Sunday, January 03, 2010

Privacy on Facebook

Attention Facebook readers: You might want to click the "View Original Post" link at the bottom of this note. Facebook sometimes messes up the formatting. Irony: Writing about Facebook in an article available on Facebook and telling people to go somewhere else to read it.

Facebook is one of the world's most popular websites, with over 350 million users. An awful lot of those people share all kinds of information on Facebook that they wouldn't normally share with people, and a lot of them seem to have forgotten who they've added as friends when they update their status. I've seen people who post status messages like "Woohoo! Got laid tonight!", forgetting that mom, Aunt Mary, and the boss are all reading this. Privacy, or the lack thereof, has always been a big issue with Facebook. Thanks to some recent changes to their privacy policy and settings, an awful lot of people are sharing an awful lot of information with the world that they probably don't really want to share, and may not even realize that they are sharing.

Gail and I attended a "Facebook 101" seminar at a local school a couple of months ago. A local (Oakville) parent started looking into Facebook privacy, and was appalled at (a) the amount of information available by default to the world, (b) the number of people who don't know this, and (c) the number of kids joining Facebook and not considering the ramifications of what they post. He started doing this seminar so that parents unfamiliar with Facebook (and even those who are) were informed about the privacy aspects. There were a number of parents there who had older kids than ours, and whose kids were on Facebook. Some of them didn't really have a good idea what Facebook was or what their kids used it for. After the meeting, I checked on my privacy settings. I was aware of most of the information given in the seminar, and I had already changed my privacy settings, so I didn't have to make many changes. I then started poking around my friends' settings and their friends and so on just to see how much information I could glean about these unknown people, to see if what this guy had told us was really true, or if he was more of an alarmist, pointing out the extreme cases. Fairly quickly, I came across a fair amount of information about people I don't know, the best example of which was the page of my manager's teenage daughter, who I have never met. Her privacy settings were set wide open. Despite the fact that I was not her friend, I could see who her friends are, pictures of her, where she went to school, and even her her email address, home address, and home and cell phone numbers. I immediately emailed my boss to tell him, and a day or two later her page had been locked down. Even my very limited research told me that this was not an isolated case, and that the guy running the seminar was not an alarmist at all.

Facebook has recently changed its privacy policy as well as the privacy settings. The settings are much more straightforward than before, and it seems easier to lock down your personal information, but there are three huge issues with Facebook's privacy policy:

  1. As I said, it's easier to lock down your personal information - or at least it's easier to lock down the information that Facebook allows you to lock down. There are now some pieces of information (for example, your networks, sex, what city you live in, and your list of friends) that Facebook now considers public information, which means that you cannot prevent people from seeing that information. It is more than a little disturbing to me that Facebook has decided that they have the right to decide that for you and won't allow you to change it.
  2. The old default security settings weren't bad, for the most part – your friends and people in your network could generally see most of your information. There were some pieces of information that were available to everyone, but not everything was. But the second big change was to the default security settings – the new settings mean that by default, everything is globally visible. If you had modified your security settings before the change those settings were kept, so security-conscious people didn't notice any difference. But the vast majority of Facebook users had never touched their security settings, and are now sharing all of their information with the world.
  3. When you install a Facebook application, the application developers get access to all of your information, even if you've marked it as private. Even worse, the application developers get access to all of your friends' information as well. (This has always been true, but you used to be able to turn it off. Now you can't.) This means that every time you install an application on Facebook, my information (assuming I'm on your friends list) is sent to the developer, and not only do I not have any control over that, I am not even informed of it. The application developers are then free to do whatever they like with the information. Technically they are subject to Facebook's terms of service, which says that they are not allowed to use the data in any manner inconsistent with the user's privacy information, but there's no way for Facebook to police that.

If you don't like these rules, you can just delete your account, right? Well, sort of, but that still doesn't solve the problem. First off, Facebook doesn't give you any easy way to delete your account. There is a way to "deactivate" your account, but there's no "delete" button there. Apparently if you search hard enough you can find a way to delete it, but does Facebook actually delete your information from their servers, or just make it harder to find? Secondly, even if they do delete it, they still have backups of everything, so the information is all still available to them. Thirdly, (and this isn't specific to Facebook) if someone on the internet can see your data, then they can save it to their hard disk, and nothing Facebook does can delete that. At the seminar I mentioned, the guy showed pictures that were taken at a frat party back in the 90's, where two obviously drunk guys were standing at a party next to a stand-up cardboard cut-out of Hilary Clinton, and one of them had his hand on her breast. That guy, years later, became a speechwriter for Barack Obama, and when that photo re-appeared, he got into some serious trouble, jeopardizing not only his job but his entire career. Think about that when you post those pictures from last weekend's kegger.

I read a comment online somewhere that said something like "Facebook shouldn't be sharing information about their customers". Another commenter responded succinctly and summed up everything: "You are not Facebook's customer. Advertisers are Facebook's customers. You are the product." The more public information Facebook has on you, the more they can offer advertisers.

The easiest rule of thumb for internet security is: if you ever put anything on the internet, whether through Facebook, YouTube, a blog, a message board, or even email, whether it's information, pictures, or videos, whether it's intended to be publicly visible or not, you must always assume that it will be accessible by everyone - forever. Facebook is proving this – if you post information or pictures on Facebook and expect that only the people you allow to see it will be able to see it, you're wrong, and it's not because of some glitch that may or may not come up in the future, and it's not because someone might squirrel the information away and publish it themselves later. It's because Facebook is less concerned with your privacy than with how much they can make by selling it.

Here are a couple of related articles: one from the Electronic Frontier Foundation (EFF) and one from Jason Calacanis.

No comments: