Friday, April 2, 2010

Facebook Doubles Down on Disdain for Privacy

Before I get to the latest astonishingly bad privacy policy of Facebook, let's take a trip back through some of the company's greatest hits. Now, as I have written here in the past, with the explosion in popularity of social networking sites, the ability to protect one's personal privacy has become increasingly challenging.

Social networking sites like Facebook (which I use) reveal a considerable amount of information about a user's lifestyle, interests, and goals. Depending on the user's settings, co-workers, employers, and certain family members could have access to information about the user that may be better left unknown.

But it gets worse, a lot worse. A recent study found that the 43 leading sites made privacy control settings difficult to find and to understand; and the defaults were almost always set to allow maximum dispersal of data.

Recent Facebook flaps have highlighted the growing concern about the increasingly sophisticated technologies used to track online activities in an effort to more precisely target advertising. What has also become apparent is that these social networking sites have not exactly been forthcoming about how much user information they harvest, share, and with whom.

On the bright side, users have been becoming more and more conscious of privacy concerns, as Facebook has been criticized for not allowing people to permanently delete their accounts and personal information from the site as well as their use of "Beacon" (no longer in use) - a technology that tracks users' online purchases and informs their friends.

But Facebook didn't stop there. Next, they released their new privacy settings, which were new but actually less private.

There's more "publicly available information" that you can't control; there was the official "recommendation" that users should loosen their privacy settings, since Facebook's recommendations are less private than the previous default settings; most users have to click through to another page of privacy controls in order to strengthen their settings; and finally, the default settings are all set to the LEAST private setting.

Even if your Facebook profile is "private," when you take a quiz or run any other application, that app can access almost everything in your profile: your religion, sexual orientation, political affiliation, pictures, and groups. And these apps may have access to most of the info on your friends' profiles too—which means if your friend takes a quiz, they could be giving away your personal information, even if you've never used an app!

The privacy settings that address this issue remain buried behind too many layers of menus and the new controls still fail to explain what applications can really see.

Then there's government and law enforcement access. Facebook reportedly receives up to 100 demands each week seeking information about its users. AOL reportedly receives 1,000 demands a month. In 2006, a U.S. Attorney demanded book purchase records of 24,000 customers. (In a show of loyalty to users, the company successfully fought back against the subpoena.)

As Nicole Ozer of the ACLU pointed out, "We shouldn't have to pay for these seemingly free online services with personal details about our lives."

With all that said, one would think that Facebook would have learned its lesson - or at least not come out with a plan that doubles down on its disdain for privacy. But that's exactly what they did last week (I was on vacation so couldn't post on it).

I gotta say, even I was a bit surprised by this brazen proposal. As Jared Newman of PC World notes:

Under Facebook's current rules you're asked first if you want to share information (your name, photos and friends list) with third-party sites. The proposed policy, which Facebook hasn't implemented yet, would bypass asking you for approval when visiting some sites and applications Facebook has business relationships with, sharing limited personal information automatically.

In other words, if Facebook deems a Web site or application trustworthy, it'll immediately grab your information when you visit or use it, provided you're logged into Facebook when that happens. Users will be able to opt-out, but it's not clear if this would happen on a user's settings page or by some other means. Facebook didn't get into specifics on when these changes will be made, why they're happening now or which sites will be participating.


Facebook users are understandably sensitive about what the site does with their personal data. In 2007, the site got into hot water over Beacon, which logged user activity on third-party sites even when they weren't logged into Facebook, and optionally published that activity to users' profiles. That resulted in a $9.5 million lawsuit settlement last December. This proposal differs from Beacon in that the user must be logged into Facebook to share data, and there's no indication that Facebook will log or publish what you do on those sites.

Facebook also retooled user privacy settings in December in hopes that people would make parts of their profiles public. That effort backfired when users realized their friends lists were made public even when the rest of their profiles were not, causing Facebook to relent and tweak its settings.


Facebook’s draft privacy policy states that we'll be able to opt-out of these sites, and we'll also be able to opt-out of these ‘pre-approved’ experiences entirely. But by default, we're all in. Seems a bit inconvenient, no?

Another immediate question I had was what personal information are they sharing? Here’s how Facebook defines the term ‘General Information’:

The term General Information includes your and your friends’ names, profile pictures, gender, connections, and any content shared using the Everyone privacy setting. We may also make information about the location of your computer or access device and your age available to applications and websites in order to help them implement appropriate security measures and control the distribution of age-appropriate content.

That's a lot of information if you ask me. As the PC World article notes, Facebook users aren't too happy about this new policy:

Right now, there are more than 900 comments on the blog post in which Facebook Deputy General Counsel Michael Richter announced the proposed changes. Most of them are negative (though more than 2000 people "like" the blog post itself). Users are particularly angry that the third-party data sharing is opt-out, meaning users will take part by default.

Let's hope a large enough outcry from users will suffice in Facebook rethinking this new policy...that really sets the bar for intrusiveness and bad privacy policy.

And, if you're like me, and had some problems figuring out Facebook's privacy settings, check out this two-part video series explaining how to do it right...something I'm going to go over myself again tonight.

Watch Part 1.

Watch Part 2.
