Have We Got Privacy Wrong? Lessons from Facebook: Part I

Facebook has recently announced clearer privacy settings which appear to be 'one click' away from wherever the user is on the site. It remains to be seen whether these new changes are merely a case of giving with one hand and taking with the other, a charge directed at Facebook in the past for adopting an overzealous default-on policy instead of allowing users the choice of opting in to new features. Cynics might suggest that the recent controversial revision of the Terms of Use of Facebook-owned Instagram is exactly this. The widely publicised outcry surrounding Instagram, which led to a partial retraction of the changes, still leaves much to be desired on the privacy front, as the Electronic Frontier Foundation (EFF) highlights.

What is surprising in all of this is Facebook's resilience to such "scandals". The sequence of events usually goes as follows:

1. A shocking story breaks. Take the discovery that photos removed by users were not actually deleted from Facebook servers in over three years; worse still, that anyone could still access these photos if equipped with the direct URL of the "removed" photo (Ars Technica - "Over 3 years later, 'deleted' Facebook photos are still online").

2. Following the outcry, some users vow to abandon the service and switch to an alternative. Other social networks like App.net and Diaspora have attempted to capitalise on user discontent by claiming to solve the grievances people have with Facebook, but so far have not made any significant inroads.

3. Panic subsides, people quickly forget and everything goes back to normal before another privacy scandal occurs in a few months' time, each time with no significant change in the Facebook user base.

All this would lead to the conclusion that users simply do not care about their privacy.

If there is anything that I have learned from my time on the Internet it is this: nothing is truly private. As the saying goes, "If you're not paying for something, you're not the customer; you're the product being sold." (Interestingly, Lifehacker traces the origins of the maxim back to a MetaFilter user in a lively discussion about the then-latest Digg redesign back in 2010. Oh, how times have changed...)

Facebook is probably the second largest service behind Google to use this business model, though by no means the only example. The social network reached a landmark 800,000,000 users this year. As of December 2012 the UK has over 33 million Facebook accounts. To put these numbers in context, over 50% of the UK population has a Facebook account. Whichever way you look at it, these are scary numbers when you consider the general lack of privacy awareness among Facebook's user base. You need only look at the popularity of viral so-called "disclaimer clauses" which, to be absolutely clear, are not legally effective and therefore do not in any way protect users. Here's the latest one which has been widely circulating: "Mashable - Don't Fall For Fake Facebook Privacy Notice". There is something truly odious about the perpetrators preying on the fears of other Internet users by spreading entirely false advice.

A graphical representation by xkcd. The kingdom of Facebook has grown larger still since 2010...

Of course, it would be unfair to blame the users for any widespread ignorance -- ultimately the buck stops with Facebook itself. For one, it has been notoriously tardy about implementing stronger and simpler privacy controls over the years. A new "privacy scandal" surfaces every few months with remarkable frequency, the latest concerning old private messages appearing on user profiles accessible to the user's entire friend list (ABC News - "Users Vow to Desert Facebook Amid Latest Privacy Scandal").

Most would accept that Facebook has a positive duty to ensure that:

i) users understand the Terms of Service and any subsequent changes to it.
ii) any amendments are adequately publicised.

However, I do not think this goes far enough, and it certainly does not reflect the size of Facebook as an Internet player and the responsibility to all Internet users this confers. Much in the same way that large companies are encouraged to follow ethical practices through Corporate Social Responsibility, Facebook is not absolved of responsibility to the wider online community merely by being an Internet company. Some might argue that these duties to society are all the more apparent now that Facebook is a publicly traded company (following an IPO in May 2012). Thus I argue that Facebook has an additional duty to ensure that:

iii) any implications for the privacy of the user are clearly explained.

It is undeniable that every Facebook user accepts the Terms of Service when signing up and is consequently generally bound by such terms. However, I see many parallels between online service agreements and the EULAs we have all encountered when installing software. I do not think it will come as a surprise to many that most people do not actually read licence agreements in full (there is even software which claims to ease the pain of reading pages of legalese by highlighting "interesting phrases" in the EULA for you). That said, the jury is out on whether EULAs are legally binding or not. Edward Desautels of the Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) advises taking the cautious approach; see "Software License Agreements: Ignore at Your Own Risk".


Haven't we all...