The peril of the Facebook anti-privacy pattern


There's been a well justified storm about Facebook's recent privacy changes. The EFF has a nice post outlining the changes in privacy policies at Facebook which inspired this popular graphic showing those changes.

But the deeper question is why Facebook wants to do this. The answer, of course, is money, but in particular it's because the market is assigning a value to revealed data. This force seems to push Facebook, and services like it, into wanting to remove privacy from their users in a steadily rising trend. Social network services often will begin with decent privacy protections, both to avoid scaring users (when gaining users is the only goal) and because they have little motivation to do otherwise. The old world of PC applications tended to have strong privacy protection (by comparison) because data stayed on your own machine. Software that exported it got called "spyware" and tools were created to root it out.

Facebook began as a social tool for students. It even promoted that those not at a school could not see in, could not even join. When this changed (for reasons I will outline below), older members were shocked at the idea their parents and other adults would be on the system. But Facebook decided, correctly, that excluding them was not the path to being #1. If you don't protect user privacy, building a service is easier. You never have to worry what you can and can't do with data once you have declared them public. You can't have a leak of what is already disclosed. This allows greater innovation, and in particular it allows innovation outside the company, or outside the community. When everybody can see your data, everybody can figure out and try out cool new things to do with them. Some will be stupid; some will be dangerous; some will be popular, and even useful.

When a site is protecting privacy, even if it is the largest -- especially if it is the largest -- outside competitors will see if they can do something new without following those rules. Ignoring the constraints is the easiest way to get an edge on a big player. Small players are not subject to much scrutiny by privacy watchdogs, and because they start off violating a privacy rule, they do not have the "legacy burden." They don't have to sell a change of policy to users. They don't have to generate a UI so users can opt in or opt out. Even if they do they can set the default as they like.

This new approach may turn off some users, but the hard reality is that it won't impede a new business much. There are always plenty of early adopters ready to try something new and cool, and because of the fundamental theorem of privacy -- nobody cares about privacy until after they've been through an invasion -- only the most privacy aware will avoid the service.

As the upstart grows, the larger, older player will find itself forced to take notice. Users may be migrating, or complaining that the old service is not as full featured as those of upstarts. There is strong competitive pressure to abandon the old protections. Worse, there is an added disadvantage -- the old service needs to now develop a UI to support both the old and new systems, and it doesn't want to have a giant and complex UI.

A good example of this is Twitter. When Facebook added a feed about what friends were doing, it caused some uproar, even though only your friends could see it. But Twitter arose and by default, all your updates were visible not just to followers but the whole world, and they were archived forever. You could try to use Twitter with a "protected" account, as I did, but you quickly realized you were missing out on what Twitter was about. An ecosystem of external apps grew up around Twitter without the Twitter company having to do anything, because the data were public. Protected Twitter users could generally not use these new, hot apps.

A company like Facebook had to look at Twitter and salivate over what they could do, without the legacy constraints. And indeed, before long, the Facebook feed was modified to look more like the Twitter feed, though still largely available only to friends. But now the new default makes your wall available to outsiders.

This trend will continue. New sites will arise that expose more data, and sites like Facebook will feel pressure to widen what they make available, even if there is no revenue reason for doing so.

Facebook as the internet identity gorilla

This becomes even more troubling as Facebook makes a play to be the main provider of what is sometimes called "identity" services on the internet. Federated identity began with services like Microsoft Passport (now called LiveID) which mainly attempted to be a single sign-on with a fairly small amount of data. Many efforts have been pushed to expand that including the hopefully distributed OpenID system, the Liberty Alliance and a few others. Facebook, however, with 400 million users, surged onto the scene with Facebook Connect, which has quickly grown because so many users are already routinely logged into Facebook and need do nothing more to make use of it. This has expanded greatly with Facebook's partner program, which not only puts "Like" buttons onto many web sites but allows special partners to get access to much of a user's Facebook profile, including who their friends are.

While the old systems offered little more than a Login ID, Facebook offers its partners your whole life when it serves them your identity. It's been doing that for its "application" partners for some time, who were recently allowed to remember the data about you that they fetch from Facebook. Now they want to take it out to the whole web, and they have a decent shot at success.

Some of us remember a day when it was considered rude for a web site to ask your name or E-mail address. Now, with no effort, users will offer up everything to -- if Facebook gets its way -- every site. It's a potential rich experience, but at a huge cost to privacy and a big jump towards the fully instrumented surveillance state.

Users will demand the rich experience, but what they need is a way to assure that sites that want to make use of personal information only ask for, and only get, what they truly need in order to make that experience work. If they don't need your birthday, or all your friends' names, they should not get it. And this must happen all the time, not just when you take the time to use a complex privacy console to control what they will be given. This is not something individual users can or will negotiate on a site by site basis. They don't have the power to negotiate it and the companies don't have the time. Negotiation requires parties of equal power to get real give and take.
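The "only ask for, and only get, what they truly need" rule can be enforced at the identity provider rather than left to each user's privacy console. The sketch below is an added illustration, not code from this post, from Facebook Connect or from any OpenID implementation: a relying party registers the attributes it needs and a justification for each; at login the provider releases only attributes that are both declared and requested, gates sensitive ones behind an explicit per-attribute user grant, and (going one step beyond the text) hands each site a pairwise pseudonymous user id so that partner sites cannot correlate one user across the web. All names, attribute keys, the provider secret and the sample profile are made up for the example.

```python
"""Minimal-disclosure attribute release for a federated identity provider.

Added illustration, not code from the post, from Facebook Connect or from
OpenID. Relying parties (RPs) get a default-deny release: an attribute is
handed over only if the RP declared a need for it at registration, asked for
it at login, and, if it is sensitive, the user granted it. Each RP also gets
a pairwise subject id so two RPs cannot link the same user.
All names, keys, secrets and profile values below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Attributes never released without a per-attribute user grant (assumed policy).
SENSITIVE = frozenset({"email", "birthday", "friends"})


@dataclass(frozen=True)
class RelyingParty:
    client_id: str
    declared_need: dict  # attribute -> justification shown to the user at consent


@dataclass
class ReleaseDecision:
    subject: str                                  # pairwise pseudonymous id for this RP
    released: dict = field(default_factory=dict)  # attribute -> value
    refused: list = field(default_factory=list)   # (attribute, reason)


def pairwise_subject(provider_secret: bytes, user_id: str, client_id: str) -> str:
    """Stable per-(user, RP) identifier; different RPs receive unlinkable values."""
    msg = f"{user_id}|{client_id}".encode()
    return hmac.new(provider_secret, msg, hashlib.sha256).hexdigest()


def release_attributes(rp, requested, profile, user_id, provider_secret,
                       user_grants=frozenset()):
    """Release only attributes that are declared AND requested AND (if sensitive) granted."""
    decision = ReleaseDecision(
        subject=pairwise_subject(provider_secret, user_id, rp.client_id))
    for attr in sorted(requested):
        if attr not in rp.declared_need:
            decision.refused.append((attr, "not declared at registration"))
        elif attr in SENSITIVE and attr not in user_grants:
            decision.refused.append((attr, "sensitive attribute without user grant"))
        elif attr not in profile:
            decision.refused.append((attr, "not present in profile"))
        else:
            decision.released[attr] = profile[attr]
    return decision


# --- constructed sample data ----------------------------------------------
PROFILE = {
    "display_name": "Alice Example",
    "email": "alice@example.invalid",
    "birthday": "1990-01-01",
    "friends": ["bob", "carol"],
}
PROVIDER_SECRET = b"example-provider-secret-not-real"

# A hypothetical photo-printing partner that justified only two attributes.
PHOTO_SHOP = RelyingParty(
    client_id="photo-prints.example",
    declared_need={"display_name": "to address you in the order",
                   "email": "to send the order receipt"},
)


def demo():
    """Over-broad request: only the declared, non-sensitive attribute gets through
    without a grant; granting 'email' adds exactly that one attribute."""
    asked = {"display_name", "email", "birthday", "friends"}
    no_grant = release_attributes(PHOTO_SHOP, asked, PROFILE, "alice", PROVIDER_SECRET)
    with_grant = release_attributes(PHOTO_SHOP, asked, PROFILE, "alice", PROVIDER_SECRET,
                                    user_grants=frozenset({"email"}))
    return no_grant, with_grant


if __name__ == "__main__":
    a, b = demo()
    print("without grant:", a.released, a.refused)
    print("with email grant:", b.released, b.refused)
```

The point of the default-deny loop is that the user never has to find and flip a switch: an undeclared attribute such as the friend list is refused no matter how the partner phrases its request, and the refusal reasons give the provider something to log and show the user.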

If we don't solve this, the two forces (market pressure to reduce privacy, and natural monopolies in identity provision) will drive us in a direction we don't want to go. As I have written before, I believe the only answer is to move social apps back closer to our own computers and away from the cloud, as tempting as the cloud is. Only if the data never leave our hands will they remain under our control. We need a resurgence of the belief that software that took our data and exported it for inappropriate purposes was spyware. Facebook and its partners are now purveyors of spyware, yet no anti-spyware program is yet ready to delete it from your browser for you. Indeed, with the new way the protections work, your friends are offering up information about you when they visit the partner sites, and you have even less control over that.

Facebook argues that their whole service is "opt in" because you have to join it. That's true to an extent, but ignores the fact that if social apps are going to be useful, we should find a way to do them without the pressure to strip users of all privacy, and not only offer people the choice of living in a glass house or never leaving the house at all.


I warned people about the problems of walled gardens -- especially those controlled by a for-profit entity -- years ago. They made fun of me as if I'd been wearing a tinfoil hat. Now all of a sudden this is a big deal.

People are just so stupid it boggles the mind.

Strangely, this is about the danger of open gardens, but in this case I mean ones that make their users' data open to public access. As long as sites that do that can get an edge on sites that constrain themselves to protect user rights, there will be competitive pressure to not protect user rights.

This is hard to combat. On PCs, the spyware concept arose because what the spyware products did was even more deceptive than this, and it was easy for users to understand it and want to fight it.

The new, privacy-invading competitors will not get business from those who are highly privacy conscious, but they don't need them at first. They only need them later. But they can grow and be a threat without them, and then use other leverage to bring them along.

Of course it is. None of the communications mediums (I suppose "social technologies" is the hip new term) that I use are controlled by a single centralized entity unless it's a democratically-elected government. These include telephone, SMTP email, postal mail, RSS, Usenet, SMS, etc.

I haven't had any problems with lack of control over how my data are used because I don't put any of my non-public data into a big gigantic centralized place where there's going to be temptation to misuse it. Again, exceptions for governments because there's not much I can do there.

You certainly have a point that there's a race-to-the-bottom phenomenon here that's exacerbating the situation, but the underlying cause is nothing new. The masses are just finally starting to figure it out.

I don't have a problem with Facebook selling my private data, because I NEVER GAVE THEM ANY. The closest they've gotten to me is one of my spamtrap email addresses.

As for the rest of the web, do you really think that my email address is ""?

But I will play the violin for you.

This reminds me of people complaining about what is on television. The simple answer: if you don't like it, don't watch it. Then the response is "but all my friends watch it and if I don't then I can't keep up". At some point, one has to think for oneself and bear the consequences.

Unlike TV, which is mostly an entertainment proposition, where not watching is an easy choice, people do like the social network systems, and do find them useful, and are even finding them essential, and not just in the sense of keeping up with what your friends are experiencing. TV asks only for time (so it can show you ads) but Facebook is asking for more. And as I said, it is making a play at being the source of identity when you want to use other websites.

Identity is useful, but dangerous. Why not try to make it safer?

Facebook has to earn money somehow. Obviously, playing free with data is good for their business, so I don't see how they could be pressured into changing this (if it happens, they might fold as their revenue goes down and they can't afford their expensive backend).

But why not "just say no"? I don't think the idea of using the website of a private company as a universal identifier is a good idea.

If someone finds social networking essential, as opposed to useful, then he has my sympathy.

This reminds me of folks who think Facebook is the web is the internet is computing. :-)

Well, for those folks those statements are true.

If Facebook were just one player in the social network and identity battles, I would agree with your statement (which matches Facebook's own statement that they believe all of Facebook is "opt in" because you have to decide to use Facebook.)

But I've seen lots of people who have recently joined Facebook who for years did not want to. They still would prefer not to but it is the only place to get certain things now, including locating many people, and even seeing pictures of your relatives. At least with today's architectures, there is a bit of a natural monopoly in social network databases. Only the one that has your associates is usable for you, and that's generally the market dominator in your geographic area or sector. It's very hard for two companies to meaningfully compete over the same zone of people, especially if one is a giant. It's even hard to get competition in the identity space once it congeals, though it is slightly easier. Many people seek "data portability" as the answer to the anti-competitiveness, but as I have written, that may just mean all your data is now out at lots of sites, with an even greater probability of losing all control of it.

As I identify in this article, there will be market pressure for Facebook to play free with the data. However, the irony is that the more secure they are in that state, the less need they have to sell off their users for revenue. (They may still have the desire but not the need.)

"But I’ve seen lots of people who have recently joined Facebook who for years did not want to. They still would prefer not to but it is the only place to get certain things now, including locating many people, and even seeing pictures of your relatives."

The same argument can be used for using Microsoft software, joining the ruling political party in a dictatorship etc.

Pictures from relatives? Don't tell me that one's relatives can't email the pictures, or even print them out and send them snail mail.

Relatives can email pictures, or print them, but they don't. It is indeed quite convenient that they can just post them to Facebook and that's all they need do to show them to the whole family and to friends. While you can ask your relatives to print and mail photos, the reality is they won't do this, or if they do, it will be reluctantly, and a smaller subset of the pictures.

And in fact the same has been true of MS software, as they work to make their formats more proprietary, so that people are mailing you documents that won't load properly in anything but MS Office. We don't like that either. The ruling party analogy goes too far -- there the power of that party is backed up with guns, the lines are very clear. I'm talking about something more subtle.

Many people are criticised because they join the dictator's party. People expect more courage (often wrongly stating that, in the same situation, they would show more resistance). My point is that if this expectation has some value, shouldn't we expect even more courage if the threat is not backed up with guns?

These are just two very different orders of things, dictatorships and web sites playing too loose with your data.

Facebook is a useful service, and we want innovative useful services. We just want them to be designed to not cause so many privacy risks, and they can in fact be designed that way, it's just harder.

As I have said before, most people don't focus on their privacy needs until after an invasion. So it's no surprise that millions join Facebook or Twitter regardless of their policies, and then push even those who are concerned to also join.
