Sunday, April 25, 2010

Help me understand Facebook and Privacy?

Help me out here. I'm trying to understand how Facebook's new move to share my information with other sites is okay (Hint: I'm not a teenager, so aim your explanation accordingly). Take LikeButton.me as an example. I've never explicitly trusted this site with any information. Yet they know the names of my friends, and yet all I did was visit this site? Visit = type URL, click return.


Granted, giving out the names of my friends is not the same as giving out my credit card numbers, but it is still valuable information, right? And is it not just valuable to me, but maybe valuable to my friends as well? Shouldn't they get a say in whether their names can be mined by these sites? Rather, shouldn't I get a say in whether my name gets mined by a site that my friends visit? Is that a stupid question? And yes, I know that Facebook has previously said that my list of friends is public. But I was waiting for the first exploit, not expecting it to come from Facebook itself.

I feel so stupid right now. All those silly ideas I was working on relating to Identity 2.0 and consent to release of information (which never included friends' information) were apparently wrong, apparently old-fashioned and apparently ideas that belong to people over 45, as one investor pointed out last week at an event I attended.

Apparently there is great goodness that can come from these features. I can now discover the musical tastes of my friends, via services such as Pandora, and so the benefits far outweigh the concerns of the post-45 crowd. The old-fashioned idea of asking my friends about their musical tastes just went poof!

Facebook does provide tools to change your privacy settings, but this whole system is opt-in by default. If you look on Facebook's site, the privacy settings are explained in words that I suspect most people would not bother to read (including my teenage daughter):


Note the highlighted text. In my settings (shown below), which I get to by clicking the link above, I (don't think I) am not sharing any information with "Everyone".


In addition there is the following setting - not referenced in the above instructions - which should be unchecked:


I confirmed all of the settings above, and yet LikeButton.me still knew the names of my friends. Now this I find hard to believe, so I actually think my dopamine levels are affecting my ability to process these instructions. Otherwise, it almost seems like the privacy controls are broken?

It seems to me that there are several problems here:
  1. Visiting any random site may now expose you to having your information read by that site. Do you generally trust every site to guard your information adequately? I don't. And I don't trust Facebook to make the assessment of which sites to trust.
  2. These sites have access to my information even if my friends visit them?!? Really, I'm struggling with believing this to be an okay scenario.
  3. Default opt-in is not right. How do we protect our children? My daughter thinks it's okay to accept any friend invite (700 and growing) and that she doesn't need to back up her Mac.
  4. The Facebook user interface to opt out of sharing your information is not clean.
  5. I am not even sure that opting out works (as demonstrated by my screenshots above).
  6. You can never opt out of sharing your list of friends.
  7. Facebook privacy seems to be eroding.

Back to my opening sentence. Help me understand this? I actually do think I am missing something either technical, philosophical, or perhaps being born before Atari and Apple is leaving me at a mental disadvantage.

Update #1:
Check out this good summary of the Facebook changes at spylogic.net.

Update #2:
I found yet another Facebook page to change privacy settings. I also started the steps of deactivating my account, and discovered that the user interface that tries to convince you to not deactivate your account is quite a bit better than the privacy settings pages.

1 comment:

Admin said...

It's OK, Jim. You're not alone. A privacy researcher recently told me that the younger generation's definition of privacy is different from ours. Basically, it's "Can I keep my parents from finding out whom I'm talking to, and what I'm discussing with them?" (In a more modern grammatical style, perhaps.)

Some people say, "Privacy is dead. Build a bridge and get over it." Others, like you and me, are concerned about the longer-term consequences.

You've proved the point that if a reasonably tech-savvy individual can't verify whether or not their privacy settings are correct, or even working, then few people will really be protected.

Regardless of how evil you think Facebook has become, the reality is that we all have to think twice about what we enter, and what we do on the Internet - not because we have anything illicit to hide, necessarily; just because it's too hard to keep track of our many relationships, and how people interpret our actions when viewed through a social media lens.

Good luck and keep us posted on your travails...

- Scott (opted into "over 45" by default) Wright
http://www.streetwise-security-zone.com