Facebook Responds to Open Letter
by Nicole Ozer, Technology and Civil Liberties Policy Director, ACLU of Northern California
On June 16, ten of the nation’s top privacy organizations sent a joint letter to Facebook (PDF) detailing outstanding privacy concerns. Facebook’s response glossed over many of the critical points raised about necessary next steps. The following reiterates our concerns and addresses Facebook’s response to our June 16 letter. We look forward to discussing these issues, and Facebook’s plans to resolve them, in more detail.
1. Fix the “app gap” by empowering users to decide exactly which applications can access their personal information and exactly what information these apps can access.
Facebook Says: It has heard the concerns of the privacy groups and plans to address them in an upcoming revamped data permissions model.
The Facts: The announced plan is an incomplete solution that does woefully little to resolve the app gap. Your personal information may still fall through the privacy cracks when your friends run apps because, by default, Facebook will continue to treat apps your friends run like it treats your friends themselves, giving those apps access to most of your information without your notice or consent.
Facebook’s announced data permissions model falls short in the following ways:
- You can’t choose which apps get access. Facebook’s planned adjustments will not allow you to proactively select which apps get access to your information. The only way to keep your information from flowing to any apps your friends run is: (a) to go through the list of 700,000+ apps and explicitly block every app you don’t want to access your information; or (b) to use the “nuclear option” and stop using apps entirely in order to prevent your friends from sharing your information. This is essentially an “all or nothing” decision, because it simply is not feasible to protect data by blocking individual apps since new apps are added every day.
- Your personal information is available to apps your friends run by default. The Facebook controls that exist to limit what a friend’s apps can see about you allow access to most of this information by default. You must find the app settings and adjust them to control the information that flows to apps.
- You can’t protect all personal information. Facebook’s plans do not include settings to prevent your friends’ apps from accessing information such as “likes” and work history. If your friend can view this information, so can every random app your friend allows to do so.
- You have no way of knowing which apps have accessed your information. Facebook’s plans do not provide any way for you to know what personal information has been accessed by your friends’ apps, which makes it difficult to make informed choices about your privacy.
Necessary Steps to Protect Privacy: In order to fix the app gap and make sure that personal information about users is only accessed by people and developers that they trust, Facebook needs to give users complete and meaningful control over which apps can access their information and what information these apps can access.
2. Make “instant personalization” opt-in by default.
Facebook Says: Instant personalization is “widely misunderstood,” and there is no privacy concern because the only information that instant personalization partners receive from Facebook is public information.
The Facts: When you visit an ordinary web site, the site doesn’t automatically know who you are. But when you go to an “instant personalization” site while logged into your Facebook account, the site knows exactly who you are, including your real name, profile picture, and other public information on your Facebook profile.
It’s like entering a store that automatically scans your wallet or purse when you walk through the door and then links everything you do in the store to your personal information—without first asking you for permission.
Necessary Steps to Protect Privacy: You should not have your identity and information disclosed to “instant personalization” sites without your consent just because you are a logged-in Facebook user. Instead, instant personalization should be turned off by default and users who want this feature should affirmatively opt in.
3. Avoid collecting identifiable information received from “social plugins,” including the “like” button, unless the user actually interacts with the plugin.
Facebook Says: Its social plugins are just like every other widget on the web.
The Facts: Social plugins are different from other widgets on the web because they can connect your online activity to all of the personal information attached to your Facebook account, creating an even more detailed profile of you. Facebook can track every time you visit a page with a social plugin, even just a “like” button, and connect this activity to your Facebook account—even if you don’t use the plugin or click on the button at all. Web site developers who don’t recognize this distinction may be violating their own principles or privacy policies unknowingly by using the like button and other social plugins.
Necessary Steps to Protect Privacy: Facebook should be fully transparent about the information that is collected through social plugins, and should not retain any information about individuals who do not actually interact with the plugin. Facebook should also ensure that the “like” button does not transmit information to Facebook about third party site visitors who do not click on the button.
3a. Restore the logout button to a prominent position.
In addition, it has also come to our attention that Facebook has moved the “logout” button to a submenu, making it harder to find. This makes it more difficult for you to log out of the service and be able to surf the web without having your online activity linked to your Facebook account.
Necessary Steps to Protect Privacy: Facebook should restore a prominent logout button on its main page to make it easier for users to log off and help them to keep their Facebook and non-Facebook activities separate.
4. Give users control over every piece of information they share.
Facebook Says: It has taken away privacy settings for information like name, profile picture, and network because “it has been [its] experience that people have a more meaningful experience on Facebook if they share some information about themselves.”
The Facts: Facebook’s refusal to give you control over every piece of information that you share is inconsistent with its stated principle that “People should have the freedom to decide with whom they will share their information, and to set privacy controls to protect those choices.” Not allowing users to choose for themselves is simply contrary to this policy.
Necessary Steps to Protect Privacy: Users should have full control over who (or what) can see every piece of their information, including the fields that are currently “publicly available.” Facebook should also continue to streamline privacy settings so that protections for all personal information can be easily configured.
5. Use HTTPS by default to protect users from outside threats.
Facebook Says: It is currently testing SSL access to Facebook and hopes to provide it as an option in the coming months.
Necessary Steps to Protect Privacy: We look forward to an announcement about using HTTPS in the coming months in order to better protect users from privacy threats. Once tested, Facebook should make HTTPS the default rather than require users to select it as an option.
6. Provide users with simple tools to export their content and connections from Facebook.
Facebook Says: It imposes no restrictions on users that prevent them from exporting the content that they have posted themselves on Facebook and has open APIs that permit applications to export this information.
The Facts: Facebook does not provide its own tool to automatically export your data. Thus, if you want to port your data from Facebook to another service, you must rely on workarounds involving some “approved” automated third party application to export your own content and connections — or get Facebook’s permission to create your own tool to do so.
Necessary Steps to Protect Privacy: Facebook should include built-in functionality that makes it easy for users to export their own uploaded content and contact list so that users can rebuild their social network on another service.
Zuckerberg Admits Facebook Missed the Mark on Privacy
by: Ann Pietrangelo, Care2
“Our intention was to give you lots of granular controls; but that may not have been what many of you wanted. We just missed the mark.” — Mark Zuckerberg
Internet privacy in general is of great concern, but Facebook is definitely in the hot seat. The latest wave of protest comes following the instant personalization pilot program that “helps you connect more easily with your friends on select partner sites. These sites personalize your experience using your public Facebook information.” 
Lots of people love the feature — the problem stems from the fact that users are opted in by default and must choose to opt out.
Facebook has many privacy options and, for the most part, they work well. Unfortunately, the number of options has grown to an almost unmanageable amount. Users are often unaware or just plain confused about what they are sharing.
Having to opt out of a feature that shares private information is not acceptable to most of us. Facebook could have easily avoided the uproar by installing an opt-in feature instead.
Mark Zuckerberg, Founder and Chief Executive of Facebook, says he has heard the complaints about user privacy and is working to correct errors and misconceptions.
In a May 24 piece for the Washington Post, Mr. Zuckerberg said, in part:
“Facebook has been growing quickly. It has become a community of more than 400 million people in just a few years. It’s a challenge to keep that many people satisfied over time, so we move quickly to serve that community with new ways to connect with the social Web and each other. Sometimes we move too fast — and after listening to recent concerns, we’re responding.
The biggest message we have heard recently is that people want easier control over their information. In the coming weeks, we will add privacy controls that are much simpler to use. We will also give you an easy way to turn off all third-party services.
Many people choose to make some of their information visible to everyone so people they know can find them on Facebook. We already offer controls to limit the visibility of that information and we intend to make them even stronger.
Here are the principles under which Facebook operates:
– You have control over how your information is shared.
– We do not share your personal information with people or services you don’t want.
– We do not give advertisers access to your personal information.
– We do not and never will sell any of your information to anyone.
– We will always keep Facebook a free service for everyone.”
With Facebook on the defense over privacy, new startups are angling for a slice of the pie. A New York Times article names several newcomers working on breaking into Facebook’s market: Pip.io, Appleseed, Diaspora, Collegiate Nation, OneSocialWeb, Crabgrass, and Elgg, to name a few worth keeping your eye on.
Despite protests like “QuitFacebookDay,” and “FacebookProtest,” which are garnering plenty of attention, I wouldn’t count Facebook out. They’ve dealt with privacy issues before, and membership is still growing.
Lawmakers are responding to public concerns and are considering legislation to address internet privacy issues.
- April 26: Senator Charles Schumer (D-NY) called on the Federal Trade Commission to investigate Facebook: “I am asking the FTC to use the authority given to it to examine practices in the disclosure of private information from social networking sites and to ensure users have the ability to prohibit the sharing of personal information,” Schumer continued. “If the FTC feels it does not have the authority to do so under current regulations I will support them in obtaining the tools and authority to do just that.”
- May 4: U.S. Representatives Rick Boucher (D-VA) and Cliff Stearns (R-FL) released a discussion draft of legislation to assure the privacy of information about individuals both on the internet and offline.
- May 18: The Electronic Privacy Information Center sent a letter to the Federal Communications Commission requesting investigation into Google’s collection of user data off its “Street View” application, saying that it appears to violate federal wiretap laws.
- May 19: U.S. Representatives Joe Barton (R-TX) and Edward Markey (D-MA) wrote to Federal Trade Commission Chairman Jon Leibowitz about Google’s recent revelation that it gathered information sent over Wi-Fi networks.
The internet is tailor-made for information sharing. Some of us are willing to share more of ourselves than others and, with that in mind, Facebook owes it to its members to simplify privacy settings.
We need stricter privacy laws when it comes to the internet, but that does not absolve us of the personal responsibility to think before we post.
Facebook Revolt at Hand?
16 May 2010
Facebook reportedly called an “all hands” meeting to discuss its privacy policies. That’s because they are facing a brewing revolt among Facebook users alarmed by the company’s, ahem, cavalier attitude toward protecting your privacy.
In recent months, Facebook has rolled out some very privacy-unfriendly practices, from the “privacy transition” that took away privacy controls to “instant personalization” that instantly shares your personal information with third party pages without your consent.

At every step, we’ve worked to get word of these changes out, and pushed back, because at the ACLU, we believe Facebook users deserve control over their personal information.
Facebook’s founder Mark Zuckerberg has claimed that “the default is social.” But to Facebook, “social” seems to mean making your personal information public to the entire world.
Tens of thousands have signed an ACLU petition making clear that people need the ability to control who they share information with.
And we’re not the only ones criticizing Facebook for its failure to live up to its own stated principles and its “lametastically lame” response to the public outcry. Even Congress and European governments are getting in on the act. In fact, plans for “Quit Facebook Day” and calls for a Facebook alternative have been getting louder, and an effort to build an open-source, user-centric social network was featured in The New York Times and has since garnered over $120,000 in donations (and counting) to support its efforts.
Now, $120,000 might be chump change to the reported $35 billion value of Facebook, but if these cries of revolt continue and users continue to jump ship, chump change might be all Facebook has left.
So let’s hope Facebook is ready to listen. We like being social — but we want to choose how and with whom our personal information is shared. If Facebook wants us to trust it, it needs to take this opportunity and recommit itself to the principle that users have control over their own information.
Now is the time to send this message loud and clear. If you haven’t already, sign our Facebook petition and tell Facebook you want to take back control of your personal information!