
>Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;

>Facebook is prohibited from using telephone numbers obtained to enable a security feature (e.g., two-factor authentication) for advertising;

>Facebook must provide clear and conspicuous notice of its use of facial recognition technology, and obtain affirmative express user consent prior to any use that materially exceeds its prior disclosures to users;

>Facebook must establish, implement, and maintain a comprehensive data security program;

>Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and

>Facebook is prohibited from asking for email passwords to other services when consumers sign up for its services.

This is great! What do we need to do to get this to apply to other data harvesting companies like Google and Microsoft?



Which of the items in this list currently applies to Google or Microsoft?


>Facebook must exercise greater oversight over third-party apps, including by terminating app developers that fail to certify that they are in compliance with Facebook’s platform policies or fail to justify their need for specific user data;

That applies to Google and Apple, no? To apps in their stores.


>Facebook must encrypt user passwords and regularly scan to detect whether any passwords are stored in plaintext; and

Why are they storing passwords at all? It's not necessary for authentication. They should only be storing a hash, or better yet a public key derived from the password on the client.


It came to light that they were storing passwords in plaintext in an application log. In theory they only store hashes in places where they actually intend to store passwords.


I think this refers to previous stories where there were reports of passwords being logged as part of what I assume was request parameter logging.
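An added example, not code from the thread or from Facebook, of the two controls these comments describe: redacting password parameters before a request is logged, and a scan that flags where a password field still reached a log in plaintext. The field names, the REDACTED marker and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Parameter names treated as secrets (assumed list; extend for your application).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "new_password", "old_password"}
REDACTED = "REDACTED"


def redact_query(query: str) -> str:
    """Return the query/form string with sensitive parameter values replaced."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return urlencode([(k, REDACTED if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs])


def log_request(method: str, path: str, query: str) -> str:
    """Build the request log line, redacting before anything is written."""
    return f"{method} {path}?{redact_query(query)}"


# Matches key=value or "key": "value" forms for the sensitive names above.
PASSWORD_FIELD_RE = re.compile(
    r"""(?i)\b((?:new_|old_)?(?:password|passwd|pwd|pass))\b["']?\s*[=:]\s*["']?([^&\s"',}]+)"""
)


def find_plaintext_passwords(lines):
    """Scan log lines; report (line number, field name) for unredacted password fields.

    The value itself is deliberately not returned, so the scan report does not
    become a second copy of the leaked secret.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        for match in PASSWORD_FIELD_RE.finditer(line):
            if match.group(2) != REDACTED:
                hits.append((lineno, match.group(1).lower()))
    return hits


# Constructed sample log lines (not real traffic): line 1 and line 3 leak a password,
# line 2 was redacted at write time, line 4 merely contains the word "passwords".
LOG_SAMPLE = [
    "POST /login?username=alice&password=hunter2 200",
    "POST /login?username=bob&password=REDACTED 200",
    'POST /api/session body={"user":"carol","password":"s3cret!"} 200',
    "GET /search?q=passwords+in+logs 200",
]

if __name__ == "__main__":
    print(log_request("POST", "/login", "username=alice&password=hunter2"))
    print(find_plaintext_passwords(LOG_SAMPLE))
```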


Most of this is already restricted under GDPR, or at least is not advisable given the potential fines that could be imposed for a leak. Other parts of the GDPR which should help are blatantly ignored (e.g. privacy popups that are checked by default), so if the US were to implement similar legislation it would be a big win for privacy.


Facebook is also already subject to GDPR.



