As highlighted in this week's Cyber Risk Report, the FTC is raising concerns on how consumer data is collected and shared within the context of social media. Facebook is at the front and center of this issue with its user base estimated at over 400 million people globally. But it should also be top of mind for a different reason: its privacy policies seem to be shifting with regularity, dragging an increasingly complex and confusing interface for managing that privacy along in tow. Wired's Eliot Van Buskirk stated that Facebook is "leaving the onus on users to figure out its Rubik's Cube-esque privacy controls." I agree.
When security professionals are left scratching their heads trying to twiddle the nerd knobs or decipher the market-speak of Facebook's opt-out dialogs, how does this bode for an ordinary user?
The success of Facebook over the last several years has been a remarkable example of the growing interest in social media. No longer the walled garden of university students (who ironically are now having to make tough decisions to "unfriend" their parents), it has left its peers far behind and created a lucrative database of personal information. The original purpose of this data was to amuse, embarrass, infuriate, overstimulate, or underwhelm your "friends" -- in the Facebook world, a friend means two persons who mutually agree to share personal information. As it grew, Facebook introduced new features and functionality that encouraged interaction and longer dwell times on its site, often through applications developed by and connected to third parties. As with "friends," you had to give your permission to these applications.
That now appears to be evolving as Facebook attempts to monetize its service through the sharing of data outside of the "garden" -- changes which raise a number of questions and help grow its list of "friends" in the U.S. government. This isn't the first time Facebook's attempts to share data in confusing (at best) or subject to multiple interpretations (at worst) ways caught someone's attention; the now-defunct "Beacon" program resulted in a US$9.5M settlement in December, 2009.
One of the overarching issues in question is what should constitute a default level of privacy. Facebook is understandably struggling with this due to its roots as a walled garden and its growing competition with Twitter, which has an all-or-nothing approach to privacy: either your tweets are protected (and off of the "public timeline") or they are not, period. You can change this at any time with a single setting: check the box "Protect my tweets" and no one but your friends can read your updates until you decide to revert the setting. Of course, anything that was shared while you weren't protecting your tweets is still being broadcast into outer space to confuse the aliens. Compare this to the growing number of categories for which Facebook requires you to make decisions about who can or cannot see your information. I seem to understand what a "friend" is on Facebook; what is a "friend of a friend?" Kevin Bacon jokes aside, how many degrees of separation are allowed? Why should I even have to think about this?
Balancing privacy, trust, and a successful business model is by no means an easy task -- just ask a few celebrities who have been in the news in the last year. What customers expect as a default behaviour in the context of your previous actions is what I believe is causing the friction between Facebook and some of its critics. Seth covers this well through his own thoughts, which I share. But accessing privacy settings and making decisions for multiple applications need not be complex or confusing. As Seth remarked during an internal meeting last week: "It's like trying to solve a Rubik's cube where the colors change every time you turn it." I'm hopeful that despite the sometimes raucous debate, Facebook will balance the trust that its users historically took for granted with a realistic need to evolve their business. User Interface (UI) simplification is one way to help reach that goal.
thanks to Wordsmith.org for the anagram