Last week, Facebook launched some major new products, including social plugins, its Like button for the web, and its Open Graph API. It also launched a product that has some serious privacy issues: “Instant Personalization”, which automatically hands over some of your data to certain third-party sites as soon as you visit them, without any action required on your part. I’ve previously discussed at length why I think this could lead to a major backlash. And now four Democratic US Senators — Charles Schumer, Michael Bennet, Mark Begich and Al Franken — are calling on Facebook to change its policies.
This morning the senators sent a letter addressed to Mark Zuckerberg that details these issues (they’ve also separately reached out to the FTC, urging it to establish more rules around social networks). Here are the senators’ three main concerns, along with my own commentary:
1. Publicly available data. Facebook’s expansion of publicly available data to include a user’s current city, hometown, education, work, likes, interests, and friends has raised concerns for users who would like to have an opt-in option to share this profile information. Through the expanded use of “connections,” Facebook now obligates users to make publicly available certain parts of their profile that were previously private. If the user does not want to connect to a page with other users from their current town or university, the user will have that information deleted altogether from their profile. We appreciate that Facebook allows users to type this information into the “Bio” section of their profiles, and privatize it, but we believe that users should have more control over these very personal and very common data points. These personal details should remain private unless a user decides that he/she would like to make a connection and share this information with a community.
The senators are spot on: Facebook has been systematically stripping away users’ privacy one item at a time and adding it to the bucket of information it considers publicly accessible. It’s debatable whether or not a user’s list of friends, or Interests and Activities (which recently could be made private but are now all public Fan Pages) really constitute sensitive information. But the fact of the matter is that people built their profiles under the impression that they were private, and users don’t stand to benefit by having their control over this data reduced.
2. Third party data storage. Previously, Facebook allowed third-party advertisers to store profile data for 24 hours. We are concerned that recent changes allow that data to be stored indefinitely. We believe that Facebook should reverse this policy, or at a minimum require users to opt in to allowing third parties to store data for more than 24 hours.
I’ve heard from multiple sources that Facebook had almost no way to enforce the 24 hour third-party data storage policy, and that many developers routinely ignored it and kept data for longer than 24 hours. The big guys — Zynga and the like — have to keep everything above board, so this change is probably primarily directed at them. Comforting? Not at all. But regardless of Facebook’s policy it will have a hard time enforcing this.
3. Instant personalization. We appreciate that Facebook is attempting to integrate the functionality of several popular websites, and that Facebook has carefully selected its initial partners for its new “instant personalization” feature. We are concerned, however, that this feature will now allow certain third party partners to have access not only to a user’s publicly available profile information, but also to the user’s friend list and the publicly available information about those friends. As a result of the other changes noted above, this class of information now includes significant and personal data points that should be kept private unless the user chooses to share them. Although we are pleased that Facebook allows users to opt-out of sharing private data, many users are unaware of this option and, moreover, find it complicated and confusing to navigate. Facebook should offer users the ability to opt-in to sharing such information, instead of opting out, and should make the process for doing so more clear and coherent.
Again, spot on. The thought of a future where the Web is more social and customized to your interests is really cool. The fact that Facebook decided to enroll all of its users into this new futuristic web without asking them to opt-in is ridiculous. And while Facebook is restricting this program to only three services for now — Pandora, Yelp, and Docs.com — it obviously hopes to expand it.
Elliot Schrage, Facebook VP of Global Communications, responded to the senators with his own letter (embedded below). One key passage (emphasis mine):
Specifically, these new products and features are designed to enhance personalization and promote social activity across the Internet while continuing to give users unprecedented control over what information they share, when they want to share it, and with whom. All of Facebook’s partner sites interact with a user’s consent.
The problem here is that Facebook definitely did not get users’ consent to do this. Yes, there’s an option to turn off Instant Personalization in Facebook’s privacy settings. And yes, whenever you visit one of these Instantly Personalized sites there’s a bar at the top of the screen that you can also use to turn it off. Unfortunately, most people have no idea what any of this means.
Let’s get one thing straight: Facebook does offer quite a few privacy controls, and it offers a wealth of information describing them. In fact, it offers so much control and information that it is utterly overwhelming to most users, who simply don’t bother with it. Facebook knows that people don’t necessarily know what’s going on, but that hasn’t stopped it from racing forward at a clip pace. The social network may not like it, but it’s probably a good thing that these senators are looking to put a few speed bumps on the way.
Schrage letter via CNN.
Top photo by Steve Maller Photography