimony (about 20 minutes) below. Thank you to Rep. Josh Yokela for having the vision to propose this amendment, and for inviting me out to discuss it. Many people care about privacy, but think nothing can be done about it. We’re trying to change that.
A couple irons I’ve had in the fire for some time are heating up this month. First, on January 22 I will be speaking before the New Hampshire House Judiciary Committee in support of a proposed Constitutional amendment that I drafted with Representative Josh Yokela.
You can read the full text here, but in essence the amendment would ensure that the warrant requirement–the requirement that law enforcement show probable cause and particularized suspicion before an impartial judge, in advance of a search or seizure–applies to data shared as part of a legally enforceable contract.
In so doing, the amendment implements, in concise language, my solution to the problem created by the U.S. Supreme Court’s unjustified expansion of the so-called “third-party doctrine.” Those of you who have followed my work are familiar with this doctrine and my critique of it, but for the benefit of those who are new to me or my work:
The third-party doctrine says: once an individual shares information with a “third party” (phone company, bank, social media platform, etc.), the warrant requirement no longer applies to that information. In other words, government need not obtain a warrant before obtaining the information from the third party. Why does the doctrine allow this? The primary rationale offered is that, once an individual shares information with a third party, he no longer retains a “reasonable expectation of privacy” in it. Even if you happen to think you’re sharing information for only a limited purpose, and you expect it to remain private otherwise, the Supreme Court decided, back in the 1970’s, that your expectation is not “reasonable.”
My critique: Contrary to what some Supreme Court justices wrote in Carpenter,this doctrine did not originate in the 1970’s. It grew out of a series of earlier cases called the “secret agent cases.” You can imagine Tony Soprano, in his basement, noisy appliances running to defeat any attempts at bugging, making plans with one of his colleagues/confidants to carry out criminal conspiracies. In those early cases the doctrine provided that, were the colleague/confidant later to rat on Soprano, this would not constitute a search for purposes of the Fourth Amendment. No warrant was required.
This is the sort of context in which the doctrine was applied for decades, until the 1970’s, when the Supreme Court transported it into an ordinary–i.e., non-criminal–business context. Suddenly, with little explanation, the doctrine was held to apply not only to the information shared by the Tony Sopranos of the world, but also to you and me when we share information daily, simply to obtain the goods and services that enrich our lives.
These holdings from the 1970’s were, in my view, unjustified. To see why, we need only apply common law doctrine explaining the difference between the lack of “reasonable expectation of privacy” that naturally exists in the criminal context, and the reasonable, legitimate expectation that you and I retain when we share information with a third party for a limited purpose. That distinction lies in the sort of agreement that exists in each context, and the enforceability of that agreement at common law. In the Tony Soprano scenario, he and his colleague are engaged in an illegal contract, a contract the primary purpose of which is to achieve an illegal (rights-violating) end. Such contracts are unenforceable at common law–including any provisions of such contracts requiring secrecy. In other words, in the secret agent cases, there was no legally enforceable agreement in place protecting the privacy of the information.
The same is not true, however, in the ordinary business context. When you and I make agreements with banks, telephone service providers, internet service providers, retailers, etc., etc., the agreements often, if not always, include promises to use the information collected for only limited purposes. And because these are overall valid, enforceable contracts, provisions like these should be enforced. Consequently, any expectation of privacy we do retain when engaging in such contracts should be deemed “reasonable.” In other words: government, if you want that information, get a warrant. Don’t treat us all like criminals.
Now that I have explained the distinction, let’s look at the text of the proposed amendment. It adds a mere 25 words to Article 19 of the New Hampshire Constitution, to include, among the things in which “[e]very subject hath a right to be secure from all unreasonable searches and seizures…information provided as a part of a legally enforceable contract that is to be used only for a limited purpose and otherwise kept confidential.”
The amendment, if adopted, would literally legalize privacy in the state of New Hampshire, by making it possible for citizens of New Hampshire to make valid, enforceable contracts in which they share information for a limited purpose, and thereby retaining the most privacy possible while obtaining the various goods and services that enrich their lives.
I thank representative Josh Yokela for having the vision to propose this, and for allowing me the opportunity to explain and promote the amendment to the committee. I’m looking forward to it!
Just two days after that hearing, on January 24, a round of briefs are due in United States v. Facebook. In that case, Judge Timothy J. Kelly has ordered both Facebook and the Government to respond “to all the arguments presented by all amici curiae.” That includes the arguments presented by CLP in its brief back in October.
I’m excited about the progress that we’ve made over the last several months! If you want CLP to continue to Legalize Privacy in 2020, donate here. We simply cannot continue to do it without your support. Thank you!
Law360, a legal news site for professionals, published an article about three amicus briefs filed in United States v. Facebook. CLP’s brief was featured in the headline, “$5B Facebook Deal Lets Gov’t Grab User Data, Court Told.” A second amicus brief was filed by “a coalition of four consumer advocacy groups,” and they, like EPIC, were concerned that the proposed settlement wasn’t hard enough on Facebook, “letting the social media giant off the hook for ‘innumerable practices’–including its handling of children’s and health data–that extend far beyond the allegations of the FTC’s action.” EPIC also filed a brief, but has not given up on its motion to intervene in the case.
CLP has not taken a position on Facebook’s alleged wrongdoing. Instead, we’ve argued in the brief that, regardless of any of that, an appropriate remedy does not consist in granting to the FTC and DOJ warrantless access to Facebook user data. If you haven’t yet read our brief yet, you can find it here.
Support for this work is very much appreciated. Donate here.
Should an individual lose the protection of our Fourth Amendment’s warrant requirement simply because he or she shares information, for a limited purpose, on Facebook?
Today the Center for the Legalization of Privacy filed its first amicus brief, in United States v. Facebook, currently pending before Federal District Court in the District of Columbia. The case concerns whether the Court should approve a settlement reached between Facebook and the Federal Trade Commission, embodied in this stipulated order.
In its brief, CLP argues that:
(1) The Stipulated Order, as written, can reasonably be interpreted to grant the FTC and the DOJ warrantless access to Facebook user data.
(2) The order, insofar as it does this, relies upon an unjustified assumption about the validity and scope of the so-called “third-party doctrine.”
(3) That assumption is particularly unjustified in light of Carpenter v. United States
From the brief’s conclusion:
CLP’s mission is to “legalize privacy” generally: to allow individuals, once again, to use the tools the Common Law put at their disposal to create and protect states of privacy for themselves, according to their own tastes and preferences. An individual should not lose the protection of our Fourth Amendment’s warrant requirement simply because he or she shares information, for a limited purpose, in order to enjoy any number of life-enhancing technologies now made available to us.
Full legalization of privacy will require, as argued above, that the third-party doctrine either be eliminated or narrowed to its original scope. CLP is aware that such a ruling by this Court would likely be overbroad given the narrow scope of the decision it’s been asked to make. CLP urges, at least, that any final order approved by this court specify that no identifiable Facebook user data be given to any government agent or agency—including the Commission, the Department of Justice, and anyone appointed at their pleasure (who are arguably de facto government agents)—without a warrant based on probable cause and particularized suspicion regarding that individual user. “Relevance” to the question of whether Facebook is or has been violating its contractual obligation to protect user privacy in a way that runs afoul of any number of FTC regulations, consent decrees, stipulated orders, etc., does not justify warrantless access to personal information about the individual citizens who are its customers. Not in a free country.
If you would like to read the entire brief, you can do so here. It’s not long as briefs go, and I think it’s quite readable. Let me know what you think in the comments, below.
Today the Center for the Legalization of Privacy was granted leave to file an amicus brief in United States v. Facebook. The Center will use its novel theory of the third-party doctrine to argue that it’s not a good idea, as a remedy for alleged misuse of data by Facebook, to grant warrantless access to that data to two government agencies for twenty years (maybe more).
You can read the motion below. If you’d like to donate to support this effort, there are currently three ways:
Very excited to be interviewing Timothy Sandefur, Vice President for Litigation at the Goldwater Institute, TOMORROW! The topic will be the Arizona Constitution’s “Private Affairs” clause, and what it means for the legal protection of privacy in AZ (and maybe elsewhere). Tune in and watch live, 6:30 p.m. ET (3:30 p.m. PT) at this link:
My co-host of “None of the Above” was ill this week, so I used the opportunity to geek out for a full hour on privacy, and the prospects for, as I put it, “checking out of Hotel Panopticon” (saving privacy). Check it out here:
What theory of privacy do I plan to bring to bear here? Those who have followed me for some time already know what it is, but for those of you who are new, I’ll give you the answer I just gave to someone who asked me the question on Facebook.
Background: From the beginning, when Leonard Peikoff first asked me to “find out whether there was a right to privacy,” as research for his radio show, I found the arguments for a distinct right to privacy unconvincing. I thought, instead, the proper legal protection for privacy should rest on rights to property and contract. I wrote my dissertation to that effect, and my revised understanding of my position, in relation to the academic literature, is here: http://www.law.nyu.edu/…/default/files/ECM_PRO_060963.pdf
The cool thing about my way of conceiving of privacy is that it allowed me to think of a solution to the problem of the “third-party doctrine”–the 4th Amendment doctrine saying that you no longer have a “reasonable expectation of privacy” in information you share with a “third party.” (E.g., Facebook). If you no longer have that expectation, so the doctrine says, it’s not a “search” within the meaning of the 4th amendment when the government obtains your information from the “third party,” and so no warrant is required. So, for example, the recent “settlement order,” which has the pretense of “oversight,” is enough of a reason for the FTC & DOJ to have access to your data.
In my view this is a bunch of garbage, and in fact the whole third-party doctrine should be scrapped in favor of a consistent application of common-law contract. How you can do this, and still retain proper functions of law enforcement, was the subject of my last law review article:
I have reason to think my view of this doctrine can actually be accepted, and is not at all pie-in-the-sky, due to the approach Justices Gorsuch and Thomas, in particular, used in analyzing the recent Carpenter case. (Gorsuch is closest to understanding my view.)
If you would like to help me get this theory before the Court, perhaps as part of challenging the FTC’s recent takeover of Facebook, donate here.
What follows is an excerpted and annotated version of the FTC’s “Stipulated Order” representing its “Settlement” with Facebook. It’s dated July 24. I’m giving you the lowlights, as I see them, plus my “translations.” If you like, and if you have a strong stomach, I invite you to read the whole order here.
“Defendant agrees that the Department of Justice shall have the same rights as the Commission to engage in compliance monitoring as provided by Part XV of the Decision and Order set forth in Attachment A, as well as the same right as the Associate Director for Enforcement for the Bureau of Consumer Protection at the Commission provided under Part VIII.B to approve the person(s) selected to conduct the Assessments described in Part VIII of the Decision and Order set forth in Attachment A, subject to any applicable law or regulation.” (page 4)
Translation: Anything the FTC can get or do as a result of this “settlement,” so can the DOJ. This becomes particularly relevant when you see some of the last paragraphs of the order, the ones which inspired the title of this blog post.
“If a User deletes an individual piece of Covered Information but does not delete his or her account, nothing in this paragraph shall be construed to require deletion or de-identification of metadata (e.g., logs of User activity) that may remain associated with the User’s account after the User has deleted such information.” (page 6)
Translation: All your metadata are belong to the DOJ, unless you delete your entire account in time. (And will that really work anyway, or is it already too late?) Deleting individual pieces of data is inadequate to protect your privacy.
I include this here because many are interested in the restrictions on Facial Recognition technology more generally. The provision is included in the agreement, I’m sure, so you are under the impression that the FTC is really looking out for you! Doesn’t it make you feel warm and fuzzy? There are other similar, tough-sounding provisions, in addition to the $5 billion fine they’re so proud of.
VIII. INDEPENDENT PRIVACY PROGRAM ASSESSMENTS (pp. 12-14)
“Each Assessment must: (1) determine whether Respondent has implemented and maintained the Privacy Program required by Part VII.A-J of this Order, titled Mandated Privacy Program; (2) assess the effectiveness of Respondent’s implementation and maintenance of each subpart in Part VII of this Order; (3) identify any gaps or weaknesses in the Privacy Program; and (4) identify specific evidence (including, but not limited to, documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is sufficient to justify the Assessor’s findings. To the extent that Respondent revises, updates, or adds one or more safeguards required under Part VII.E. of this Order in the middle of an Assessment period, the Assessment shall assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard;
“E. Respondent and its Representatives must disclose all material facts to the Assessor(s), and must not misrepresent in any manner, expressly or by implication, any fact material to the Assessor(s)’ (1) determination of whether Respondent has implemented and maintained the Mandated Privacy Program required by Part VII of this Order; (2) assessment of the effectiveness of the implementation and maintenance of subparts VII.A-J of this Order; or (3) identification of any gaps or weaknesses to the Mandated Privacy Program;
“F. Respondent and its Representatives, whether acting directly or indirectly, must provide or otherwise make available to the Assessor all information and material in their possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege;
“G. No finding of any Assessment shall rely primarily on assertions or attestations by Respondent’s management. The Assessment shall be signed by the Assessor and shall state that the Assessor conducted an independent review of the Mandated Privacy Program, and did not rely primarily on assertions or attestations by Respondent’s management;
My take: F contains some pretty broad language, right? The Assessor–again, someone who is basically appointed by the government–is supposed to conduct an “independent review” and, per the language of VIII. F., can get all “relevant” information, so long as there is “no reasonable claim of privilege.” I include the rest of the information about the assessments so that you can see there is a lot to which a piece of information might be deemed “relevant.”
“I. The Assessor may only be removed by Respondent from such position, subject to Part VIII.B, with the affirmative vote of a majority of the Independent Privacy Committee.“
Translation: Good luck getting rid of the government stooge, because it requires an affirmative vote of a majority of all the other stooges.
X. MANDATED INDEPENDENT PRIVACY COMMITTEE AND OTHER GOVERNANCE MATTERS (pp. 14-16)
A. Within one hundred and twenty (120) days after entry of this Order, Respondent shall create the Independent Privacy Committee, including adopting a new committee charter or amending the charter of an existing committee. The adopted or amended charter for such committee shall include the following qualifications, authority, and responsibilities, including:
Each member of the committee shall be an Independent Director, and each of the members of the committee shall meet the Privacy and Compliance Baseline Requirements;
Translation: We’re packing your Board of Directors with people who will be sympathetic to government “oversight,” because of the “baseline requirements” we will specify. Good luck!
5. The committee shall meet with the Assessor at least quarterly, and at the conclusion of each biennial Assessment;
Translation: The committee of aspiring stooges, now mandatory members of your board, will be meeting with the head stooge quite often! But wait! It gets better…
b. At each quarterly meeting, the committee (together with any other Independent Directors in attendance) shall meet with the Assessor in an executive session without management present to discuss matters involving the Assessment or other privacy-related issues or risks, as appropriate; and
c. At the meeting to review the biennial Assessment with the Assessor, the Assessor and the committee shall review the various elements of the Assessment, as well as (1) any material issues raised by the most recent Assessment or material unresolved issues from prior Assessments, and (2) in an executive session without management present, any problems or difficulties with management. Following the review of the biennial Assessment (at either the same meeting or the following meeting), management shall review with the committee its proposed remediation plans to address any such issues raised in the Assessment; and
Translation: All the stooges we’re deploying to take charge of your company, will be meeting behind your back to talk about you, and scheme about how to take even more control from you, on a regular basis, plus…
6. The committee shall evaluate the independence of the Assessor, and the Assessor shall not be appointed or removed by Respondent, subject to Part VIII.B, without the prior approval of a majority of the committee;
…if you don’t like the Assessor, it’s really too bad, because neither the assessor nor these “Independent Directors” are supposed to be your friends. Moreover, all the stooges have each others’ back, while they’re busy talking about you, and scheming about grabbing more control, behind your back.
B. Within one hundred and twenty (120) days after entry of this Order, Respondent shall create the Independent Nominating Committee, including adopting a new committee charter or amending the charter of an existing committee to provide that such committee shall have the following authority and responsibilities, including:
1. The committee shall have the sole authority to recommend the appointment of directors, or the nomination of candidates for election, to Respondent’s Board of Directors,such that Respondent’s Board of Directors may not approve any such appointment or nomination in the absence of a favorable recommendation from the committee;
2. The committee shall have the sole authority to recommend the appointment of directors to, or the removal of directors from, the Independent Privacy Committee, such that Respondent’s Board of Directors may not approve any such appointment or removal in the absence of a favorable recommendation from the committee; and
3. The committee shall determine whether the members of the Independent Privacy Committee qualify as Independent Directors and whether each member of the Independent Privacy Committee meets the Privacy and Compliance Baseline Requirements. The foregoing determinations shall be made prior to, or concurrent with, the formation of the Independent Privacy Committee for the initial members; and prior to, or concurrent with, the appointment of each new director to the Independent Privacy Committee for future members;
Translation: You no longer have control over the makeup of your Board of Directors and, moreover, the “Privacy and Compliance Baseline Requirements” (details of which are conveniently omitted here, #sorrynotsorry) will ensure that the members of the “Independent Privacy Committee” are sympathetic to government control and oversight.
C. Within one hundred and eighty (180) days after entry of this Order, Respondent shall adopt and file an amendment to Respondent’s Certificate of Incorporation (the “Charter Amendment”) in accordance with applicable Delaware law modifying the provisions of Article VI, Section 4 thereof with respect to the removal of directors as set forth in the form attached hereto as Exhibit 1, for the purpose of adding a new Article VI, Section 4(b) (hereafter “Supplemental Removal Provision”). Respondent shall not further alter or amend the Supplemental Removal Provision of Respondent’s Certificate of Incorporation for the term of the Order. Notwithstanding the foregoing, in the event that, prior to the effectiveness of the Charter Amendment, any person commences any legal or administrative proceeding or action (an “Action”), or any governmental or regulatory entity or body, or any court, tribunal, or judicial body, in each case whether federal, state, or local, issues or grants any order, judgment, decision, decree, injunction, or ruling that has the effect of delaying, restraining, enjoining, prohibiting, or otherwise preventing the approval, filing, or effectiveness of the Charter Amendment (individually or collectively, a “Restraint”) within 180 days after entry of this Order, that time period shall be extended and Respondent shall be deemed to be in compliance with the Order so long as: (a) Respondent diligently pursues in good faith the favorable resolution of such Action, and (b) Respondent adopts and files the Charter Amendment in accordance with applicable Delaware law as promptly as reasonably practicable following the resolution of the Action and at such time as such Restraint (if any) is withdrawn, vacated, or terminated; and
Translation: Our board-packing plan must be included in your corporate charter, to memorialize your capitulation.
D. Nothing in this Order shall be construed to expand, modify, or alter the fiduciary duties of the members of the Respondent’s Board of Directors or any committee thereof.
Translation: Of course we all know that having some members of a Board of Directors meet, behind closed doors, with an independent assessor, to discuss, among other things, “difficulties with management,” does indeed alter the fiduciary duties of members of the board (at least these “independent” ones). Nonetheless, everyone is supposed to pretend that nothing has changed. And we include the word “expand” in this paragraph just to throw you off the scent from the idea that the “independent” directors will not be loyal to Facebook–i.e., that their fiduciary duties will actually be contracted.
IT IS FURTHER ORDERED that Respondent shall:
A. Within forty-five (45) days after the end of each full fiscal quarter (but in no event later than the first meeting of the Independent Privacy Committee with respect to such fiscal quarter (as provided in Part X.A)) following the anniversary of the effective date of this Order, provide the Commission with its certification, signed by the Principal Executive Officer and the Designated Compliance Officer(s) on behalf of Respondent, that, with respect to such fiscal quarter: (1) Respondent has established, implemented, and maintained a Privacy Program that complies in all material respects with the requirements of Part VII of this Order; and (2) Respondent is not aware of any material noncompliance with Part VII that has not been corrected or disclosed to the Commission. In making this certification on behalf of Respondent, the Principal Executive Officer shall rely, and be entitled to rely, solely on the following: (a) his or her personal knowledge; (b) sub-certifications regarding compliance with Part VII, provided by knowledgeable personnel charged with implementing the Privacy Program; and (c) the Principal Executive Officer’s review of the summaries in the Quarterly Privacy Review Report required under Part VII.E.2.c.(i) for such fiscal quarter, as well as any material issues raised in Covered Incident Reports required under Part IX for such fiscal quarter. The Designated Compliance Officer(s) shall rely, and be entitled to rely, solely on the following: (a) his or her personal knowledge; (b) sub-certifications regarding compliance with Part VII, provided by knowledgeable personnel charged with implementing the Privacy Program; (c) material issues identified in the Quarterly Privacy Review Report required under Part VII.E.2.c.; and (d) material issues raised in the Covered Incident Reports required under Part IX for such fiscal quarter;
Translation: Mark Zuckerberg or his successor(s) must personally, explicitly, and formally reaffirm his capitulation to our demands on a regular basis. (I omitted, for your comfort, paragraph B, which requires the submission of even more “certifications”.)
XIII. COMPLIANCE REPORTING
IT IS FURTHER ORDERED that Respondent make timely submissions to the Commission:
A. One hundred eighty (180) days after entry of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, which: (1) identifies the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent; (2) identifies all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses; (3) describes the activities of each business; (4) describes in detail whether and how Respondent is in compliance with each Part of this Order; and (5) provides a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission;
B. For twenty (20) years after entry of this Order, Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following: (1) any designated point of contact; (2) Respondent’s corporate structure; or (3) the structure of any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order;
C. Respondent must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing;
Translation: Good luck trying to escape or shrug! We will know where you are at all times! (Oh, and you may as well send us a compliance report, too.)
IT IS FURTHER ORDERED that Respondent must create certain records for twenty (20) years after entry of the Order, and retain each such record for five (5) years. Specifically, Respondent must create and retain the following records:
… (Omitting paragraphs A-D, detailing a bunch of different kind of records, so that you have bandwidth to digest the really juicy ones. Basically, they say to keep records that will allow us to keep tabs on who has the data, and records of complaints, etc., that make Facebook look bad.)…
E. Each materially different document relating to Respondent’s attempt to obtain the consent of Users referred to in Part II titled Changes To Sharing Of Covered Information, along with documents and information sufficient to show each User’s consent; and documents sufficient to demonstrate, on an aggregate basis, the number of Users for whom each such Privacy Setting was in effect at any time Respondent has attempted to obtain and/or been required to obtain such consent;
Translation: You are required to keep records of each Facebook user for at least five years, but, scout’s honor, it’s only because we want to make sure you’ve gotten consent from them. (All the better to insist on the application of the third-party doctrine, right?)
G. All records necessary to demonstrate full compliance with each Part of this Order, including all submissions to the Commission.
Translation: We bet you won’t dare discard anything given the comprehensive language of this provision! Heh.
And, saving the very worst for last…
XV. COMPLIANCE MONITORING
IT IS FURTHER ORDERED that, for the purpose of monitoring Respondent’s compliance with this Order:
Translation: This is our excuse for the monstrosities that follow. We hope you’ll buy it.
A. Within fourteen (14) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury; appear for depositions; and produce documents for inspection and copying. The Commission is also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69;
Translation: We can request anything we want (“other requested information”), and all it takes is a phone call, regardless of our attempt to distract you in the first sentence about written requests, etc. (And, remember, someone from the DOJ can call up Facebook, just as the FTC can, per the first paragraph I excerpt, above.)
B. For matters concerning this Order, the Commission is authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview any employee or other person affiliated with Respondent who has agreed to such an interview. The person interviewed may have counsel present; and
My take: “Matters concerning this Order” is pretty broad, isn’t it? And remember, the DOJ is therefore also authorized to communicate directly with “any employee or other person affiliated with Respondent who has agreed to such an interview.”
C. The Commission may use all other lawful means, including posing, through its representatives, as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.
Translation: Just in case all of the above is inadequate for us to catch you doing something that will give us an excuse to retain or gain even more control over Facebook, we (and therefore also the DOJ) can use secret agents. Face it, Facebook, you’re toast. And, therefore, so are your users, insofar as they care about keeping their private information out of government hands in the absence of a warrant.
Would you like to help me do whatever is possible, using my unique theory of the proper legal protection of privacy, to fight this power-grab by the FTC and DOJ? If so, donate here. Make sure to add “FTC” in the optional comment field, and your contribution will be earmarked appropriately. I’m in the process of applying for non-profit, 501 c(3) status, and so I’ll do everything possible to ensure your donation will be tax deductible once the application is approved.