Thursday, May 13, 2010


How Facebook sees its own privacy policies

Yesterday, I talked about something that’s not a privacy problem on Facebook. Today, we’ll look at what is.

The New York Times “Bits” blog published, the other day, a Q&A piece with Elliot Schrage, Facebook’s vice president for public policy. Readers had been asked to send in questions, and some were selected for Mr Schrage to answer. His answers make it clear, if it hadn’t been already, that Facebook’s erosion of its users’ privacy and of their privacy options are business decisions, made with full understanding of the effect on the users.

I found three answers to be of particular note, so I’ll comment on them here:

Q: It used to be that I could limit what strangers saw about me to almost nothing. I could not show my profile picture, not allow them to “poke” or message me, certainly not allow them to view my profile page. Now, even my interests have to be public information. Why can’t I control my own information anymore? — sxchen, New York

A: Joining Facebook is a conscious choice by vast numbers of people who have stepped forward deliberately and intentionally to connect and share. We study user activity. We’ve found that a few fields of information need to be shared to facilitate the kind of experience people come to Facebook to have. That’s why we require the following fields to be public: name, profile photo (if people choose to have one), gender, connections (again, if people choose to make them), and user ID number. Facebook provides a less satisfying experience for people who choose not to post a photo or make connections with friends or interests. But, other than name and gender, nothing requires them to complete these fields or share information they do not want to share. If you’re not comfortable sharing, don’t.

I’ll buy that Facebook might decide that certain information has to be public. I won’t buy

  1. that they should change that decision after the fact, nor
  2. that the list needs to be so broad as to include “connections with friends or interests.”

And it’s disingenuous to say that, well, people don’t have to make connections or list interests if they don’t want them made public, because a great deal of the value of Facebook, for those who find it valuable, lies in those aspects. It’s not that users aren’t “comfortable sharing” these things, but that they want to control with whom they share them.

This answer just says that Facebook has found value in forcing these items to be public, and they don’t care that some users want to be more circumspect about it. Further, even if users choose to delete some of this information now that Facebook will make it public... Facebook still has it, and will still share it with applications and partner web sites, even after the owner thinks it’s scrapped. Because that’s just the kind of experience people come to Facebook to have.

Q: Why not simply set everything up for opt-in rather than opt-out? Facebook seems to assume that users generally want all the details of their private lives made public. — abycats, New York

A: Everything is opt-in on Facebook. Participating in the service is a choice. We want people to continue to choose Facebook every day. Adding information — uploading photos or posting status updates or “like” a Page — are also all opt-in. Please don’t share if you’re not comfortable. That said, we certainly will continue to work to improve the ease and access of controls to make more people more comfortable. Your assumption about our assumption is simply incorrect. We don’t believe that. We’re happy to make the record on that clear.

Oh, please: saying that Facebook itself is opt-in, so that makes everything in it opt-in... is a cop-out. Just as with the question above, the answer is really that Facebook gets the most value out of defaulting privacy controls to “public” (thus making users opt out of things they want to keep closer, assuming that Facebook even gives them a way to do that). As long as users are hooked on Facebook, and are willing to use it no matter what changes are made, Facebook has no incentive to make it easy to keep information private.

Q: I love Facebook, but I am increasingly frustrated by the convoluted nature of the privacy settings. It’s clearly within Facebook’s ability to make the privacy settings clear and easy to use — why hasn’t this been a focus? — Ben, Chicago

A: Unfortunately, there are two opposing forces here — simplicity and granularity. By definition, if you make content sharing simpler, you lose granularity and vice versa. To date, we’ve been criticized for making things too complicated when we provide granular controls and for not providing enough control when we make things simple. We do our best to balance these interests but recognize we can do even better and we will.

And this one is just complete bullshit. There are no opposing forces here. It’s very easy for them to provide two (or more) tiers of content sharing settings: a simple set for the most common sets of options (or for what they would like to be most common), and an “advanced” button to let people control more and go further.

Even Windows was able to get that. There’s a global privacy setting that sets up file access controls in a way that will work for most users. A user who wants to can make simple changes to the access controls for specific files or directories (allow another user to have certain pre-defined access settings). And for fine-tuned control, one can make advanced changes that let one get down to the nitty-gritty.

Most users never see the Windows advanced access control settings, just as most Facebook users would never use the advanced privacy settings, if they were provided. Yet for the users who want to use them, they’re necessary, and their absence is a real problem.
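To make the two-tier idea concrete, here is a small sketch added as an illustration; it is not Facebook's or Windows' code, and every name in it (the field list, audiences, presets and the PrivacySettings class) is constructed for this example. A single preset choice covers the simple tier, per-field overrides cover the advanced tier, and any field the preset doesn't know about stays private until the user says otherwise.

```python
from dataclasses import dataclass, field

# All names below are constructed for this example.
FIELDS = ("name", "profile_photo", "gender", "connections", "interests")
AUDIENCES = ("only_me", "friends", "friends_of_friends", "everyone")  # narrow -> wide
# A viewer sees a field when the field's audience index is >= the viewer's rank.
VIEWER_RANK = {"owner": 0, "friend": 1, "friend_of_friend": 2, "stranger": 3}

# Simple tier: one choice expands into a full per-field policy.
PRESETS = {
    "friends_only": {f: "friends" for f in FIELDS},
    "open": {f: "everyone" for f in FIELDS},
}


@dataclass
class PrivacySettings:
    preset: str = "friends_only"                   # simple tier
    overrides: dict = field(default_factory=dict)  # advanced tier

    def set_override(self, field_name, audience):
        if audience not in AUDIENCES:
            raise ValueError(f"unknown audience: {audience!r}")
        self.overrides[field_name] = audience

    def audience_for(self, field_name):
        # An explicit per-field choice always wins over the preset.
        if field_name in self.overrides:
            return self.overrides[field_name]
        # Fail closed: a field the preset does not cover (for instance one
        # introduced after the user chose their settings) is not exposed.
        return PRESETS[self.preset].get(field_name, "only_me")

    def visible_to(self, viewer):
        rank = VIEWER_RANK[viewer]
        return [f for f in FIELDS
                if AUDIENCES.index(self.audience_for(f)) >= rank]


if __name__ == "__main__":
    s = PrivacySettings()                  # most users stop here
    s.set_override("name", "everyone")     # advanced: widen one field
    s.set_override("interests", "only_me") # advanced: narrow another
    for viewer in VIEWER_RANK:
        print(viewer, s.visible_to(viewer))
```
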

But, again, Facebook has no incentive to provide them unless people start voting with their fingers, and abandon Facebook because it doesn’t give them the controls they want.

Realistically, though, it’s unlikely that the exodus of a handful — even large handfuls — of techies will make any difference to Facebook’s policies. And it’s unlikely that the average Facebook user will care enough to leave. Some will grumble that they don’t really want everyone to see everything, but in the end it won’t matter enough to them, and they’ll stay and accept it.

Facebook knows this.


Dadinck said...

I just wanted to let you know that there are a ton of privacy settings on Facebook. Like Facebook said, if you don't want someone to see your picture, don't post it.

There are the following categories:
-Personal information and posts
-Contact information
-Friends, Tags and Connections
-Applications and Websites

When I change something in my preferences, I can click on "Preview my page" to see what non-friends see.

Most of the items for security are set up for "friends" "friends of friends" and "everybody". Of course, if no one should see the information, then you don't include the information. There are a few "only me" settings.

There are 9 sub categories in personal information, 8 in contact information, 10 in friends, tags and connections, 6 in applications and websites, 2 in search (including an opt-out for search engines), and a block list.

I'm not sure what you are concerned about in your blog, but Facebook has plenty of controls available for any user. You should dive in and make an account. Use your real name, birthday, gender, and a disposable e-mail account. Then tinker with the controls a bit. I think you will find that the privacy for "public" is very good and you can share almost anything with your friends.

If you are not sharing with your friends, then you don't need to post that content at all. Facebook is for sharing with your friends, not personal storage.

BTW, it looks like you have a bit of public information on LinkedIn. :-)

Barry Leiba said...

Thanks for the comments.

I know there are plenty of settings that are available to Facebook users. My issue is with the settings that aren't there. There are things (such as profile photo and connections) that you can't restrict to just "friends".

The things I hear all the time are (1) as you say, if you don't want it public, don't post it, and (2) who cares if everyone knows what music I like or what groups I've joined? My answer is that it's about choice. I may want to post something (including a profile photo) to share it only with my friends, and with no one else. You may not care who knows about your likes and groups, but he may not want to share those with the entire world.

It also matters that Facebook has changed the rules after the fact, making things more public than they used to be.

Yes, I have a lot of information made public in LinkedIn and in these pages. That's my choice. Facebook is taking away choices, and making some of the choices that remain hard to use.

And I'm not saying that it's all evil stuff (some is, like giving you privacy controls that don't completely work). Mostly, you're using their service and they get to define what that service is.

I'm just saying that I don't like it, and I'm seeing an increasing number of other techies who don't either.

Dadinck said...

Okay, I did some experimentation, and if I believe the profile that Facebook shows me, the only thing you see in my profile now is my name and a picture of the ceiling.

All my friends see everything. But, if I am not posting things for my friends to see, there is no point of posting at all.