Facebook’s Engineered Privacy Loopholes

by Chris Kenton on May 14, 2010

Facebook is getting a lot of attention over its privacy policies for a variety of reasons. Depending on who’s offering up the criticism, the complaints include:

  • They change the rules too often.
  • The rules are too convoluted and too hard to figure out.
  • The rules err on the side of sharing private information without permission, so Facebook can profit.

So far, Facebook seems to be Teflon. The fun and attraction of engaging on Facebook outweigh most people’s concern about privacy – assuming they understand the privacy risks. But I, for one, am starting to get creeped out. And my threshold is pretty high.

A few months back, during the last highly public change in Facebook privacy policy, I went into my account settings and navigated all the features to establish my settings. I was a little pissed that they assumed I would want to share all kinds of personal stuff they didn’t ask my permission to share, but I figured the change in policy was public, and I was able to re-establish control over my private information. I didn’t think much more about it.

This week, something happened that really made my antennae go up. I logged into my account, and a helpful little dialog box appeared, displaying two private email addresses that I use, and have never linked or associated with Facebook. Facebook wanted to know if they could link those accounts to my name. WTF? 1) Where did they come up with those addresses? 2) How did they associate them with me? Any answer you come up with is creepy. Either they were sniffing around my computer, or they were crawling the web looking for other possibly related instances of “me” that they want to unify so they can leverage and sell the data. How they knew these addresses were mine, and not one of the other Chris Kentons on Facebook, is interesting, but gives depth to the creepiness – they’re digging around. This is getting far too deep into my private life for comfort – especially by a company so demonstrably cavalier about how it shares my information.

So I decided to review my privacy permissions, and I found some things that need a lot more scrutiny. Facebook is not just playing fast and loose with privacy details; they’re burying settings that will share information you’ve told them not to share. Check it out for yourself.

Go under the Account tab in the upper right-hand corner of your Facebook page and choose “Privacy Settings”. A list comes up of all the various categories of settings you can choose. Many have complained this is too hard to navigate; Facebook claims it offers greater granularity of control. Whatever. Start with your Personal Information and Posts settings, where you can decide what personal information to share with whom. Facebook helpfully assumes you want to share everything with everybody. So turn everything to “Friends”, so that you’re only sharing your private information with Friends. You’re safe and secure now, right? Not even close.

Go back to the main Privacy Settings page and go down to “Applications and Websites”. Another long list of options to navigate, one of which is “What Friends Can Share About You”. Click to edit settings, and check it out. All the things you just said you only wanted to share with Friends are now, by default, checked to allow Friends to share with other people about you. Huh? So, I’ve just told Facebook I want to keep my photos, my family relationships and religious information just to my friends, but now buried two sections deep under another, different privacy topic, Facebook is allowing my Friends to share that information around? Houston, we have a problem. I Googled this topic and, sure enough, people have found themselves in some awkward situations because of this loophole.

I’m sure Facebook can make a passionate case about trying to make the web more social, and that social doesn’t come without sharing. I’m sure they can argue all day long about how these granular controls allow all of us to have minute control over the information we share. But here’s the thing. I don’t want minute control. I want simple control. Stop sharing my shit with everyone on the web. Stop assuming I want to share everything, and assume I want to share nothing, except who I say I want to share things with. Stop hiding little loopholes under nested lists of settings that allow you to get around the permissions I just set. Stop changing the privacy policy every month to allow you to reset all my settings to your “Share Everything” default. Just. Stop.

Social is *not* about sharing everything with everyone. Social is about making choices about the company we keep. And it’s starting to look like it’s time to make a choice about Facebook.

{ 4 comments… read them below or add one }

Rob Downing May 25, 2010 at 7:08 am

This is, indeed, disturbing on the part of Facebook. It’s compounded by the cavalier attitude taken when confronted. However, what is most disturbing is that personal information is shared with advertisers, privacy settings be damned! These settings do not apply to their (Facebook’s) relationship with their sources of revenue. Making the world more social is just lip-service to the underlying pursuit of revenue.

cheap prada sneakers June 8, 2010 at 6:12 am

Nice article, thank you for sharing.

Jonathan Knowles August 16, 2010 at 6:41 am

It all goes to show that there is no such thing as a free lunch. Facebook users are naive to believe that Facebook will not eventually find a way to make them pay for the service that they are using. But it is shocking to learn that Facebook is doing so in such an underhand manner – I, like many, had assumed that setting “Privacy Settings” to “Friends” was all I needed to do to keep my data within a network of my choosing.

Rob Downing August 16, 2010 at 12:29 pm

I know my implicit assumption was that they would (eventually) be funded by advertising revenue, preserving the subsidized nature of the community, in the same way that it is done elsewhere (e.g.: Google or Yahoo groups).

The Wild, Wild Internet is indeed being tamed…
