The private information Facebook now makes public

The social network's recent privacy recalculation prevents excluding your profile picture, cover photo, and other formerly hide-able information from search results.

Dennis O'Reilly Former CNET contributor
Dennis O'Reilly began writing about workplace technology as an editor for Ziff-Davis' Computer Select, back when CDs were new-fangled, and IBM's PC XT was wowing the crowds at Comdex. He spent more than seven years running PC World's award-winning Here's How section, beginning in 2000. O'Reilly has written about everything from web search to PC security to Microsoft Excel customizations. Along with designing, building, and managing several different web sites, Dennis created the Travel Reference Library, a database of travel guidebook reviews that was converted to the web in 1996 and operated through 2000.


You may have been one of the many Facebook users contacted by the company last week about the demise of the "Who can look up your Timeline by name" search setting. The Facebook e-mail announcing the discontinuation of the feature goes on to explain how to limit what information you share on the service. Unfortunately, there's no longer a way to limit globally the personal information Facebook shares with everyone; you can do so only for each separate post using the audience selector.

The Facebook Help Center states the following:

"Your name, gender, username, user ID (account number), profile picture, cover photo and networks (if you choose to add these) are available to anyone since they are essential to helping you connect with your friends and family."

Of particular concern to privacy advocates is the ability of third-party app developers to access your friends list. Last August, CNN's Katie Lobosco reported that at least one financial-lending company uses your Facebook friends list to help determine your creditworthiness.

According to Lobosco, if your friends have a history of late payments, your credit score with the company goes down. (Note that another credit company reduces the score of any applicant whose online form is completed in all caps, or without any caps.)

Prevent Facebook apps from accessing your private data
One of the tips in last September's article about how to secure your Facebook account easily explains how to put a muzzle on nosy Facebook apps. The simplest way to enhance your Facebook privacy is to delete the apps. Unfortunately, removing an app doesn't delete the information the developer has already collected about you.

As the Facebook Help Center's App Privacy Settings page describes, you have to contact the developer directly using Facebook's Report a Problem feature. The page states that not all apps provide a way to contact the developer.

Facebook users are installing apps from developers who help themselves to the users' private information without offering a clear mechanism for retrieving the data. Users have no way of knowing what the information includes or how it will be used, let alone whether it is accurate. Nope, no privacy risk there.

The Facebook App Settings page lets you control the information about you that friends can share when they use apps. You can uncheck any or all of the 17 categories of information presented.

Facebook App Settings option for friends sharing your information with apps
Uncheck the categories of personal information you don't want your friends to be able to share with the Facebook apps they use. Screenshot by Dennis O'Reilly/CNET

The App Settings page indicates that you can prevent apps and Web sites from accessing other categories of information by "turning off all Platform apps." To do so, click Edit to the right of "Apps you use" on the App Settings page, and click the Turn Off Platform button.

Facebook App Settings "Apps you use" options
Disable all app sharing by selecting the Turn Off Platform button in the Facebook Screenshot by Dennis O'Reilly/CNET

Privacy promises to European users come up empty
Imagine if Facebook, Google, and other services had to notify you of the information they collect about you, how the companies will use the information, the third parties they will share the information with, and how you can restrict use and disclosure of the information.

Now imagine you're given the ability to opt out of the collection and use of your information beyond what is necessary to transact your business with the companies. Even better, imagine having to opt in to the use of your personal information in any way other than the original purpose for which you supplied the information.

These are two of the seven Safe Harbor Privacy Principles that US companies agree to comply with for their customers residing in European Union countries. Export.gov provides an overview of the Safe Harbor requirements. The principles specify that individuals be afforded access to the personal information the companies collect about them and be able to correct, amend, or delete the information.

As Politico's Erin Mershon points out, the Safe Harbor Framework is intended to allow US companies to comply with the EU's stringent privacy regulations. The rules have been a sticking point in light of the National Security Agency's widespread surveillance. Some Europeans believe US firms use the Safe Harbor Framework to avoid complying with the EU's privacy requirements.

While Federal Trade Commission Commissioner Julie Brill defends the Safe Harbor Framework, EU officials point out the lack of enforcement efforts by the FTC. Safe Harbor guidelines rely on companies self-certifying, so to a great extent the framework operates on the honor system.

At a meeting last month of the European Parliament's Civil Liberties, Justice and Home Affairs committee, an executive at Galexia, an Australian management consulting firm that researches Safe Harbor compliance, highlighted the program's lax enforcement. According to InfoSecurity, Galexia's Chris Connolly told the committee that 427 US companies make false claims about their Safe Harbor compliance.

A more widespread compliance shortcoming relates to the Safe Harbor regulations' dispute-resolution requirements. Connolly testified that about 30 percent of the 3,000 self-certifying organizations offer no dispute-resolution options, and that a large number of the companies that claim to provide dispute resolution instead refer customers to the American Arbitration Association, which charges complainants from $120 to $1,200 per hour, with a minimum of 4 hours, on top of a $950 administration fee.

Some EU officials are calling for the cancellation of the Safe Harbor program, which has been in place for 13 years. Viviane Reding, vice president of the European Commission and EU justice commissioner, spoke at a seminar in Washington, D.C., late last month and recommended the only way for the US to restore Europe's trust is to enact privacy legislation that provides EU citizens with a right of redress when their privacy is violated, as Bloomberg BNA's Stephen Gardner reported last week.

Sounds like a law US citizens could benefit from as well. In the absence of such protections, Facebook needs to follow Google's lead with Gmail and admit, once and for all, that users have no expectation of privacy when using the social network.

This story has been corrected to state that you can limit Facebook sharing on a per-post basis via the Facebook audience selector. It has also been updated to remove details about a previous EPIC complaint to the FTC about a previous Facebook policy.