Analysis: Some Facebook Privacy Issues Are Real, Some Are Not

Facebook has consistently pushed its users to make more personal information public over the last several years. It believes doing so will allow it to offer better products to users, and the marketers and developers who want to reach them.

But some users, privacy groups and politicians have matched its moves with vocal protests, lawsuits and more recently, official investigations. The controversy only appears to be intensifying.

Below, we’ll closely examine the Facebook privacy issues being debated, from social plugins to Instant Personalization, to the terms of service changes, and many others besides. We’ll provide a straightforward description of what each change was, followed by our analysis of how serious the issues are around each change.

We’ll follow up in a separate article with our  broader conclusions about the changes, the issues and what they mean for Facebook, its users, and everyone else. Before we delve into the specifics, here’s a quick overview of the new risks, and some background.

The Risks

Some criticism of certain aspects of these launches seems fair, like the way that Facebook directed users to make profile interests public. But some people also seem bewildered by the sheer number and complexity of the changes, and are assuming the worst about all of them as a result.

Fairly or not, critics are advocating for regulations or other forms of restrictions on how Facebook handles user privacy, and are even recommending that users leave the site.

The issues are creating new risks not just for Facebook users, but for the company and its ecosystem of developers and marketers.

One risk is that a significant number of people actually do stop using Facebook completely, possibly out of fear of how their data might be used, but also because they are fatigued by the constant changes. This hasn’t happened yet, despite many critics predicting that it would over the years. But there could still be a tipping point, where the build-up of issues finally convinces people to leave en masse.

The other risk is that agencies from national governments, particularly the United States’ Federal Trade Commission, impose stiff new regulations on what product changes that Facebook can make going forward, thereby limiting its ability to improve its products.

This Is Not a New Debate

This round of Facebook changes is arguably not any more significant than past privacy-related ones — like the launch of its news feed, Connect, the application platform, Beacon, the altered publisher tool, and the regularly edited terms of service, to name a few. But the stakes have risen.

Facebook has grown to be the largest social web sevice in the world, with nearly 500 million monthly active users by our most recent estimate. It has turned a profit, and now it appears to gradually be moving towards an initial public offering.

The company is typically aggressive about how it is trying to become more open. Sometimes it moves hastily, or provides an unclear interface, or pushes users to do things that some of them don’t want to do. It has had these sorts of problems before and it has gotten a lot of criticism as a result — Facebook’s critics of today have had years to hone their techniques.

The news feed was met with user outrage when it launched years ago, because Facebook aggregated data about users’ activities in an easy to view way. Even though the data it used was available already, users felt betrayed because that availability became far more obvious. But everyone got used to it, and the news feed has become Facebook’s main avenue for sharing information; in fact, it has been so successful that many other companies have built similar products to help users process information more easily. Facebook overcame users’ gripes, and that success seems to have given it the confidence to keep pushing regardless of criticism.

But Facebook has not been entirely successful in blowing through criticism. Its doomed Beacon advertising system, for example, tracked users’ activity across the web and shared it with their friends without asking permission to do so. The idea sounded promising — but the product itself violated user privacy. Facebook dropped the service eventually, after damaging months of public attacks and multiple ongoing lawsuits (some frivolous, of course).

The company has not been immune to governmental pressure over the years, either. It was forced to accommodate changes from the Canadian privacy commissioner last year. The changes to privacy features in December and the streamlined permissions dialogue introduced last month were, in part, efforts by the company to comply with the commissioner’s requirements.

Facebook’s moves in December set the stage for the current controversies. The main issue was that it required users to go through a transition tool (pictured) that set them up with new privacy settings. The process was confusing to many, and it directed users to make more information public in ways they might not have understood.

Privacy groups had a field day at that point — issues like these allow them to show themselves as fighting for the public good against powerful, selfish interests. Following waves of press coverage, ten of them filed a complaint with the FTC against Facebook. The FTC said it was looking at the situation, but it hasn’t said much since. Meanwhile, other governmental bodies, like the European Commission, have begun investigating on their own.

But these issues, like all the ones before them, have yet to hurt Facebook’s traffic. The most recent measurements from March and April show it booming in the US and around the world, as we’ve covered here and here.

So far, none of the late April changes have had significantly bad results, either.  There are no reports of users being harmed as a result of them, and Facebook itself tells us that traffic is up by nearly every measure following the launch.

We examine what the specific changes were below. Then we look at how people have responded, and whether their complaints are well-supported or not. In a follow-up article, we conclude with our view of how all the issues add up to impact Facebook — or don’t.

Personal Profile Information and Privacy Settings Change

The changes: On April 19, two days before major product launches at its f8 developer conference, Facebook introduced a significant update to how people can express interests in their profile.

Some users have extensively filled out their profiles with a wide variety of personal information, including their work and education history, and interests like music, movies and books. The company suggested that users automatically re-categorize their interests (though not other private personal information) into publicly-available Pages, so that a user from San Francisco, for example, would display that city’s Page.

If users didn’t want to do this, their other option was to delete the information completely or re-add it in the “Bio” field — neither of which were clearly pointed out.

Users were presented with a transition tool that asked them to add these Pages to their profiles. It featured two big buttons on the lower right: “Link All to My Profile” and “Ask Me Later.” The third option, “Choose Pages Individually,” was relatively de-emphasized. It was a link without a button, in smaller text than the other two, and over on the lower left part of the window. Explanatory text at the top of the tool said that the information would be public.

Adding a layer of complexity to this change were two more that Facebook pushed out at the same time. It re-arranged user privacy settings, a move based on the terms of service change it introduced at the beginning of April (we’ll look at the terms further down). Facebook made what it calls “General Information” public, with no option to hide it, as part of that terms change. This includes your and your friends’ names, profile pictures, gender, connections, and any content shared using the Everyone privacy settings. The only other option is to not provide this information in the first place, or delete it if you already had.

What Facebook did decide to keep private for users is key personal information — everything not defined as General Information — which it moved to a new category in its privacy settings, called Personal Information and Posts. This includes users’ biographies, birthdays, sexual preference, religious and political views, photo albums, your own posts, the ability for friends to post to your wall, the visibility of friends’ posts on your wall, and comments on posts on your wall.

The other category in privacy settings includes what Facebook has newly defined as “Friends, Tags and Connections.” This information can be private in nature, but it includes a social element; your friends also can decide whether or not to reveal the fact that you’re friends with them. They can decide to tag you in a photo or video, and so forth — you can decide to untag the photo, but you can’t delete the photo itself because it belongs to them. The complete list of information in this section includes: friends, family, relationships, photos and videos of yourself, current city, hometown, education and work, activities, interests and things you like.

Facebook makes this information public by default. You can hide it on your profile from anyone who visits, but you can’t hide it on the Page you’re connected to.

Finally, Facebook created a new category of Pages called Community Pages. These are non-commercial Pages for things like causes, ideas or internet memes, and they are more limited in nature. They don’t have owners and do not include some options, such as publishing to fans’ news feeds. Users who had items in their personal information section that did not match with existing Pages had those items converted to new Community Pages.

The point of all of this is to make it easier for users to find and share their interests with each other — which is what Facebook exists to do in the first place.

The issues: The three changes — the profile transition, the privacy settings switch and Community Pages — resulted in what appears to be a high level of user confusion, and criticism from privacy groups and politicians, including four US senators.

From some users’ perspectives, it was not clear why lists of personal interests and other details should suddenly turn in to Pages. Facebook users have already had the option to become fans of Pages, but that process was purely opt-in because you had to go to a Page and select the option yourself.

Facebook purposefully minimized the option for users to individually edit the Pages within the new transition tool. Instead it directed them to convert everything. If users did not read the tool carefully — which is a reality of how most people use the web — they clicked through and then discovered what had happened.

The company does not provide flexibility for them to do anything besides make the information public in its transition tool and privacy settings, or remove the information altogether, or re-add it in the user “Bio” section (which can be kept completely private).

“We recognize there has been confusion on this point and are creating more material on the site to explain all of the options people have,” Facebook tells us.

The other catch here is that some users had previously selected some of this information to be private. The transition tool did clearly warn them that the information was going to be public, but it did not state that their privacy settings would be automatically altered to reflect this fact, an issue we noted at the time.

The addition of Community Pages further confused the situation. Some users, for example, said they had previously listed their own businesses as interests, only to discover that they inadvertently created a Community Page for their business that they now have no control over. They can’t delete it and they need to go through an appeal process to make it an official Page they can control.

When we asked Facebook about the transition process, the company says that less than 20% of its users had filled out the profile information, while more than 70% had already connected to Pages about their interests. It says this is one of the main reasons it made the changes. It also notes that users who had filled out interests before had not had the option to add them as Pages, instead.

The changes do not amount to outright deceptions, but they are misleading to the portion of users who have filled out their interests assuming everything would stay private. Facebook’s rationale is understandable but so are the negative reactions.

Social Plugins and the Open Graph

The changes: Facebook introduced new ways for other web sites to integrate site features at f8 through a set of five widgets, each with specific functionality. If you’re logged in to Facebook, you can immediately see information about your friends and what they’re up to on other sites. You can go to many news sites today, like CNN, to see the widgets in action — or “plugins” as Facebook calls them — and then see what news articles your friends are sharing.

Facebook’s intent is to allow users to get more value out of other web sites by seeing what their friends are sharing, and by sharing more information with their friends — and in doing so, it is also trying to make the sites themselves more valuable.

The plugins also allow you to share information back to Facebook. The main one is called the Like Button. It takes Facebook’s Like feature and allows developers to provide it on any web site. So you can be reading a news article, click on the “Like” button above the article, and immediately share a link to it on your wall and in your news feed.

Facebook does not provide user data to sites that use the Plugin. It keeps everything on its own servers, similar to how embeddable YouTube widgets show videos that are hosted on YouTube.

It also launched what it calls the Graph API. This allows developers to access a wide range of user data. General Information and other data that users have disclosed is readily available, and developers can request more through special permissions.

Developers can also get additional access to users through the Open Graph Protocol. They can publish updates to any user who has Liked an item. And they can create their own version of the Like button that doubles as a way to have users become fans of their Page.

The issues: Seeing a friend’s profile picture and shared stories appear in a widget on another site might surprise some people. Much of the controversy over this issue revolves around what data is being shared with third party sites.

However, the plugins are designed so that no data is shared with third party sites by default. Some people have misunderstood how the plugins work, though, and claim that data is being widely shared.

Facebook does track users who visit sites that have its widgets, but it has had various widgets available for years that it tracks, and it has not done anything differently with the new plugins, at least in their simplest implementations.

The company, along with Google, Yahoo and many other market leaders, tracks users through browser cookies and a range of other legal methods. Some other web companies have provided more transparency around this process, but only after governmental pressure — most of the industry is still opaque about its practices. However, proposed congressional legislation could more broadly impact how web companies use and share data.

Recommended articles