Another Cliffhanger in the Facebook Privacy Saga


ADOTAS – Because I’m now one of those people, I was scrolling through news feeds on my iPhone while riding to band practice in my bass player’s car when I sighed a bit too audibly.

“What is it?” she said. She’s given me a hard time about being hooked on my new toy, but her curiosity got the better of her.

“Facebook is making more changes to its privacy policy,” I explained.

“Oh yeah?” she said, being a pretty adamant Facebooker who’s a little jilted by the constant restructuring. “Are they going to change things back to the way they were before? That was so much more convenient.”

“No — it looks like they’re going to share your personal data with third parties. Unless you opt out.”

She drove on in silence, but apprehension glowed across her face.

Prior to the f8 development conference (yeah, guys, that’s not an ominous title — read: “fate” — especially when users are anxious about what you’re doing with their information), Facebook has released a privacy policy draft that outlines what could be considered the opposite of the failed Beacon experiment — instead of user data from external websites hitting Facebook to inform targeted advertising, Facebook profile data is going to be shoveled out to pre-approved partners.

Deputy General Counsel Michael Richter explains: “In the proposed privacy policy, we’ve also explained the possibility of working with some partner websites that we pre-approve to offer a more personalized experience at the moment you visit the site. In such instances, we would only introduce this feature with a small, select group of partners and we would also offer new controls.”

Users have been invited to share their opinions in the comments section of the blog page and, no surprise, many of the nearly 1,500 comments are not positive. However, 2,172 users have apparently given it a like — whether that’s a like in terms of Facebook’s forthrightness or a thumbs up to the changes is not clear.

In December, privacy policy changes made far more user information public by default. Privacy advocates who grumbled about that are likely to be further angered because, frankly, despite all the candidness and the open site governance blog, it’s a little sketchy what Facebook wants to do with all the information you’ve given the site. The option of opting out hasn’t been enough for many concerned about Facebook’s privacy policies.

Launched in 2007, Beacon was a debacle, with Facebook killing the program within two years and eventually paying $9.5 million in a class action. Though it may be Beacon in reverse, it’s hard not to see a similar fate awaiting this latest maneuver.

In an e-mail to ReadWriteWeb, Barry Schnitt, Senior Manager, Corporate Communications and Public Policy at Facebook wrote, “The right way to think about this is not like a new experience but as making the [Facebook] Connect experience even better and more seamless…. We think there are some instances where people would benefit from this experience as soon as they arrive on a small number of trusted websites that we pre-approve.”

There’s something that reeks of “Big Brother knows best” in those statements.

It doesn’t help Facebook’s cause that there have been a few highly public privacy screw-ups lately as regular code pushes seem to be chock full of irregularities. On Tuesday night a glitch in the system exposed private email addresses. During a routine code push, a bug caused hidden email addresses to appear for about 30 minutes at around 6:45 p.m. EST.

During a regular code push in February several users received misdirected personal messages — including Editor Zach Seward (doh!). And we’re not talking two or three errant messages — Seward said his inbox was flooded with 100 personal messages intended for other people. After being unable to access his account for a little while, he logged on to find that all but two had been removed.

With 400 million users, perhaps the ‘book’s gotten too big for its britches? But that leads to the perpetual question: With all these privacy issues, will the kids (and parents and grandparents) start abandoning Facebook? It seems every six months I see a gaggle of articles suggesting that users are burned out on Facebook and they’re leaving in droves.

What do reporters use to back up this melodramatic claim? One or two jaded users who are probably publicizing their departure from the social network because they couldn’t get enough attention on it.

Yet month after month, we keep seeing the number of Facebook users go up. “Fleeing from Facebook!” sounds more like the media trying to force a trend than actually report on one — wanna see a site bleeding users? Perhaps you’ve heard of MySpace… The decline of MySpace, however, has more to do with functionality issues; at the moment, it’s arguable there’s no rival for Facebook in terms of usability.

Of course, Facebook’s proposed policy changes come on the heels of the outrage over Google Buzz. At the South by Southwest Interactive Conference a few weeks ago, Danah Boyd, a social media researcher at Microsoft, said Buzz’s tragic flaw was Google’s assumption that if users didn’t want to play Buzz, they would opt out. Facebook did something similar in December when it automatically set data options to public when users failed to address the popup warnings.

Is Facebook making another bad assumption with “Reverse Beacon”? Well, at least they’re testing the waters instead of diving in headfirst like Google did with Buzz.


  1. Users of the Facebook service, all 400 million+, use it for free as it is funded by an advertisement-supported model, unlike MyLife or Reunion, whose business model is subscription-based. So once you take the advertising as a given in exchange for your use of a free service, some will argue that if you are going to see advertisements, you might as well see ones that are aligned with your interests, with advertisements served using BT (behavioral targeting). However, capturing and potentially sharing personally identifying information (name, hometown, birthdate) is where things get dicey, which is what separates Facebook from publishers and ad networks who use cookie-based behavioral targeting, which does not employ personally identifying information. Clearly, there is much evidence to support that BT provides great lift in ad response, but Facebook will need to make sure to balance advertiser revenue objectives with privacy issues so as not to hamper its continued growth and explosive use.

  2. If adverts are simply being targeted based on profile information, then that is fine. If portions of profiling information (partly anonymised or not) to the advertisers for later use that needs more careful thinking about. I have no problem with being served an appropriate ad based on my location/job role but I do not feel an advertiser should have access to these values in combination with my name/email/phone as part of an advertising report if I have viewed or clicked their ad.

    Could the author post some more specific information on exactly how the proposed changes would play out?


    • I think that’s part of the problem, Joe — no one’s quite sure how the partner program will play out. Simply, Facebook will share your data with a partner site that it’s given the thumbs up to so you can have a more “personalized” experience. The company seems to be forcing people to opt out of the program — from Barry Schnitt’s blog today on the policy:

      “In addition, partners who participate in this test will be required to provide an easy and prominent method for you to opt out directly from their website and delete your data if you do opt out. There will also be new features on to help you control your experience when you visit these sites.”

      What enraged users and privacy advocates about the December policy changes was that if a user didn’t pore through Facebook’s settings, he or she automatically was set to public. Nobody likes to have someone else sign them up for something and later have to… Opt out.

      Users have the feeling this is not what they signed up for — and in truth it’s not. Transparency is also an issue here as Schnitt’s language is nothing if not vague. The actual policy language isn’t much better — read page 6 of the redline version.

  3. Thanks Gavin. Just had a read of that doc. At a glance it looks like if you have left a single security setting as ‘available to everyone’ then if you (or a Friend!!) install an app, the app gets access to that information. Which for me as a technical person is fine if it’s true, although I know lots of people who shouldn’t have to think about stuff like that. I don’t like when it starts talking about applications having to adhere to the rules as opposed to the rules being enforced. The API is fairly extensive, and I cannot tell without setting up a little app where and how requests for specific pieces of information are authorised – perhaps they aren’t at all and as the doc suggests, we are relying on the app developers themselves to ‘not look at’ our info. Are there any other technical people who have taken the time to test just how open this is?

