When is "opt out" a "cop out?"

As many expected would happen, Mark Zuckerberg did an op-ed column with a mild about face on Facebook's privacy changes. Coming soon, you will be able to opt out of having your basic information defined as "public" and exposed to outside web sites. Facebook has a long pattern of introducing a new feature with major privacy issues, being surprised by a storm of protest, and then offering a fix which helps somewhat, but often leaves things more exposed than they were before.

For a long time, the standard "solution" to privacy exposure problems has been to allow users to "opt out" and keep their data more private. Companies like to offer it, because the reality is that most people have never been exposed to a bad privacy invasion, and don't bother to opt out. Privacy advocates ask for it because compared to the alternative -- information exposure with no way around it -- it seems like a win. The companies get what they want and keep the privacy crowd from getting too upset.

Sometimes privacy advocates will say that disclosure should be "opt in" -- that systems should keep information private by default, and only let it out with the explicit approval of the user. Companies resist that for the same reason they like opt-out. Most people are lazy and stick with the defaults. They fear if they make something opt-in, they might as well not make it, unless they can make it so important that everybody will opt in. As indeed is the case with their service as a whole.

Neither option seems to work. If there were some way to have an actual negotiation between the users and a service, something better in the middle would be found. But we have no way to make that negotiation happen. Even if companies were willing to have negotiation of their "I Agree" click contracts, there is no way they would have the time to do it. Some companies take opt-out so far, giving the user so much control over privacy settings that users become confused by the interface and don't use it, or have trouble finding the settings they do want.

The reality is that opt out is often a cop-out alternative to finding a way to make things work without exposing data. There are systems which allow users to do useful functions, even social media, without making all that they do public. Not long ago, all applications ran on PCs and while they did all sorts of things with our data, the information never left your house. Companies like Flickr developed APIs so that programs running on home PCs could get access to private photos and do useful things with them, without exposing those photos to those who were not invited to see them. I believe there is a middle ground (which I write about on this blog under the name data hosting between handing all your data over to 3rd parties, and having to run everything on a home PC, that still offers more of the protections that the home PC had.

When we allow the opt-out cop-out, we may feel we can protect ourselves, but the privacy bar is lowered for the vast majority of users. But isn't that their business? If they want to have no privacy, why should we interfere?

This is a difficult question with several subtle answers.

  1. As noted, most of these users say they want their privacy protected. They just don't feel that strongly about it because they have not been exposed to a a major privacy invasion. Given the choice, they do want more protection.
  2. As users lower the bar on privacy, it becomes more and more difficult for people who want privacy to obtain it. "Everybody else is making everything public? What's your problem?" "If you're innocent, what do you have to hide?" Protecting other people's privacy protects your own. This does not mean you have a paternalistic duty to protect them beyond what they truly want, but that it is reasonable to protect your own interests to fight for what they also want with less intensity.
  3. There is real danger that as the apparatus of a surveillance state are installed, even without being switched to "full surveillance" mode, you have changed the question to being one of just throwing that switch. When you permit the apparatus to exist, the switch will be thrown -- and it has been thrown in many countries, and even in the USA with warrantless wiretaps.
  4. Police, juries and the general public don't understand the danger of finding things in big seas of data that aren't actually there. Even scientists trained not to do this sometimes fall prey to this mistake.
  5. Many shy people are just wired that way. In a non-privacy world, they are psychologically unable to participate.
  6. As I outlined last week, there is a market pressure to reduce privacy which must be countered. When a leader structures things so that 99% of users will take the default and 1% will opt-out to protect their privacy, the next competitor sees no need to even allow opting out to gain those few activist users.

After 9/11, it was commonly declared that we must give up some of our rights, particularly privacy, to get added security. And anybody who has flown knows this the result of this well -- a travel-ruining experience that adds little. However, one post-9/11 step really did enhance security -- stronger doors on the cockpits. These strong doors had no cost in civil rights.

We must push not to accept "you can opt out" as an answer. Instead we want the metaphorical strong cockpit door. It may be harder to do from an engineering standpoint, and in some cases it may not be possible at all, but it should always be striven for.

We'll only be able to convince web sites to truly protect our rights if we can sit down and negotiate with them. Users can't negotiate, and privacy control panels create the illusion of negotiating, but letting you tweak the terms. But you can only choose among the options they have decided they like. Opt-out control panels may seem like they enable user choice but they can actually harm it. Real choice comes only in being able to put your terms forward in negotiations. The only way users can negotiate with a company is as a group. They don't actually have to be an organized group, but giving the users the illusion of choice dissolves their collective strength. It is a way to silence the troublemakers and keep the sheep in line, and those no victory for the user.


Ok, I see a lot of content-free hand-waving above but what *exactly* are you worried about on facebook falling into the hands of THE AUTHORITIES? Your birthdate (they already have that)? Your favorite bands? Idiotic and pithy things one says? We posted real idiocy on Usenet for 25 years for every single person with access to usenet (albeit by today's standards a rather exclusive club of only some several million), there was no privacy at all on content. What happened? Well, I'm sure among the millions of people someone got into a fistfight or maybe even arrested for something dumb they posted (like the child pornographers but they deserved to lose.) But in general.

Can you be specific without resorting to metaphors like stronger airplane cabin doors? I think I understand why I don't want planes hijacked. They weigh tens of thousands of pounds and fly through the air at 500mph with thousands of gallons of fuel and hundreds of people on board. I'm not finding it easy to extrapolate that to some stranger discovering my marital status.

Yes I can imagine a dystopic world where telling everyone that you're going on vacation for a month, the jewelry is in the top drawer of the upstairs master bedroom, and a spare key is in the mailbox, might lead to negative results. I can imagine being dumb and hurting oneself with any tool.

But I'm looking at the info on my facebook area and about the only thing I might be the slightest bit sensitive about is the list of people who agreed to be my friends because they encompass a huge range and I suppose someone could somehow read something into it all I wish they hadn't. But they're my friends (and in a few cases relatives.)

He who steals my purse steals trash? I don't get it, where's the beef? IN THE CONTEXT OF FACEBOOK (ok, or similar, but not TSA or cockpit door design.)


As I wrote earlier, Facebook is making a play for the coveted spot of being identity monopoly on the web -- the 'single sign on' location where you log in, and that logs you in to a large fraction of other web sites. But instead of earlier attempts like Microsoft Passport, Liberty Alliance or OpenID, Facebook is offering sites not just a login ID or even a real name or reputation, they are offering up the largest collection of personal data about you around, including your social graph.

And they recently moved to make all this public, so you can't stop facebook partner sites and others from seeing it.

Imagine that in China, when they decided to round up all the members of Falun Gong, they had access to their social graphs. Would make it pretty easy to find them all, and throw in a few who just look suspicious.

Or take Mahir Arar, a software developer from Montreal, whose social graph showed he had once witnessed a car loan of somebody who was on a suspicion list, and so when he was changing planes at JFK, he was taken by U.S. authorities and sent to be tortured for a year. (In Canada, the head of the RCMP had to resign over this, but there were no consequences for the U.S. officials who arranged the torture.) Tell me, does being tortured due to a misunderstanding of your social graph count as scary enough?

The stuff on Facebook is for your friends, not for outsiders.

So he's an "ignorant slut" for suggesting that people be allowed to keep information private?

In your "perfect world", would everyone else know everything there is to know about you?

Or read http://en.wikipedia.org/wiki/Jane,you_ignorant_slut#Jane_Curtin.281976-1980.29

It's not really an insult to people of the age Barry and I am. (I've known Barry for 25 years.)

However, you are right that privacy needs to be defended.

This is what I got when I posted:

user warning: Unknown column 'style' in 'field list' query: SELECT scid, filter, style, effect, action FROM spam_custom WHERE effect != 4 in /home/brad/www/drupal/includes/database.mysql.inc on line 172.

So much for privacy!


"There is real danger that as the apparatus of a surveillance state are installed, even without being switched to “full surveillance” mode, you have changed the question to being one of just throwing that switch."

Does anyone seriously believe that a surveillance state (which, to be sure, some people actually see as an advantage; don't assume everyone shares your world view) which wants to flip the switch in order to abuse citizens via their data will just leave them alone if that data is not available? A dictatorship which views its citizens as means to its own end will not become less evil just because it doesn't have access to Facebook data.

Logistics make a big difference. When you need to put tanks in the streets or surround everybody with secret police or make everybody Stasi to report on their relatives, that's a huge undertaking and it makes it much more clear what the government is doing.

If you put all the apparatus in place while trusting the government (or corporations) and then give them a secret "police state on" switch, it becomes much easier to throw that switch.

Believe it or not, I say make them put tanks in the streets.

Perhaps surveillance "society" is a little more accurate. Its not just the state, but also all those powerful corporations that continue to find more ways to watch individuals. How much does this matter personally? For most people, likely not a lot most of the time. But whether the issue is commercial exploitation, political persuasion or state coercion, the more comprehensive personal data available the greater the potential abuse of the individual. So what if eastern European phishing scammers, know who FB users trust and their personal interests? Just doesn't seem prudent to make individual's personal information available without constraint.

Hey Brad, speaking of privacy, it looks like you use Google analytics here. Vaguely analogous to the current FB controversy, I don't care too much how you analyze my site viewing habits, but I'm not sure I trust Google's intentions on a global scale. Between their partnering with NSA, getting hacked by the Chinese, and grand ambitions, I don't like the idea of Google having a comprehensive personal profile of me. How about post on Google analytics data collection and its privacy implications?

I don't think I use analytics, but I do have Adsense ads. I am concerned about what they might learn from people's surfing logs, but the data on Facebook (and stuff like it) becoming commonly public scares me more, as that's the real deal, not potential analysis of patterns. 99% of people don't even have a login or otherwise identify themselves to this site.

I doubt keeping this info out of the hands of someone like the Chinese govt will make much difference, if they want you they can just beat it out of you for a few years. Same for Dick Cheney.

They have my cell phone records, they have my cable TV viewing habits I assume (I'm guessing every time I change the channel it's recorded), my landline records, I know I've had to cooperate on warrants from LEOs to obtain email logs, all your credit card records are basically there for the taking if you're a three-letter agency (I could tell you a story which'd curl your toes, in a nutshell, forget about it, the credit card agencies got out of tax problems or whatever by trading 100% full access to their records a long time ago.) All travel records of course, both domestic and foreign.

The boy with his finger in the dike comes to mind as a metaphor.

I'm not sure what the correct reaction is, but focusing on facebook revealing my favorite band doesn't seem a good place to start other than the target has some PR value and for good reason.

As to SSO, ok, we all rejected all those previous attempts, mostly by Microsoft, to do this kind of thing, mostly we rejected it with a big yawn (wtf? [CANCEL]).

Personally what I'd like is the opposite in a sense, more transparency in govt, particularly in budgeting, down to the smallest detail practical. I live in Boston where cronyism of the ugliest sort sucks the coffers dry while they close library branches for want of a few hundred thousand dollars a year against a $2B budget (and then when the library system closed the branches for a $3M total savings they said, I am not kidding, Oh?! You reduced your budget by $3M! Cool! Then let's just reduce your budget allocations by $3M...wha? huh?)

Actually I don't fret about the library branches per se but it's just amazing to watch, and of course the trillions sucked down in this recent disaster (you deposited a dollar with your bank, they took that dollar to the casino and lost it, now they want another dollar from you to replace it, of course you'd say no so we got the govt to take it from you for this, how many times would you like to buy back this same dollar you supposedly owned...ahahahahaha sucker!)

Heck, I went thru crap like this in my 12 years in the NYC public school system but at least back then it was just bullies and you could avoid them or get a few of your friends and beat the crap out of them. Now we call this kind of behavior "governance".

Transparency in govt would help with a lot of the BIG problems you outline, probably more than hassling facebook who probably is, like those library branches, just a tool in all this at best.

What a mess, good luck, I know your heart is in the right place and you're a smart guy but I'm not sure this is where to focus the energy.

But I don't think that means we want to build the apparatus for massive surveillance of the people.

The argument "but they already have other stuff" is exactly why I don't want to give them any more. It starts with, "what's the harm in them having one little thing like X" and moves to "Why are you worried about Y, they already have X."

Add new comment