Advocacy Groups Poke More Holes In Facebook Privacy, Facebook Responds

This morning, a number of major advocacy groups, including the ACLU, EFF, and CDT, sent Facebook an open letter detailing some of the outstanding issues with Facebook privacy. The groups’ letter acknowledged that Facebook has made strides recently on this front, especially with its launch of new, simpler privacy controls, but that it hasn’t addressed some major privacy issues, like the fact that the controversial Instant Personalization feature is automatically opt-in.Wasting no time, Facebook has just responded with an open letter of its own.

Along with Instant Personalization, other issues addressed in the advocacy letter include the fact that Facebook is able to track user browsing behavior through its ‘Like’ buttons and other widgets (these widgets are served up by Facebook to third-party sites, so it can see which sites you’re visiting). And the letter says that users should have more control over what information third-party applications should have access to. Finally, the letter asks Facebook to give  more control over what information mandatorily made public, and the ability to export data so that users can easily transition to social networks other than Facebook.

Facebook’s response addresses each issue point by point:

  • Regarding the so-called “app gap”, Facebook says that it is implementing a new data permission model that will be rolling out in the next few weeks. There’s also now an option to turn off Platform entirely.
  • Facebook’s response to the Instant Personalization is pretty weak — it says that the program has been “widely misunderstood” and that partners can only access users’ public information. I understand the program quite well, as do numerous other critics, and, I’m sure, the likes of the CDT and EFF. And it’s obvious that there are still issues with handing over “public” data, especially when some of that data was switched from private to public during Facebook’s privacy transition in December.
  • Regarding Facebook’s ability to track users through its widgets, Facebook says that it does not use that information for targeting and that it is deleted after 90 days.
  • Addressing the point about giving users more control over what information they can hide, Facebook effectively says that it’s given users more control than they had, but that it finds that users have a “more meaningful experience” when they share more information. In other words, they’re still going to force some of this information to stay public.
  • Facebook says that it is currently testing SSL access to Facebook (a good move).
  • Regarding the ability to export data, Facebook says that users can already do this via its APIs. It then takes some shots at the advocacy organizations saying that it is “surprised that these groups would advocate for a tool that would enable one person to strip all privacy protections for any information that has been shared with them”. I’m pretty sure nobody is asking for that.

Here’s the full letter from the advocacy groups:

And Facebook’s response: