Facebook: Insurmountable(?) Challenges to Privacy Protection in a Social World
In September 2010, Canada’s Federal Privacy Commissioner officially completed a two year investigation of Facebook’s privacy practices. As a result of this process, Facebook was compelled to make several improvements to its site, to the benefit of its 500+ million global users. Yet there was little of a self-congratulatory air to the Commissioner’s statement, which noted ongoing concerns with the site’s privacy compliance. PIPEDA, Canada’s data protection statute, has been hailed historically as a model for privacy protection in an increasingly challenging environment. It attempts to balance the legitimate interests of businesses against privacy rights of individuals, primarily by ensuring users are well aware of the privacy choices they make and the consequences thereof. In this sense, ultimate responsibility for privacy remains with the user.
Facebook once had a simple solution to this problem. The site was built around the concept that users came to Facebook to share with real-life friends. On the basis of this ideal, Facebook would assume that when you post information to the site, you intend your friends and networks to see it. It then provided users with the opportunity to share either more broadly or more narrowly through the controls, if they so chose. This assumption, while not ideal (perhaps I don’t want my co-workers to see my high school reunion photos), did reflect the average expectations of users on Facebook. It’s been hypothesized by many (and by Facebook itself), that commitment to this ‘friends only’ ideal as an underlying design principle was the reason people felt secure enough on the site to build information repositories and friend networks.
In the past year, Facebook has transitioned its user base away from this ‘friends’ based approach and towards a dramatically different set of ideals. Facebook is now committed to making a new Internet where the default is ‘social’. The new ideology being that a more ‘open’ world is a better world.
Many have expressed scepticism over this seemingly altruistic objective, pointing out that this ‘better world’ happens to be one that places Facebook at the centre of a social web and maximizes its profit margins. Others have debated whether such a world is, in fact, desirable. In defence of an open world, some point to shifting perceptions of privacy, to a new generation that is far more willing to ‘share’ in ways that older folk have difficulty understanding. Research shows, however, that these same youths are far more active in their attempts to limit the extent to which their information is available on the web than adults; that if you ask the most gregarious of teens whether they wished their parents or teachers or University recruiters to see their posted photos of last Friday’s party, the answer is an unqualified no. The youths of today may be willing to share more, but exhibit a wish to control the context in which that information is shared, and how it will be used.
Given the ever-increasing complexity of Facebook settings, privacy policies, and arrangements with third party developers, not to mention the at times dizzying number of new ‘features’ added to the service on a semi-regular basis, it becomes a task of Sisyphean proportions for those wishing to share only with friends to maintain that level of information control. And now, each time a user adds a new item of information to Facebook, each time Facebook introduces or transitions new settings, each time it introduces a new feature, the underlying assumption now is that you want to share everyone, including application developers, search engines, personalized websites your friends visit while logged in. If you don’t want the new feature or new setting, the onus is now on you to study it and take whatever series of steps are necessary to turn it off.
While, in response to repeated and sustained public outcries, as well as the quiet, behind the scenes, efforts of our Privacy Commissioner’s office, Facebook has made some recent improvements to its site, these have focused on transparency. It is easier now, with a bit of effort, to find and change some settings and to see what information you must sacrifice to platform developers before playing their games or visiting their websites. But, with Facebook’s new commitment to building a more open Internet, with their demonstrated willingness to change the privacy landscape at will, it’s hard to say with confidence that information entrusted to it today will not be exposed by some new feature tomorrow.
Without a commitment to privacy-sensitive defaults; to holding back from developers information they don’t need; to asks its captive audience if they want to participate in new features instead of simply imposing on them, information control and privacy on Facebook will remain an ephemeral thing at best. While there is no one-off solution to the problem of privacy online, without a clear requirement for privacy by default Facebook changes will continue to reflect their ideal of information sharing, not that of their users.