There is something about Facebook that I have just come to not trust. I think the issue centers around the changes in their policies of late that have left me feeling a little less secure, and feeling like it’s more and more likely that my personal information could be shared without me really realizing that it’s happening. For example, the EFF published an article on the changes to Facebook’s privacy settings (see Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly) that just left me feeling cold on the whole thing. Now I see there’s an update to Facebook’s Site Governance Policy, and I wish I didn’t have to read it, but I feel that I need to since this is the first change that they’ve made since updating their privacy settings.
See, it’s things like this statement that occur near the beginning of the document that bother me:
Scope. This privacy policy covers all of Facebook. It does not, however, apply to entities that Facebook does not own or control, such as Facebook-enhanced applications and websites.
Yes, it is true that Facebook doesn’t own the sites of third party vendors, however they are allowing these third parties to write applications that interact through Facebook with their users. So this leaves a gap: Facebook should start off with a requirement that any third parties interacting with Facebook users minimally comply with Facebook’s own standards. How does Facebook make certain that this is true? Simple enough – Facebook has already established a connection with TRUSTe. Why can’t they specify that any third party applications and / or vendors comply with TRUSTe? If TRUSTe isn’t enough, why not use a third party to resolve these kinds of things? In fact, I have been thinking for a while that it would be a good idea for the EFF to maybe branch out in this direction: offering a service that uses a set of established privacy criteria to judge if two (or more) institutions are compatible on their privacy statements / options / etc.
This next statement is worrisome as well:
Transactional Information. We may retain the details of transactions or payments you make on Facebook. However, we will only keep your payment source account number with your consent.
Okay, so at least they aren’t keeping my bank account or credit card numbers. But, they are keeping track of the transactions I’ve made through their site. That’s definitely information that the government may want to subpoena at some point in one of their grand-sweeping-investigations-for-whatever-reason. Fortunately, I am a little less concerned about this for several reasons:
- I have never made any transactions through Facebook
- Our current administration is a little less zealous about going on witch hunts, and more focused on addressing the real issues
- There’s nothing in any transactions I’ve done (on or off line) for me to be concerned about.
Then there’s information that you are making public, and might not even be aware of it:
Certain categories of information such as your name, profile photo, list of friends and pages you are a fan of, gender, geographic region, and networks you belong to are considered publicly available, and therefore do not have privacy settings.
Why don’t most of these things have privacy settings? My friends are my business, not someone else’s (especially not a spammer or other businesses). My geographic region is public information? Really? Since when? The networks I am in are public information? So great, anyone that joins a network can spam me using the network information.
Some of the content you share and the actions you take will show up on your friends’ home pages and other pages they visit.
Umm, okay, this is kinda okay — I know my status updates show up on friends’ home pages…and if I explicitly share content, that’s the intent of sharing it. But, this is a vaguely worded statement: “Some of the…” and “other pages they visit.” is just a wee-bit open ended of a statement. This should be clarified — right now as a policy, it’s possible to drive a Mack truck through it.
Now consider this statement carefully:
Even after you remove information from your profile or delete your account, copies of that information may remain viewable elsewhere to the extent it has been shared with others, it was otherwise distributed pursuant to your privacy settings, or it was copied or stored by other users.
Okay – I understand the concept that if I shared information with others, and they chose to make copies, I cannot (easily) stop them. However, this sounds like Facebook doesn’t take responsible action to remove information from their system when I delete it… They only remove it from my immediate profile, but if it shows up in someone else’s profile it isn’t removed from there. Personally, this is a pretty big FAIL.
I think this was mentioned in the EFF article, but it’s worth mentioning again:
The default privacy setting for certain types of information you post on Facebook is set to “everyone.”
This means that some of your Facebook information is viewable to everyone – even without logging into Facebook. It bears thinking about, and checking your Facebook privacy settings. And, this is a definite example of why I feel less secure with Facebook. When you have to check your default settings to make sure things that you want secure aren’t being shared with the world, that is a problem.
You can choose to opt-out of Facebook Platform and Facebook Connect altogether through your privacy settings
This is another item that I have had an issue with: most of these things should be Opt-In, not Opt-Out. The idea that you have to go out of your way to turn something off is the wrong way to handle it. Why do I think this way? If you have to Opt-In to something, you are more likely to make certain you understand what you are turning on (well, okay, maybe not, but it does make it the user’s obligation to understand what they are doing). By having things turned on by default, many people just “assume” that what the system (platform) does is correct and for the best, which may not be the case.
You can block specific applications from accessing your information by visiting your application settings or the application’s “About” page
Another item I have issues with: having to go in and turn things off in Apps. This should be designed such that when you are allowing an application to access your information, the application has to ask you for the specific items it wants to access. I’ve seen some applications do this: good for them. However, there are many that don’t. This has meant, for me at least, that I have had to go through all of the Apps that I allowed access to my profile and turn them off — especially the ones that kept nagging me for stuff. They just got severely annoying.
Continuing on down the Privacy Policy, there is a whole section dedicated to “How We Share Information”. Now, I’m just going to say as a start: this section is too long and complicated. It should be as simple as: we don’t share information unless you Opt-In or direct us, a partner, or application to share your information. There is the questionable situation of “legal” issues, and those really need to be handled on a case by case basis with a strong bias towards keeping your information private.
That being said, I’ll pick out a few of the more worrisome points:
We share your information with third parties when we believe the sharing is permitted by you…
That’s one of the worrisome points right there: “we believe”. That doesn’t mean that they require some validation, just a belief, which is far too subjective, in my opinion.
To advertise our services. We may ask advertisers outside of Facebook to display ads promoting our services. We may ask them to deliver those ads based on the presence of a cookie
So, the cookies that Facebook uses to keep track of our status can also be used for advertising? That seems rather suspect to me.
We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law.
Now, I don’t want to tell Facebook that they should put themselves in the way of a legal issue, however “good faith” shouldn’t be the measure here. There should be a firm, solid legal basis for compliance with a subpoena or any request of a legal nature. Even worse is this part of the statement:
This may include sharing information with other companies, lawyers, courts or other government entities.
Umm, no. Court orders / subpoenas and Government Entities are one thing. But, lawyers and companies are something else altogether. Under no situation should our private information be shared with anyone that doesn’t have a specific and legally binding reason to have access to our private information.
The bigger concern I have with this clause is this: nowhere does Facebook state that they will notify the user if there has been a request for their private information from the site. This seems to me to be a major problem. As private individuals we have the right to understand any and all circumstances under which our private information is being accessed. I would say this should be even more of a concern when there are legal issues tied to the access of this information.
Transfer in the Event of Sale or Change of Control. If the ownership of all or substantially all of our business changes, we may transfer your information to the new owner so that the service can continue to operate. In such a case, your information would remain subject to the promises made in any pre-existing Privacy Policy.
Admittedly, this isn’t a concern just with Facebook, but any company that handles a lot of your private information. This is something that is always worth being aware of…you never know who could end up with your information. (For example, who would have guessed that News Corp. was going to buy out MySpace?)
Limitations on removal. [...] Additionally, we may retain certain information to prevent identity theft and other misconduct even if deletion has been requested.
IMO, the above statement seems somewhat odd. If you have deleted your account because you don’t want people to have your information, Facebook thinks they need to keep part of your information? Seems somewhat odd, and I would love to hear a clarification as to what they are trying to prevent.
Okay, so that brings us pretty close to the end of the Privacy Policy document. And, as you can see, there are a lot of things that I feel that users really need to be aware of in this document, as well as some things where I just feel the policies need to change. And, as if that weren’t enough, there are plenty more documents to go through on Facebook’s site, such as: Statement of Rights and Responsibilities and Facebook Site Governance Page, just to name a couple. There’s a whole list of pages that are worth looking at, at the end of the Privacy Policy document, including:
- reporting a deceased user
- reporting an impostor
- reporting abusive content
- reporting a compromised account
- requesting deletion of data for non-user
- removing Friend Finder contacts
- reporting and blocking third-party applications
- general explanation of third-party applications and how they access data
That’s just a lot more information to sort through than I have time or space to work on. And, I suspect, it’s more information than the average user of Facebook can keep track of. It’s this basis that I have problems with many of the social media sites now, and keep feeling that I am a little less secure than I was just a few years ago: the documents are getting more complicated, the interactions are getting more complicated, the things that you can do to protect yourself are getting more complicated.
IMO – someone needs to start telling these companies: you are dealing with PEOPLE not legalistic lawyer-bots. Make policies that are understandable by people and don’t take several hours to interpret, and require that you have to watch carefully for every time there is some change on your website.
