Monthly Archives: May 2010

Facebook’s Engineered Privacy Loopholes

Facebook is getting a lot of attention over its privacy policies for a variety of reasons. Depending on who’s offering up the criticism, the complaints include:

  • They change the rules too often.
  • The rules are too convoluted and too hard to figure out.
  • The rules err on the side of sharing private information without permission, so Facebook can profit.

So far, Facebook seems to be Teflon. The fun and attraction of engaging on Facebook outweighs most people’s concern about privacy–assuming they understand the privacy risks. But I, for one, am starting to get creeped out. And my threshold is pretty high.

A few months back, during the last highly public change in Facebook privacy policy, I went into my account settings and navigated all the features to establish my settings. I was a little pissed that they assumed I would want to share all kinds of personal stuff they didn’t ask my permission to share, but I figured the change in policy was public, and I was able to re-establish control over my private information. I didn’t think much more about it.

This week, something happened that really made my antennae go up. I logged into my account, and a helpful little dialog box appeared, displaying two private email addresses that I use, and have never linked or associated with Facebook. Facebook wanted to know if they could link those accounts to my name. WTF? 1) Where did they come up with those addresses? 2) How did they associate them with me? Any answer you come up with is creepy. Either they were sniffing around my computer, or they were crawling the web looking for other possibly related instances of “me” that they want to unify so they can leverage and sell the data. How they knew these addresses were mine, and not one of the other Chris Kentons on Facebook is interesting, but gives depth to the creepiness–they’re digging around. This is getting far too deep into my private life for comfort–especially by a company so demonstrably cavalier about how it shares my information.

So I decided to review my privacy permissions, and I found some things that need a lot more scrutiny. Facebook is not just playing fast and loose with privacy details, they’re burying settings that will share information you’ve told them not share. Check it out for yourself.

Go under the Account tab in the upper right hand corner of your Facebook page and choose “Privacy Settings”. A list comes up of all the various categories of settings you can choose. Many have complained this is too hard to navigate; Facebook claims it offers greater granularity of control. Whatever. Start with your Personal Information and Posts settings, where you can decide what personal information to share with whom. Facebook helpfully assumes you want to share everything with everybody. So turn everything to “Friends”, so that you’re only sharing your private information with Friends. You’re safe and secure now, right? Not even close.

Go back to the main Privacy Settings page and go down to “Applications and Websites”. Another long list of options to navigate, one of which is “What Friends Can Share About You”. Click to edit settings, and check it out. All the things you just said you only wanted to share with Friends are now, by default, checked to allow Friends to share with other people about you. Huh? So, I’ve just told Facebook I want to keep my photos, my family relationships and religious information just to my friends, but now buried two sections deep under another, different privacy topic, Facebook is allowing my Friends to share that information around? Houston, we have a problem. I Googled this topic and, sure enough, people have found themselves in some awkward situations because of this loophole.

I’m sure Facebook can make a passionate case about trying to make the web more social, and that social doesn’t come without sharing. I’m sure they can argue all day long about how these granular controls allow all of us to have minute control over the information we share. But here’s the thing. I don’t want minute control. I want simple control. Stop sharing my shit with everyone on the web. Stop assuming I want to share everything, and assume I want to share nothing, except who I say I want to share things with. Stop hiding little loopholes under nested lists of settings that allow you to get around the permissions I just set. Stop changing the privacy policy every month to allow you to reset all my settings to your “Share Everything” default. Just. Stop.

Social is *not* about sharing everything with everyone. Social is about making choices about the company we keep. And it’s starting to look like it’s time to make a choice about Facebook.