Was Facebook Critically Negligent About Privacy? The Jury is Still Out.
I’ve been wanting to write this post for quite some time, but I’ve been in meetings and working with clients. So like so many things on the actual Web, it had to wait.
In short, it’s been alleged that Facebook does not have, nor has it ever had, any system in place to protect users’ privacy from Facebook employees. In other words, anyone who works for Facebook can get into the system and change, delete or otherwise tamper with someone’s personal data.
True or not, issues like this are why you have to assume that anything you put on the Internet is not private, regardless of the privacy controls of the site you’re using. On Facebook, your friends can copy the URL of your “private” photo and embed it anywhere. And Facebook will serve it. See:

That’s why I don’t share anything online that I wouldn’t be comfortable sharing with the entire world.
That said, I don’t think the FB team is going to start editing or sharing my profile with the entire world. It’s the sins of omission I’m worried about. If someone’s laptop goes missing due to carelessness a la the Veterans Affairs Department, you’ve got a world-class flustercluck on your hands.
I know that internal security is critical because employees can go bonkers, but I wouldn’t have handed my personal information — none of it essentially private — over to anyone I didn’t trust. And it’s going to take more than a rumor to change that.
If the rumor is true, then Chuq Von Rospach’s observation really hits the nail on the head:
Bottom line: when you’re too small to worry about, you can get away with a lot of stuff — and if you don’t realize that the “grace period” will end at some point, you don’t put the controls and systems in place to protect yourself — and then when people start calling you on it, how do you respond?
But we have to keep in mind that this might not be true. There’s been no communication from Facebook about it as of this writing. And until the predicted lawsuit actually surfaces, we can’t really jump all over Facebook for something we don’t even know if they did yet. (Update 9/28/07: The rumored lawsuit has turned out to be unverifiable, and as O’Neill puts it, “unlikely.”)
That’s not to say that I’m calling the people who are reporting this liars. I just don’t want to jump to conclusions before we have all the facts. And I’m certainly not taking my profile down, yet.
3 comments
To clarify,
I have updated the blog post … The apparent lawsuit was strictly a rumor and ended up not being verifiable. It was poor judgment for me to post about that but I have since updated the post. The security issues still remain but the “rumored lawsuit” does not seem likely. Sorry!
Thanks for the clarification! I’ll update the post to reflect your update.
And I think you were pretty responsible about it. You did say that it was a rumor, not a verified fact. I just worry that people take the ball and run with these things without thinking it through.
It’s like seeing a rumor in print makes it true.
Teresa,
I would like to go on the record as saying the following:
1. The Facebook Privacy Policy is Swiss Cheese:
There ARE gaping holes in Facebook’s privacy policy. If you go to the post on Jobmatchbox that you reference above you will see that the privacy policy of Facebook was quoted and compared to those of MySpace, Google, Yahoo and Microsoft. I checked this morning, 10/5/07, and the policy has not changed. They do not have ANYTHING suggesting even a hint of limitations on how their employees can interact with your data on Facebook.
2. My source, who is as much a Facebook insider as you could ask for, told me that there are no privacy controls in place inside of the Facebook organization whatsoever. This is consistent with the lack of any currently published policy limitations on employee use of user data for their own entertainment, user impersonation, etc. When I compared the Facebook “security policy” to that of their competitors it concerned me, a lot, which is why I felt compelled to write about it.
Here are the PUBLISHED security policies from Facebook and Yahoo, you be the judge of what one allows vs. the other:
Facebook:
“Security
Facebook takes appropriate precautions to protect our users’ information. Your account information is located on a secured server behind a firewall. When you enter sensitive information (such as credit card number or your password), we encrypt that information using secure socket layer technology (SSL). (To learn more about SSL, go to http://en.wikipedia.org/wiki/Secure_Sockets_Layer). Because email and instant messaging are not recognized as secure communications, we request that you not send private information to us by email or instant messaging services. If you have any questions about the security of Facebook Web Site, please contact us at privacy@facebook.com.”
Yahoo:
“Confidentiality and Security
* We limit access to personal information about you to employees who we believe reasonably need to come into contact with that information to provide products or services to you or in order to do their jobs.
* We have physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you.
* To learn more about security, including the security steps we have taken and security steps you can take, please read Security at Yahoo!.”
3. The only lawsuits related to Facebook that have been floating the web that I am aware of are the ones that have made national headlines because of people who claim that they either own Facebook’s source code, or because they happen to be NY or CT and think that Facebook isn’t protecting their users. Even the NY and CT lawsuits were not in the same domain as what Nick suggested. I asked him to clarify to his readers that I wasn’t suggesting a lawsuit had happened, just that Facebook’s Privacy and Security policies were not sufficient.