Guest post: Cleaning up privacy for a Facebook generation

This is a guest post by Julian Ranger (@rangerj) an Angel investor and founder of Surrey, UK-based innovation hub iBundle. Current iBundle projects include SocialSafe, mifiction and DAD. Julian has been an investor since 2007. Previously he was founder and Managing Director of STASYS Ltd, which he sold to Lockheed Martin in 2005.

Privacy is something we jealously guard in real life. We lock our doors, protect our bank details – we’re in control. But online it’s become a different story. Hardly a week goes by without a major government hack, social network outage or search engine breach: accusations of fault and blame are levied, and our trust is further eroded.

The debate has two camps: those that care and those that don’t.

This is due to an underlying issue: for some reason, being online has shifted the definition of privacy. Two forms of privacy have emerged along with two sets of ‘best practice’ rules: privacy online and privacy offline, (and the term ‘best practice’ is used loosely).

‘Privacy: freedom from public attention’ (Oxford English Dictionary) should be respected by businesses on and offline. And those interacting with businesses should expect the following principles, rightly or wrongly:

A.      We are clearly told at what privacy level a service operates at

B.      The privacy level cannot be changed on us without us knowing

C.      We have an ability to have our information deleted should we so wish it

Many detailed and vast research papers and draft legislation, contend what should be privacy best practice. However the majority are not accessible for the average Internet users. Simplification and accessibility must be the order of the day to communicate the privacy level that sites, such as Facebook, operate at.

Privacy online should have a standard system of easily understood levels:

1.    Me: what I keep totally to myself

2.    Family: what I share with family and close friends

3.    Friends: what I share with wider friends and acquaintances

4.    Business: what I share with a business, which is not shared onwards

5.    Business to Business: what I’ve shared with a business and that business then shares with other businesses

6.    Public: information in the public domain, found by anyone

There are multiple subgroups within these levels. For example at Level 2 / Family, there are things I choose to share with my wife, but don’t with my parents or children, and at Level 3 / Friends, there are things I share with my friends that I party with that I don’t share with those I work with. These sub-groups are an inherent part of who we are and what we do in the physical world; often impossible to define and ring fence in the digital world.

The fragile contract of trust is often down to a deliberate and convenient requirement for clarity. Two examples have recently involved Facebook and, where its users have been mislead into believing they are operating at Levels 2 / Family, and 3 / Friends, when actually their precious information has been sold in a firehose of information to businesses at Levels 4 / Business and 5 / Business to Business and to Level 6 / Public.

Facebook has a history of breaching the principles A and B (A: We are clearly told at what privacy level a service operates at, B: The privacy level cannot be changed on us without us knowing). Since May’s public outcry, they have promised not to breach B again, saying that they will not change on us the privacy levels that we choose to set. However, in my opinion they are still breaching principle A by being deliberately obtuse about their privacy levels.

At first glance, Facebook’s recommended settings look reasonable, with three items being shared with everyone, three with Friends of Friends, and three with Friends Only. However we are recommend to share our status, updates, photos, posts, bio, family relationships – in other words, virtually all our information, with everyone. As individuals we do not derive any value from this, however, this information is the gold at the end of the rainbow for Facebook.

In addition, Facebook, in common with most sites and services, does not follow principle C (that we can choose to delete our data at any time) at all. Accounts can be deleted from view, but Facebook reserves the right to retain users data and old information will still show up in Google’s infinite memory box of search data.

Quoting from the Wall Street Journal about’s business practices: “A visit to the online dictionary site resulting in 234 files or programs being downloaded onto the Journal’s test computer, 223 of which were from companies that track Web users”. This is clearly a Level 5 / Business to Business use, particularly pernicious because the user is not aware that this is being done at all – with no consent, implied or otherwise, provided. As the diagram of levels shows, the information is flowing ‘underground’ from to others hidden from view.

There is no reason why privacy and trust should be handled any differently online from the tight restrictions and respects offered it in the off-line world. If we don’t get privacy right then the online consumer will revolt, which will negatively impact everyone involved in online businesses.

Discussions must be held at international level – it is the world wide web after all – to agree clearly defined privacy levels (either those proposed above, or some other widely adopted definition).  This would be an important first step to helping users as the general public should not have to be experts in privacy law every time they go online.

This should be followed by a mandate whereby sites and services must be explicitly clear at what privacy level they operate.  Opt outs must be as easy as opt ins, for the sharing of data, and retracting permission retrospectively should be possible.

Above all, privacy in the digital world must be about informed consent, as it is in the physical world.