Facebook's byzantine privacy controls produce more confusion


Since last week’s chat exploit, I’ve received further tips of Facebook ‘security bugs’. Only each time they’ve turned out not to be bugs at all, but, well, features. With regard to the site’s privacy controls, users are clearly confused. This confusion, I suspect, is leading to oversharing, which Facebook’s critics say is intentional.

More sharing equals greater monetization opportunities.

As an example, a privacy quirk on Facebook appears to produce the following scenario: User A sends a friend request to user B, but user B chooses not to accept it, at least not yet (it’s a pending request, so they haven’t declined it either).

However, just by issuing that request, some of user B’s activity begins showing up in user A’s Facebook News Feed under ‘Most Recent’. This could be complete status updates if user B has chosen or inadvertently made those public (again, remember, this is a feature not a bug, a bit like following somebody on Twitter).

That’s probably OK, assuming user B knows what they are doing. But, more bizarrely, the feed could also show who user B has recently befriended.

In other words, while user A is being shunned, they get to see that other friend-requests are being accepted.


And, of course, user A also gets to see who those friends are. As far as I can tell, this is by design and, presumably, depends on user B’s privacy settings.

Confusing, eh?

The larger point is that Facebook’s privacy settings remain mind-bogglingly complex.

Not necessarily in themselves (the UI has improved over time), but because of the nature of Facebook’s rapid innovation: privacy remains a moving target. The site’s features, intended use, and terms of service today won’t be the same tomorrow; see this excellent diagram by Matt McKeon, which illustrates the problem perfectly.

The end result is user confusion, and people sharing a lot more information than they ever intended. It also produces socially awkward situations like the one above.

“But you shouldn’t put anything on Facebook or the Internet (Facebook is the Internet, remember) that you don’t want made public”, I hear you cry.

And our very own Paul Carr makes a similar point.

This is also the defense made by Facebook apologists over and over. And I call BS. It completely misses the point and lets the social network and its shifting terms of service off the hook.

Yes, I broadly agree: don’t put anything on the Internet that would ruin your life if it were made public. But that’s no excuse for Facebook effectively duping users into joining the site in huge numbers on the pretext that they were only sharing stuff with their “friends”, therefore locking them in via network effects on the basis that it was a closed/private social network – the anti-MySpace if you will – only to now be told it’s all about sharing publicly after all.

(Hat tip: @tweefer).

  • http://www.introAnalytics.com Nick

    All this from a site that, when at its origins, would not let you even join if you weren’t in the right college email domain (e.g @harvard.edu).

    There is thus a HUGE opportunity here for private social networks where privacy is easy to control.

    • http://www.marcus-povey.co.uk Marcus Povey

      @Nick: Will nudge you towards Elgg (http://www.elgg.org) :)

      (Declaring interest: I was formerly the senior architect on the project)

    • Guest

      That’s why there’s usurvive.com now. Same kind of wall like facebook.

    • http://www.shotbeak.com Simon

      Absolutely. If there ever was a gaping hole for a totally closed social, it is now.

      • kel

        For some people who are thinking that this will put a mole on facebook and in somewhat bizarre way, make it go down. Then I’ll say you’re dreaming.

        Facebook is so big right now that even it has a yet another privacy issues for the next 10 months. It will still continue to grow.

        Face that fact. I say twitter will go extinct first, before facebook.

      • Phil

        I agree, MySpace is invulnerable to challenges, it’s too big to fail.

        Oh wait, you said Facebook, that’s *totally* different. :P

      • flip


        You didn’t get the point of the comment that you’re replying on, don’t you?

        Ah yes! so if that’s your predicament. Google will fail any moment, coz Yahoo is on the verge of destruction now.

        oh wait was that different? :D

      • http://www.fbprivacynow.com sean

        Ignore this spamware a*&h*le Kel. They post a reply to the first comment to spam you with this link.

        Techcrunch ban this person. This is the second link on this post alone

      • joe

        That’s right! Totally closed social has come of age!!

        I am friends with only myself!! (oh ok, yes and mrs palmer) !!!

      • Alex

        You meant to say Mrs. Robinson, didn’t you?

      • http://www.whsper.com Jong

        If privacy is what you are looking for in a sharing platform, check out this new beta site called WHSPER (whsper.com). Allows you to completely compartmentalize your online relationships so that you have complete control over what you share and with whom.

      • Guest

        The only social network sites worth joining are .edu ones. They pretty much eliminate the spam because users take responsibility for themselves in most cases so they don’t get banned. Privacy settings are also much easier to lay out. FB had it pretty good in the beginning with just networks being able to see photos and not sharing your info with search engines to prevent non students from finding you. That’s all gone now and the site has become worthless because of spam, fake accounts, and trojan apps. Along with them changing people’s security settings all the time.

    • http://realestatekhoj.wordpress.com Vineet

      Completely agree to your point, but it’s giving a service that they have to monetize somehow... I can’t think of a better way. Or they ask the users to pay 2$ per account so that their information is not shared at all.

    • http://jobslackersonline.com Shawn

      @Nick: interesting comment, check out http://jobslackersonline.com it’s a job searching social networking site I just developed from scratch. I’m aiming to help people find jobs while having fun. We only can help one another during these tough economic times…

  • http://www.marcus-povey.co.uk Marcus Povey

    I spotted what appears to be a variation of the same issue: if B also invites C, and A & C aren’t friends then the process of invite will essentially put A & C on the same network, sharing things like photos.

    I can see this being used for abuse.

    Would love if someone else could confirm this.

    • http://www.sjbain.com/ Shervin Bain

      That might be because A & C have mutual friends, which is another privacy setting that confuses me.

      I’d rather not go through all the intricacies of the privacy settings, so I tend to leave everything blocked to anyone that isn’t a friend.

      • http://www.marcus-povey.co.uk Marcus Povey

        I agree..

        But the fact that these settings are so confusing, with so many unintended consequences is, I think, a bug.

        And in this case you are being exposed by the actions of a third party, which is just wrong.

    • http://@dnshmr Dana Ashmore

      I certainly dislike being observed by my ex-husband, who is obviously there to spy since he has no friends, not even his own children. He keeps coming up as a “suggested friend”, because apparently he has perused my site a bit. I want to communicate with my children freely, without him being able to find out information vicariously.

      Trying to customize my settings did not work when I tried to keep their nosy grandmother from viewing my information through my children’s accounts.

      • http://chrstnblog.blogspot.com ochibi

        you can communicate with ur sons/daughters visiting them like a normal person … internet screw our lives xD

      • Dana Ashmore

        Three of my kids are away at college, and Facebook helps us stay in touch. I do not like the fact that the father who left us and sees them once a year can sit there and snipe information that has not been disclosed personally to him.

      • http://intoolate.wordpress.com/ Marah Marie

        I’m sorry, but I don’t see why, if you must use Facebook (I must, after deleting another FB account, just to keep in touch with one person who uses nothing but FB to communicate online, so I know how it feels), why you can’t use some acronym of your name or *cough I did not say this since it’s a ToS violation cough* just make a name up that reminds you of you, then message your friends and relatives so they know where you are (and which name you’re using) on Facebook.

        I use an acronym myself – it’s my full name, but highly abbreviated. Why go through the stalker stuff if you don’t have to?

        Additionally, set your account so it can’t be found through search (I do), don’t post your personal details like address, occupation and/or employer’s name, and so on, and set your photos so only confirmed friends can see them…seriously, if the only people you’ll hang out with on Facebook already know all the little details about you, then there is no point in posting them for the world to see.

        Also hide whatever email address you use for Facebook, and if possible, make it an email account no one would ever tie to *you* just in case your account gets hacked either by someone you know or someone who just likes to hack.

        Lastly, don’t give apps permission to access your info.

        That covers most, but not all, of the privacy steps you can take on FB. Doing all this makes my FB page highly static and kinda boring but I don’t *really* want to be on FB anyway, I’m just sort of appeasing someone who doesn’t use anything else (not email, not IM, not anything) to communicate anymore, so since I had little choice, I went for every privacy option on FB there is.

        Just my two cents (also it helps, if your husband is after you, or any stalker-type, not to use your real name online at all, but that’s *your* call)…

  • http://ahyen.com jianchung

    This is just a classic case of end user manipulation. If the user does not protect themselves, Facebook won’t do anything about it. After all more traffic seeping through hairline cracks in the system might get more people connected.

    Also if you are looking at the marketing standpoint, even if the user does not accept the invitation to connect, he/she will still be pushed the information regardless and this might result in some action on the end user. This sounds pretty similar with television advertising…

    • http://www.introAnalytics.com Nick

      Mistrust builds anger and resentment in the end.

      It’s only a matter of time when Facebook’s numbers start declining due to users start removing themselves en masse.

      • Steve O'Hear

        I’m not sure users will leave en masse. As I said in the post, the network effects are very strong. The site’s demographics are also pretty wide, it’s for many the default way to share family photos, for example.

      • http://www.introAnalytics.com Nick

        Yes, they still have time to become a trusted brand because of the network effect.

        The thing with network effects though is that as soon as key influencers start leaving, the network effect of that is not to be underestimated. The herd mentality of others following that influencer can grow exponentially just as in the growth.

        All these early relinquishers of facebook need is a viable alternative, which as yet does not exist.

      • http://ahyen.com jianchung

        Well if you look at the trend, new users would tend to hop on to all the apps and result in mass sharing of their Facebook activity. The hype is spread by porting their other friends from other social networks and they get the same hype and hop on to the apps.

        The users who have gone through this stage actually just use Facebook as what it really is – just a social networking tool. Slowly but surely the login frequency will drop resulting in less activity in that network.

        This trend will continue until the wave of incoming new users is intercepted by a new and more addictive form of social networking and then Facebook will only have in their networks those who are too lazy to start their networks all over again in a different platform. Just like what happened to Friendster.

        Until then we can expect Facebook to expand exponentially and more users with limited knowledge and awareness in privacy will continue to be manipulated, keeping Facebook in the top 10 list.

      • Alex

        You miss the point. Nobody needs to ‘leave’ anything, they will just stop logging-in and that’s it. This is the way all the MMO and portals die, people just stop logging in and you are left with a spam list of e-mails (a huge one in this case :) ) that will become obsolete in a couple of months.

      • Meep.

        I would agree, but I’m of the party that cannot leave. I graduated from university in Southern California and then moved back up north to follow my opportunities. As such, I need Facebook to keep in touch with all my college friends as it’s the only real means to do so at this point — getting rid of Facebook would mean completely disappearing off of their map. I’m sure I’m not alone in being stuck in this case where while we would rather leave Facebook, until there’s a better alternative, we’re stuck with what we have.

  • http://www.fbprivacynow.com/2010/05/10/facebook-privacy-confusion-by-design/ Facebook Privacy Confusion by Design

    […] Facebook Privacy Control Confusion […]

  • crsh

    The bait & switch method elevated to business model. Bad practice.

  • Dude

    Just make sure you have “only friends” ticked for everything and not “friends of friends”

    My personal preference is “only friends” and “except limited profile”. then 450 of the 500 friends I have on FB don’t get to see anything.

  • xentrix
    • Alex

      This was a good one. Thank you so very much!

  • http://jacobian.biz jacobian

    Just believe in Facebook. Whatever Facebook is doing is for the greater good of mankind. :-)

    • http://twitter.com/mikebutcher Mike Butcher

      But of course…

  • highlyconcerned

    I really feel that the argument that only people engaging in illicit behaviour desire privacy is an outrage. If i don’t post things I have concerns about the whole world seeing on Facebook, then I have nothing to post. Pictures of my home I want to show my brother if open to the world could make me a target for theft. Pictures of my children could make them a target for some pedophile. I don’t desire privacy because I am a bad person, but because I know bad people are out there. If I posted such images under the promise that I could control who sees them and then that policy changes and I am harmed then the people who changed that policy should be held accountable.

    • http://ahyen.com jianchung

      Hmm…well if you are that concerned then probably you should just send them pictures through email? After all Facebook is not the only medium for sharing…just my 2 cents

      • highlyconcerned

        Trust me I am very much past Facebook not being for me. FYI Email is typically not a very secure way to share information either. I am aware of the issues and I control my use, thing is when I do so I find Facebook, well useless. My greater concern is for people who are not aware, they would be concerned, but honestly just don’t know what is going on.

  • Noah

    The default setting for everything needs to be FRIENDS or EVERYONE.

    And it needs to be an all or nothing setting by default. All your wall posts, all your photos, all your likes… show them to your friends only or have the profile open to everyone.

    THEN, if the user opts in, they can break it down. I want likes to be everyone, but photos to be friends only. And so forth…

    Privacy should always be a “private as possible” default settings, prompting users to opt-out of privacy instead of forcing them to opt-in.

  • http://changingway.org/ Andrew Watson

    If you’re willing to think this hard about privacy, then Facebook is not the place for you.

    • Jester

      Just as a piece of trivia. Mr. Zuckerman’s choice on Twitter, while he was there, was to protect his twits.

      • Alex

        You misspelled the name, his true name is Zuckerbooker… or maybe Zuckerbookie… I don’t quite remember, sorry.

      • ro

        Ack, replied to the wrong branch of the thread. Should have been here:

        Except that Zuckerberg doesn’t protect his updates:


  • Anon

    “More sharing equals greater monetization opportunities.”

    I don’t know about others, but when I make a comment about not putting anything on the internet that you don’t want to be public, it’s not a defense of lax security, it is an accusation: these sites can’t be trusted.

  • http://www.witstroll.wordpress.com Pankit

    The internet (Read Facebook) is taking over…

    read more about it on my blog

    If you’re reading this blog, more likely than not…you do have an online presence. You may be a facebook person, an orkut person, a twitter person…or even…what’s that new thing that won’t be so new by the time you finish reading this blog…oh yes…a foursquare person. Continue reading on : http://wp.me/pT2nK-1o

  • Matthew

    This is why I like Twitter’s privacy settings. Public or Private. That’s it.

    Why doesn’t Facebook realize that they don’t need to bait and switch their users to make bucketloads of money? You made the mistake in the beginning to default to private. You should have changed the default to public and left existing users alone. The sheer quantities of users means that enough will be public to monetize off of.

  • John

    Another example of user confusion on Facebook privacy:


    Hahha, people are posting about changing privacy settings but little do they know their posts are Public!

  • http://eu.techcrunch.com/2010/05/10/does-this-twitter-bug-force-anyone-to-follow-you/ Does this Twitter bug force anyone to follow you?

    […] been tracking down some of Facebook’s little quirks and flaws lately. But let’s get back to an old favorite. Twitter, which appears to […]

  • MattS

    Also, with this scenario, you get to see all status updates of the person where your friendship request is pending.

    But I was also wondering…maybe it’s just a poor choice of wording on Facebook’s end, and what they actually mean is “friend with (very) limited rights”

    The reason why I think this is because I still am pending on a couple of people’s accounts for months now, and I highly doubt they still haven’t made their mind up yet on befriending me or not.

  • http://www.torgo.com/blog/2010/05/can-i-have-a-word-in-private.html Can I Have a Word in Private? | Dan’s Blog (2.0)

    […] although social platforms like Facebook are adding richer privacy controls, there remain problems both with the implementation of these controls and in making them understandable to regular users. […]

  • kandy

    That “feature” has been around for MONTHS. Also, if you limit someone’s view of your profile, they can find status updates and what not if they do a general search for you, as long as they are some sort of “friend” — your limited stuff is not excluded from search results of that limited friend.

  • http://yourtechworld.net/?p=411 YourTechWorld » Facebook Adds Location Feature, Subtracts Privacy (Again) | 80beats

    […] navigating Facebook’s maze of security section to get the privacy setting you want requires a tour guide and a reservoir of patience. For your convenience, the Electronic Frontier Foundation has posted […]
