Why Privacy Failures Are In Facebook's DNA

Elias Bizannes is the chairperson and executive director of the DataPortability Project; founder of the Startup Bus; creator of the Silicon Beach community; and manages the finance function at search engine startup Vast.com. He previously was at PricewaterhouseCoopers Australia, where he rolled out a CEO-sponsored social media program to change collaboration practices at the firm and make it more “open”. In this guest post, he tackles the cultural roots of Facebook’s ongoing privacy problems and suggests a solution in the form of a clear data portability policy.

Facebook’s technological prowess is tarnishing its image, which could damage its long-term corporate success. What worked for Facebook when innovating as a startup with a superior service will not work when the technology manipulates the personal information of its community—without its perceived permission—especially once Facebook starts to monetize that information. If Facebook really wants to change the world, then it should start at home and not expect the world to adapt to it.

The Facebook Culture: Do Now, Fix Later
Facebook is famous for releasing new products and completely reinventing itself, often to the protests of its large community. When the live homescreen launched, it was filled with bugs that subsequently had to be fixed—and Facebook’s engineers were proud of this. In their eyes, they were compliant with what founder Mark Zuckerberg has styled this organisation to be: a hacker culture, permanently in beta—rapid innovation for innovation’s sake and a “because we can” attitude.

The hacker mentality extends to Facebook’s practices with member privacy. When Robert Scoble posted a private exchange with Zuckerberg, Zuckerberg expressed this culture with these words:

We’ve been listening to all the feedback and have been trying to distill it down to the key things we need to improve. I’d like to show an improved product rather than just talk about things we might do.

This is the kind of statement a good entrepreneur would make at most startups in Silicon Valley. It is not what the CEO of a globally significant company should espouse. Because when you already matter to the world, when you have built a community nearly 500-million strong, your existence is dictated more so by your environment.

Facebook is no longer a startup; it’s a company with a vast community, levying an impact so large that US senators bother to take the time to ask questions about company practices. Entrepreneurs might prefer a do-now, talk-later culture; but when you build a company on the philosophy of community and that has a global impact, you must engage members in a continuous dialog that demonstrates authentic concern for their needs and expectations.

“Stakeholder management”
If you expect to change the culture of a company or a community, you must manage the relationship with your stakeholders. I learned this important lesson when rolling out wiki and blogging tools at one of the world’s largest and most conservative private companies, tackling the specific problem of making the culture more open. I had the full support of my firm’s leadership to do what I wanted. Yet the middle management held me back because I didn’t recognize they were my stakeholders—and even though my vision was realized eventually, it took far longer than needed because I ignored a primary rule of leadership.

Stakeholder management isn’t just about listening, it’s about managing expectations and honoring relationships. Companies have stakeholders who are not just their shareholders; they are their employees, the local communities, and their customers (to name a few). These stakeholders might not have the traditional power of executive management or investors, but their vote matters just as much and sometimes more.

Facebook’s users may not be its customers, but they are its stakeholders. Because of Facebook’s hacker culture, the company can’t recognize the problem: even if it incorporates every pixel of feedback, it still is not going to succeed, because stakeholder management is less about logic and more about emotion. It’s giving people a sense of control over an outcome that affects them and their data.

Zuck: Take a lesson from the marketplace. (The real one.)
Facebook isn’t the only company with this challenge. Any company that is listed on a stock exchange is well aware of stakeholder management. A single surprise announcement that deviates from expectations can smash the market capitalization of a company overnight. It’s why continuous disclosure policies around the world are growing in popularity, where companies announce significant company changes progressively through the year; and why capital markets require quarterly reports and management estimates in the lead-up to an annual report.

Disclosing your expectations and having your stakeholders informed can determine how companies on stock exchanges survive. In this vein, Facebook needs to recognize that it is no longer good enough to rely on its hacker culture to charm its community. Hacking works for product development; it doesn’t work for privacy—and while Facebook is not (yet) a public company, it needs to start practicing better stakeholder management with its community if it hopes to play with the big boys.

That’s not to say stakeholder management will make Facebook boring and predictable. Look at Apple.

Apple is now one of the largest companies in the world and it’s anything but boring. And as its CEO Steve Jobs said on stage this week, the company still operates like a startup. It’s not an easy thing to do, but done right, magic can happen (like the complete reinvention of a company, an industry, and a person as has happened with the Apple story).

What’s Next: The Portability Policy
It’s easy to criticize, which is why I’m more interested in having the industry discuss a solution—hence this post. The DataPortability Project, a registered not-for-profit that exists for the sole purpose of advocating the portability of personal data residing on websites and in networks, has recognised this as a key problem for all web services. (Disclosure: I am the chairperson and executive director of the DataPortability Project.) For the last 16 months, we have quietly worked on a challenging way to address these issues.

We started with the observation that the current ToS and EULA model—those hundred-page legal documents you are forced to agree to in order to use a service—is often ignored by consumers, who are then surprised when a service enforces its terms. We believed a simpler way is needed to communicate what a service does with respect to a person’s data and what rights they have over it.

Later this month, we will be formally announcing our initiative which we call the “Portability Policy”. This will be a set of questions a company can answer (with no right or wrong answers) that discloses what people can do with their data. The goal of this initiative is to create better communication in the marketplace between service providers and end-users. With better communications, we also hope this will give better clarity to what users can come to expect. And while this might not solve all of Facebook’s problems, it could be a tool that Facebook and other hacker-culture startups could use to better manage their stakeholder relationships and give users a sense of control. This is so they can iterate their technology in parallel, to innovate their products and pursue profitability.

The real challenge with data portability isn’t technical so much as cultural. As Chris Saad, who coined the term and helped found the movement, correctly pointed out in a post last week, Facebook’s vision was not clearly documented in its social contract. We want to help fix that.

The Portability Policy will be released soon and we look forward to launching a discussion about it. In the meantime, you can sign up and be among the first to adopt this new framework for communication and give feedback. For more, visit http://PortabilityPolicy.org/.

Photo credit: Flickr/Massimo Barbieri.