Privacy: Facebook's Achilles heel

Once people realize the serious threats posed by third parties misusing the personal information available on Facebook, they will flock to alternatives offering more protection.

Dennis O'Reilly Former CNET contributor
Dennis O'Reilly began writing about workplace technology as an editor for Ziff-Davis' Computer Select, back when CDs were new-fangled, and IBM's PC XT was wowing the crowds at Comdex. He spent more than seven years running PC World's award-winning Here's How section, beginning in 2000. O'Reilly has written about everything from web search to PC security to Microsoft Excel customizations. Along with designing, building, and managing several different web sites, Dennis created the Travel Reference Library, a database of travel guidebook reviews that was converted to the web in 1996 and operated through 2000.

The folks who run Facebook are laughing all the way to the bank. They're making money hand over fist, and all they have to do is sit back and watch as the people who comprise their product volunteer tons of incredibly personal information. Then they sell access to that information to any advertiser or other business that wants it.

Facebook claims the information it surrenders to these companies is anonymous, but it's not. Companies can combine the "anonymized" information from your profile with personal data gleaned from tracking cookies and other online traces to create dossiers about you that offer a level of personal detail the National Security Agency would envy. Researchers Balachander Krishnamurthy of AT&T Labs and Craig E. Wills of the Worcester Polytechnic Institute explained how this is done in a paper published in 2009.

If you make your date and state of birth available to the public on Facebook or any other online profile, there's a good chance most or all of your Social Security number can be predicted--especially if you were born after 1988 in a state with a small population. Carnegie Mellon University researchers Alessandro Acquisti and Ralph Gross explained how this is possible in a research paper also published in 2009.

Even if you prevent anyone but your friends from viewing your Facebook friends list, researchers can infer plenty of personal information about you from any of your Facebook friends who don't keep their friends lists private. That's one of the results of a study conducted by Alan Mislove of Northeastern University and other researchers, who applied an algorithm to the profiles of thousands of Facebook users and were able to determine personal attributes of their friends whose profiles were "private."

The oxymoron of online privacy
Facebook users obviously don't care that their privacy has been compromised. They clearly don't appreciate or understand the risk, in large part because Facebook still appears to be magical to them. (Arthur C. Clarke's famous line that "any sufficiently advanced technology is indistinguishable from magic" applies not just to Facebook but to Google's search algorithms and other successful Web services as well.)

That point is driven home by the results of a recent Harris Interactive survey that found a large percentage of social-network users willing to friend strangers and trust that their new "friends" would not misuse the personal information in the users' profiles. (CNET's Don Reisinger reported on the survey in a recent post on his Digital Home blog.)

Now Facebook is planning to share users' phone numbers and home addresses with third parties, as reported by CNET chief political correspondent Declan McCullagh in his Privacy Inc. blog.

This move comes on the heels of Facebook's revamped Like feature, which allows advertisers to post to your wall and otherwise publicize your action. Facebook's Help Center states the following:

"As with other connections, the connection will be displayed in your profile and on your Wall and your friends may receive a News Feed story about the connection. You may be displayed on the Page you connected to and in advertisements about that Page. The Page will also be able to post content into your News Feed and send you messages. You may also share this connection with apps on the Facebook Platform."

McCullagh described the objections to Facebook's policy in a post from last June on the Politics and Law blog.

Electronic Privacy Information Center director Marc Rotenberg noted that the organization complained to the Federal Trade Commission that Facebook's social plug-ins "violate user expectations and reveal user information without the user's consent." Rotenberg is quoted by McCullagh as saying "the recent Facebook changes are too complex and too subtle for most users to meaningfully evaluate."

Say "no" to Facebook Social Ads
To disable Facebook's Social Ads, open the Facebook Ads page in your account settings: click Account in the top-right corner of the main Facebook window, choose Account Settings, and select the Facebook Ads tab. Choose "No one" in the drop-down menu next to "Allow ads on platform pages to show my information to."

[Screenshot: Turn off Facebook's Social Ads via this drop-down menu on the Facebook Ads tab of your account settings. Screenshot by Dennis O'Reilly/CNET]

It's telling that the text accompanying this setting indicates that Facebook is hedging its commitment to keep your personal information out of the hands of its partners:

"Facebook does not give third-party applications or ad networks the right to use your name or picture in ads. If this is allowed in the future, this setting will govern the usage of your information."

Because Facebook and other Web services frequently change their privacy policies, it's a good idea to revisit your privacy settings to ensure that you're sharing only the information you want to share with only the people you trust. To adjust your Facebook privacy settings, click Account > Privacy Settings. Next, choose View Settings under Connecting on Facebook.

Facebook recommends that you let everyone search for you and send you friend requests. It's safer to allow only friends of friends to search for and contact you. I also allow only friends to send me messages and view my friends list. Facebook warns you that your friends list is shared despite your choice here:

"This lets you connect with people based on friends you have in common. Your friend list is always available to applications and your connections to friends may be visible elsewhere."

I have Only Me selected for the last three sharing options: work and education; current city and hometown; and likes, activities, and other connections. This information is released strictly on a need-to-know basis, and anyone who needs to know it will find out via a medium other than Facebook.

Return to the main Privacy Settings page and click "customize settings" near the bottom of the window. Make your selections for each category (I choose Friends Only for all of them) and if necessary, click Customize on the drop-down menu to see more choices (such as Only Me). Choose Save Settings for each.

Note that my Facebook profile uses a fake birth date and other misinformation, including e-mail addresses that are not used elsewhere. As the Privacy Rights Clearinghouse points out in its extensive Social Networking Privacy fact sheet, be careful not to violate the site's terms of service.

The fact sheet provides dozens of tips for safe use of social networks, as well as links to many helpful privacy resources. Especially valuable are the sections on reading a privacy policy (hint: start at the end), social-network pros and cons for job seekers, laws protecting private online information, and fraud on social networks.

The social networks most likely to replace Facebook
No one can deny Facebook's monster success, which is beginning to rival the preeminent Internet monster, Google. (Note that many of the privacy concerns expressed about Facebook are echoed by Google's many critics--but that's a subject for a future post.) The number-one social network isn't likely to lose its momentum anytime soon, but I consider Facebook's failure to protect its users' privacy a potentially fatal flaw.

Eventually, someone will come along who does it better. Despite the daunting head start Facebook has, things can change very quickly on the Web--just ask Steve Case and Rupert Murdoch. A potential Facebook competitor is the concept of federated social networks, which are based on open-source rather than proprietary software and are being designed to link rather than lock in users of various networks.

Examples of these open social networks are Diaspora (currently in alpha) and Status.net. Richard Esguarra provides a primer on federated social networks in a post on the Electronic Frontier Foundation's DeepLinks blog.

There's no doubt Facebook and other social networks provide a valuable service. The only problem is that the people using the networks don't realize the price they're paying. When we share the details of our lives on social networks, those details become available to any business, government agency, or crook who looks for them--or is willing to pay for or flat-out steal them.

Sharer beware.