Groups ask Feds to ban Facebook's 'frictionless sharing'

A collection of advocacy groups today asked the Federal Trade Commission to ban Facebook's recently announced feature that allows automatic sharing of news articles and other information if users choose to enable it.

In a letter sent to the FTC, the groups allege that Facebook's automatic sharing feature announced last week at the F8 developer conference is an "unfair and deceptive trade practice" that violates federal law. The letter also raised concerns about Facebook's practice of collecting data about users even if they're logged out. (See CNET's F8 coverage.)

"Facebook's frictionless sharing and post-log-out tracking harms consumers throughout the United States by invading their privacy and allowing" for information to be used in ways consumers never expected, says the letter (PDF), which was prepared by the Electronic Privacy Information Center and signed by other liberal advocacy groups, including the Center for Digital Democracy, the ACLU, and the Center for Media and Democracy.

"Frictionless sharing" is one of the more intriguing--and controversial--services Facebook announced at the F8 conference this month (see CNET coverage and privacy concerns).

The idea is simple: Facebook can become a deeper part of your life by automatically reflecting what you're doing, with your permission, even if you don't click the Like button. When you use certain apps, the mere act of reading an article can place it in your Facebook news feed. Wired's Steven Levy has dubbed it "a remote-control autobiography."

Andrew Noyes, manager of public policy communications at Facebook, told CNET that "some groups believe people shouldn't have the option to easily share the songs they are listening to or other content with their friends. We couldn't disagree more."

EPIC Executive Director Marc Rotenberg told CNET: "The main point is that Facebook is encouraging users to 'share' information in ways that they do not truly control because it is Facebook that ultimately determines who will have access to the information users provided." (Here's an illustration of how Facebook's defaults have changed over time.)

Today's letter follows, as CNET previously reported, another one yesterday from two members of Congress who asked the FTC to investigate the possibility that Facebook violated the law when using cookies to record data about users who were not logged in.

Australian technologist Nik Cubrilovic highlighted the company's practices in a blog post on Sunday, which said that Web sites that use Facebook's "Like" buttons or other features import code from Facebook.com. That code, in turn, is executed by visitors' Web browsers and allows Facebook to use a unique cookie to learn what user is visiting these third-party Web sites.

Cubrilovic said in a followup post the next day that Facebook responded by making "changes to the logout process" and has "explained each part of the process" in detail.

Today's letter to the FTC from EPIC and the other advocacy groups said:

Facebook's tracking of post-log-out Internet activity violates both the reasonable expectations of consumers and the company's own privacy statements. Although Facebook has partially fixed the problem caused by its tracking cookies, the company still places persistent identifiers on users' browsers that collect post-log-out data and could be used to identify users. "Frictionless sharing" plays a leading role in the changes Facebook announced at the recent F8 development conference, and works through the interaction of Facebook's Ticker, Timeline, and Open Graph. These changes in business practices give the company far greater ability to disclose the personal information of its users to its business partners than in the past. Options for users to preserve the privacy standards they have established have become confusing, impractical, and unfair.

This approach eliminates what Mark Zuckerberg called the friction of clicking buttons to share information. It's true it could raise privacy concerns, and has already led to worries about how the Internet is becoming more boring--but, on the other hand, the Facebook users who turn it on presumably don't mind a bit of data exhibitionism.

EPIC and the other groups who signed today's letter, however, suggest that the possibility of misuse is enough to warrant the FTC banning Facebook's new technology. "Encouraging or prompting users to share personal information is detrimental to consumer privacy not only because the information will be exploited by Facebook and third parties for advertising and other purposes, but also because Facebook could unexpectedly and improperly" alter its terms of service, the letter says.

EPIC previously asked the FTC to pull the plug on Gmail, Google Docs, Google Calendar, and Google's other Web apps until government-approved "safeguards are verifiably established"--which the agency declined to do. EPIC also claimed, to no avail, that Google's Gmail service is illegal.

Berin Szoka, president of the free-market group TechFreedom, which is based in Washington, D.C., said today that: "What this really reveals is that (EPIC and its allies) just don't understand why people want to share information. There are lots of users who want to broadcast what movies they're watching, what music they're listening to, or what articles they're reading. Once again they're presuming to dictate what's appropriate for everyone else."

"Just because (EPIC director) Marc Rotenberg thinks that sharing is so dangerous it shouldn't be automated, that doesn't mean the rest of us should have to live in his antisharing world," Szoka said.

Update 12:05 p.m. PT: Facebook sent CNET two responses to a request for comment:

Ticker/Timeline allegations: Some groups believe people shouldn't have the option to easily share the songs they are listening to or other content with their friends. We couldn't disagree more and have built a system that people can choose to use, and we hope people will give it a try. If not, they can simply continue listening and reading as they always have. If people do try the new apps announced by Facebook last week, they'll find that they have complete control over whether their information is shared and with whom. For example, we've invested heavily, including consulting several privacy organizations, to build an authorization dialogue that is obvious, easy to understand, and has a privacy setting built in. In addition, if someone doesn't want an app story to be seen by their friends, we offer numerous controls both before and after the fact. They can choose not to take the action on Facebook, remove it from their Timeline, delete it completely, change their privacy settings, or disconnect from the app at anytime.

Cookies being set when users are logged out: There was no security or privacy breach--Facebook did not store or use any information it should not have...Even though we weren't using this information, it's important to us that we address even potential issues, and we appreciate the issue was brought to our attention. When (the researcher) provided us with additional information that allowed us to identify these three cookies, we moved quickly to fix the cookies so that they won't include unique information in the future when people log out. We value the security community and their willingness to provide feedback on issues that they identify. This is why we established our Whitehat program to provide a direct line of communication to this community. Since then, we've also established a Bug Bounty program that provides financial incentives and rewards for researchers to report potential security issues.