Treat Facebook like a public blog

I sympathize with the privacy concerns people have been expressing for some time about Facebook.

A few months back, I encountered a nifty and sobering animated graphic showing what parts of your personal Facebook data have been visible by default and how that's changed over time. (It's also available in still-image form if the animation doesn't work in your browser.)

On the other hand: I love Facebook. It lets me easily keep in touch, in a low-key way, with a few hundred friends and friendly acquaintances. I can look at the list of my friends' most recent status updates on my phone as I walk from one building to another at work, or as a I wait for a bus, or while I'm brushing my teeth, and get a quick glimpse of what some subset of my friends are up to. Sometimes they post fun links; sometimes funny jokes or fun things their kids did or said; sometimes they ask quick questions to help with research for their novels; sometimes they post sad news, or happy news, or just interesting news.

But I think that, given Facebook's ongoing privacy issues, the key to using Facebook is to assume that everything you say there may eventually be seen by the whole world.

That's the gist of what I'm saying in this entry; the rest of this, below, is just overlengthy elaboration.

D.N. once pointed out to me, gently and indirectly but quite rightly, that my stance is a little too close for comfort to saying “I have nothing to hide, so there's nothing wrong with eliminating privacy for everyone.” Those of us who have relatively little to hide ought to help stand up for privacy for those who do have more to hide.

And of course Facebook's twin practices of (a) not making clear to users what's public and what's not, and (b) changing what's public retroactively, are reprehensible.

And my impression (not based on any evidence) is that FB's executives feel that privacy is kind of an outmoded idea, something that they'd like to help us learn to not worry about. For people who like privacy, that's not a comforting thought.

But I'm not willing to give up FB yet, and neither are an enormous number of other people. And so I think it's worth thinking about what an individual who isn't giving up FB can do to best protect themselves.

It seems to me that there are three general courses of events that could happen, given the way things currently are:

  1. Facebook continues to behave badly with regard to privacy.
  2. Facebook decides (possibly under pressure) to implement better privacy behavior.
  3. Facebook is abandoned by most of its users in favor of another system with better privacy control.

I'm not ruling out option 3, but I think it's unlikely to happen for a while. Facebook has five hundred million users right now, and it's growing. That many users create a significant network effect. Social networking sites do generally fade in popularity over time, and often end up being largely abandoned in favor of the next cool thing; but I suspect it's going to be quite a while before the next cool thing outpaces Facebook.

Option 2 might happen. There've been rumblings lately of government wanting to crack down on FB's more egregious privacy issues. And it's possible that mass protest from their users will cause FB to back down in some areas; it's happened before. On the other hand, most of what I've seen from FB executives—especially Zuckerberg, the CEO, but also others, including a Q&A with Elliot Schrage from a few months back—suggests to me that they don't really get why anyone would care about privacy. Schrage said it's “just not true” that they don't care about privacy, and mentioned repeatedly that they have to get privacy right or users will leave; but then he went on to suggest that using FB is optional, and that if you opt in to using it, you have to go with the way they do things. (I'm exaggerating and possibly misreading, but he did say things like “Please don't share if you're not comfortable.”)

Anyway, so my point about option 2 is that it seems to me that FB is likely to resist any pushes toward more or better privacy. Protecting user privacy is not something that seems to me to come naturally to them. I'll be glad if I'm wrong about this, but so far (see abovelinked animated diagram) they seem to be moving toward less privacy rather than more.

Which is to say, I expect that option 1 will be true for a while yet.

So for those of us who aren't willing to leave Facebook, we're left with a practical issue:

Assuming that Facebook is likely to continue to do problematic stuff wrt privacy, what's our best course of action?

Certainly pushing on them to improve is important. But that doesn't help us as individuals in the short run. How do we keep FB from revealing private information about us until such time as they're better about privacy issues?

It seems to me that there are three sub-options here:

  1. Leave Facebook (and delete—not just deactivate—your account).
  2. Carefully and constantly monitor FB's changes to privacy settings; regularly look at your pages using their profile preview (Account > Privacy Settings > Customize Settings, then “Preview My Profile” at the top to preview as someone else; I'm glad they provide that, and wish more other sites had something like it); regularly tweak your privacy settings (no matter how well hidden they may be) to prevent the lapses you want to prevent; and hope that they don't keep implementing features that don't let you adjust the settings. Also, be aware of issues you have no control over, like the fact that if any of your friends use FB apps, those apps likely have access to a fair bit of your data.
  3. Never put any information in Facebook that you wouldn't be comfortable posting to the general public.

As you've probably guessed by now, my preference is option 3.

I know that lots of people use Facebook for private things, and I know that many or most of those people are doing so under the belief that FB will keep things private. When FB exposes those private things, FB is definitely wrong. I don't mean to excuse FB here, or to blame the victims.

But we've now seen FB make privacy-related errors—sometimes bugs and glitches, sometimes bad policies, sometimes just poor communication—over and over again over the past few years.

I think at this point we have to stop expecting that things we post there will remain private.

Which is too bad. It's always hard to find a good place to have truly private interactions online, especially if you want to chat privately with multiple close friends.

But the core of what I'm saying here is that I feel that FB is not a good place to do that.

Wrote this entry in mid-May, didn't get around to lightly updating it and then posting it 'til late October.

Why did I remember to post it now? A few of the reasons:

  • In July, a security consultant downloaded the public information from 100 million Facebook profiles, and published that information online, which means that even if those users decide to make some of their info private later, it'll still be out there in public.
  • In mid-October, the Wall Street Journal revealed: “Many of the most popular [Facebook] applications [...] have been transmitting identifying information [...] to dozens of advertising and Internet tracking companies.”
  • In late October, a new Firefox extension was released that hijacks Facebook and Twitter accounts (and accounts of other popular web services) by watching traffic on public WiFi networks. If you ever use a non-secure WiFi network to get to an account on a major website, your account may be vulnerable.

2 Responses to “Treat Facebook like a public blog”

  1. Nonny

    Actually… I want to say there’s been interviews with the founder of Facebook in which he basically said he didn’t see privacy as a concern, and that people on the Internet should expect that their information will eventually be public. Here’s one that a quick search turns up, although I don’t know if that’s the one I read originally.

    With Facebook’s constant privacy and security issues, I don’t post anything there I wouldn’t say publicly. It just doesn’t seem wise.

    I’m interested to see how Diaspora takes off when it releases. It’s supposed to be a more privacy-conscious Facebook-like social networking site. Unfortunately, I suspect people will continue to use what they know… which is Facebook. :-

  2. Vardibidian

    May I just add—as a matter of courtesy, please don’t put on Facebook anything about anybody else without clearing that they are OK with it being public.

    I, of course, have the photo-of-underage-drunk-me posted by an old buddy (my recollection is that I was, in fact, not drunk but clowning with a bottle, but that’s not what the photo shows), and although I could remove the tag, that doesn’t mean that the association is not saved in various places. I’m not concerned about it for myself, but one of the other people in the photo went into law enforcement… Anyway, the point isn’t so much the photo issue, which is well-known, as any notes or status updates that are notionally ‘private’. While any information in them will probably never become public, that isn’t necessarily true, and it’s a good idea to check that it’s all OK.



Join the Conversation