Schneier on Security
A blog covering security and security technology.
September 21, 2006
Facebook and Data Control
Earlier this month, the popular social networking site Facebook learned a hard lesson in privacy. It introduced a new feature called "News Feeds" that shows an aggregation of everything members do on the site: added and deleted friends, a change in relationship status, a new favorite song, a new interest, etc. Instead of a member's friends having to go to his page to view any changes, these changes are all presented to them automatically.
The outrage was enormous. One group, Students Against Facebook News Feeds, amassed over 700,000 members. Members planned to protest at the company's headquarters. Facebook's founder was completely stunned, and the company scrambled to add some privacy options.
Welcome to the complicated and confusing world of privacy in the information age. Facebook didn't think there would be any problem; all it did was take available data and aggregate it in a novel way for what it perceived was its customers' benefit. Facebook members instinctively understood that making this information easier to display was an enormous difference, and that privacy is more about control than about secrecy.
But on the other hand, Facebook members are just fooling themselves if they think they can control information they give to third parties.
Privacy used to be about secrecy. Someone defending himself in court against the charge of revealing someone else's personal information could use as a defense the fact that it was not secret. But clearly, privacy is more complicated than that. Just because you tell your insurance company something doesn't mean you don't feel violated when that information is sold to a data broker. Just because you tell your friend a secret doesn't mean you're happy when he tells others. Same with your employer, your bank, or any company you do business with.
As the Facebook example illustrates, that complexity is about who you choose to disclose information to, how, and for what purpose. And the key word there is "choose." People are willing to share all sorts of information, as long as they are in control.
When Facebook unilaterally changed the rules about how personal information was revealed, it reminded people that they weren't in control. Its eight million members put their personal information on the site based on a set of rules about how that information would be used. It's no wonder those members -- high school and college kids who traditionally don't care much about their own privacy -- felt violated when Facebook changed the rules.
But public perception is important. The lesson here for Facebook and other companies -- for Google and MySpace and AOL and everyone else who hosts our e-mails and webpages and chat sessions -- is that people believe they own their data. Even though the user agreement might technically give companies the right to sell the data, change the access rules to that data, or otherwise own that data, we -- the users -- believe otherwise. And when we who are affected by those actions start expressing our views -- watch out.
What Facebook should have done was add the feature as an option, and allow members to opt in if they wanted to. Then, members who wanted to share their information via News Feeds could do so, and everyone else wouldn't have felt that they had no say in the matter. This is definitely a gray area, and it's hard to know beforehand which changes need to be implemented slowly and which won't matter. Facebook, and others, need to talk to their members openly about new features. Remember: members want control.
The lesson for Facebook members might be even more jarring: if they think they have control over their data, they're only deluding themselves. They can rebel against Facebook for changing the rules, but the rules have changed, regardless of what the company does.
Whenever you put data on a computer, you lose some control over it. And when you put it on the Internet, you lose a lot of control over it. News Feeds brought Facebook members face to face with the full implications of putting their personal information on Facebook. It had just been an accident of the user interface that it was difficult to aggregate the data from multiple friends into a single place. And even if Facebook eliminates News Feeds entirely, a third party could easily write a program that does the same thing. Facebook could try to block the program, but would lose that technical battle in the end.
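To make the "a third party could easily write a program" point concrete, here is a small aggregator written for this edit (it is not code from the essay, and not anything Facebook shipped). It diffs two snapshots of friends' profile pages into exactly the kind of feed News Feeds produced. It fetches only pages the viewer could already open by hand, so it discloses nothing new; and it has no reason to honour an opt-in switch on the site's own feed, which is why that switch buys convenience for the member but not control. The member names, profile fields, visibility sets and the `feed_opt_in` flag are all constructed assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """One member's profile page as a scraper would see it (constructed).
    visible_to is the site's access rule: who may open this page at all.
    feed_opt_in is the member's setting for the site's own feed."""
    name: str
    friends: frozenset
    relationship: str
    favorite_song: str
    visible_to: frozenset
    feed_opt_in: bool = True


def visible_profiles(snapshot, viewer):
    """Only the pages the viewer could already open by hand."""
    return {n: p for n, p in snapshot.items() if viewer in p.visible_to}


def diff_profile(old, new):
    """The feed entries one changed profile produces: (member, event, detail)."""
    events = []
    for f in sorted(new.friends - old.friends):
        events.append((new.name, "added friend", f))
    for f in sorted(old.friends - new.friends):
        events.append((new.name, "removed friend", f))
    if old.relationship != new.relationship:
        events.append((new.name, "relationship", f"{old.relationship} -> {new.relationship}"))
    if old.favorite_song != new.favorite_song:
        events.append((new.name, "favorite song", new.favorite_song))
    return events


def scraper_feed(before, after, viewer):
    """A third party's feed: diff every page the viewer can read.
    It is bound by the site's access rule (hidden pages cannot be fetched)
    but ignores feed_opt_in, which only governs the site's own feed."""
    old = visible_profiles(before, viewer)
    new = visible_profiles(after, viewer)
    feed = []
    for name in sorted(set(old) | set(new)):
        if name in old and name in new:
            feed.extend(diff_profile(old[name], new[name]))
        elif name in new:
            feed.append((name, "profile now visible", ""))
        else:
            # the member hid the page from this viewer (e.g. unfriended them)
            feed.append((name, "profile no longer visible", ""))
    return feed


def site_feed(before, after, viewer):
    """The site's feed with an opt-in switch: same data, filtered by the
    member's setting. The switch controls this function and nothing else."""
    opted_in = {n for n, p in after.items() if p.feed_opt_in}
    return [e for e in scraper_feed(before, after, viewer) if e[0] in opted_in]


# Constructed snapshots of three profile pages, taken a day apart.
BEFORE = {
    "alice": Profile("alice", frozenset({"bob", "carol"}), "In a relationship", "Song A",
                     frozenset({"bob", "carol", "chuck", "diane"}), feed_opt_in=False),
    "bob": Profile("bob", frozenset({"alice", "chuck"}), "Single", "Song B",
                   frozenset({"alice", "chuck", "diane"})),
    "carol": Profile("carol", frozenset({"alice"}), "Single", "Song C",
                     frozenset({"alice"})),
}
AFTER = {
    "alice": Profile("alice", frozenset({"carol", "frank"}), "Single", "Song A",
                     frozenset({"bob", "carol", "chuck", "diane"}), feed_opt_in=False),
    "bob": Profile("bob", frozenset({"chuck"}), "Single", "Song B2",
                   frozenset({"alice", "chuck"})),  # bob also hid his page from diane
    "carol": Profile("carol", frozenset({"alice"}), "Married", "Song C",
                     frozenset({"alice"})),
}

if __name__ == "__main__":
    for viewer in ("chuck", "diane", "alice"):
        print(f"scraper feed for {viewer}: {scraper_feed(BEFORE, AFTER, viewer)}")
        print(f"site feed for {viewer}:    {site_feed(BEFORE, AFTER, viewer)}")
```

Run it and compare the two feeds for `chuck`: Alice has opted out of the site's feed, so `site_feed` shows only Bob's changes, while `scraper_feed` still reports that Alice dropped Bob, added Frank and is now single. Carol never appears for Chuck, because he could not open her page before either. The only setting that actually removed information from the scraper's view was Bob hiding his page from Diane, which is the access rule, not the feed switch.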
We're all still wrestling with the privacy implications of the Internet, but the balance has tipped in favor of more openness. Digital data is just too easy to move, copy, aggregate, and display. Companies like Facebook need to respect the social rules of their sites, to think carefully about their default settings -- they have an enormous impact on the privacy mores of the online world -- and to give users as much control over their personal information as they can.
But we all need to remember that much of that control is illusory.
This essay originally appeared on Wired.com.
Posted on September 21, 2006 at 5:57 AM
As a result, I lie about my personal details on just about every website I use.
But for places where I can't do that, what can we do? Get the laws "fixed" or what?
"people believe they own their data" -- and in most European countries, they do. Companies cannot handle your data without your explicit agreement, which you can retract anytime. If some company violates this, you don't have to go to court immediately, you just complain to the privacy ombudsman.
Frankly, the US approach to privacy and data protection is just insane. No wonder that people are surprised when they face its consequences.
akin to "words mean what I want them to mean, nothing more, nothing less."
"civil liberties are attacked when I say they are being attacked..."
The line between no-one caring and everyone caring is fine and wiggly.
That seems much more sane to me. There's another issue as well- having privacy protecting laws in your country is great, but on the Internet, I can just as easily set up shop in a country that doesn't have those laws.
I'm not sure that adding an "opt-in" is the right approach at all. Once the data is on the site, that's game over, the information is public, forever and ever. De-selecting the option just gives the illusion that the data is protected. And illusory security is worse than no security, right?
Instead, somehow, the message needs to get out to people that revealing personal information to your friends on a social networking site is precisely the same as having that same information broadcast to the world on CNN, and forever attached to your name in a giant database that you can never correct.
I don't blame Facebook at all, in fact I have a lot of sympathy with them. The only worry I have is the image they project. All the social networking sites deliberately hide behind a fun, casual, "hey, we're all just hanging out here, why don't you come on over" facade. Whereas in fact, everything you do while using these sites should be weighed very, very carefully before committing yourself. If people treated the sites as seriously as they deserve, I'm not sure they would have a business model left.
Seeing their lives broadcast via RSS might have been a pretty rude shock to many of these people, and I'd prefer to find a better way to get the message out. But at least a few of them are now going to be looking these issues hard in the face, and that's no bad thing.
But a 'privacy profile' is useless without the backing of the law. Under your suggestion, if a company goes bankrupt the liquidators will be able to sell the database containing your information to the highest bidder. Or perhaps the company will get sold. Or perhaps someone in the company sells a computer that happens to still have an old version of the database banging around on its hard drive.
Once any of these things happen, whoever gets the database next will be able to do whatever they want with it.
Don't these kids know about the Internet Archive or Google Groups? Those are the two real monsters that should not be.
"[P]rivacy is more about control than about secrecy."
I'm not sure that trying to talk about "ownership" of data is useful. Copyright is one attempt to create a framework of ownership over information, but has a complex definition, covering derivative works, fair use, etc. The kind of "ownership" that might protect privacy would need a different, but probably equally complex, definition, and would have the same kind of enforcement problems as copyright does.
My experience is that the young folk who use Facebook and similar services are for the most part much more sophisticated than older users. The youth tend to have an innate sense of the nature of privacy and lie in at least part of their profiles (their real friends will know which parts to believe).
I'd be willing to bet that most of the Facebook users weren't bothered that their latest music pick was published widely. I'm thinking that what really frightened them was that not only would Alice be told instantly when Bob dropped her from his friends list, but Chuck and Diane would also know. And there's no way to lie about that so there is no way to control it. Or worse, if Frank found out that Alice suddenly had a new male friend on her friends list.
It goes without saying that the kids posting lies on their profiles is much less naive than relying on legislation -- which like privacy policies can be changed at any time without notice -- which almost certainly would not have applied in this situation.
I think that an important distinction needs to be drawn here. If you tell your insurance company "I am a smoker", you probably should be able to expect that that's private information. You disclosed it for the purpose of them granting you a policy. You probably should be able to expect that they will not disclose it publicly.
But if you tell MySpace that you fetishize teddy bears, by entering that into the public part of your profile on their service... then that's not private information. You aren't actually telling MySpace, you're telling the world. *You*, not MySpace, have already chosen to disclose it publicly when you post it. It's a totally different situation from the insurance company. Anyone in the world can view your profile by visiting your profile, and if you don't really want lots of people to know about it, you are depending solely on your expectation that very few people will visit your profile unless they already have some connection to you.
That's literally security through obscurity. I have no sympathy with it, and I think it's wrong to attempt to bolster it for the same reason I think it's wrong to attempt to support DRM: it's a model that inevitably must fail, and the belief that it could work if only we could get it just right and patch the last hole, is injurious.
Publicly-disclosed material should be made as public as possible, and we should focus our efforts on making sure that nothing private gets publicly disclosed in the first place. MySpace users need to be drawing the line before their sensitive information goes onto their profiles at all, not just before it goes onto RSS.
It's lower-profile, but Livejournal is going through exactly the same contortions right now with a feature called "tracking". Different parts of your Livejournal presence are restricted in different ways, with a fair bit of customizability; "tracking" allows someone who already has access to something to easily keep track of when that thing changes; the feature does not disclose any information to anyone who didn't already have access to it anyway; but it makes it easier to pay close attention to the information you have access to; and many users think that makes a difference.
Cf. the status of stock quotations, and "database copyright" too: *convenient* information is claimed to be a different product with a different value from the same information in less convenient form. I'm of the opinion that we, or at least the law, should not recognize convenience as a different kind of access.
'What can we do. Get the laws "fixed" or what?'
Well, for starters you can go over to Kim Cameron's Identity Weblog and check out his "The Laws of Identity". http://www.identityblog.com/
'How many members ever read that policy, let alone read it regularly and check for changes?'
@t3knomanser: "There's another issue as well- having privacy protecting laws in your country is great, but on the Internet, I can just as easily set up shop in a country that doesn't have those laws."
You're right -- this already happens.
One terms-and-conditions statement I came across (from eBay in the UK, IIRC), said "by using the service you agree that we can store your account data in the US, where your inconvenient little EU privacy laws won't protect it".
An important point to mention about this is that NO new information was disclosed through the feeds. The rules for who could access your information did NOT change. It was an aggregation, every part of which was only visible to whomever could access it before.
People got outraged that it was now easier to get at the information they already published. They relied on SECURITY BY OBSCURITY, with the obscurity being the sub-optimal user interface of the site.
I think most people using a service like LiveJournal or MySpace quickly find out just how public it is. There are a large number of "friends-only" journals on LiveJournal for specifically that reason.
If you post to a truly public site with data (like Usenet, as I saw referenced above as Google Groups), or to a public portion of something like MySpace or LJ, it's public, and anyone can see it, and you need to know you did that.
But if you post to an access-controlled group of people, via a service like MySpace or LJ, that's different. It's not "public", it's access-controlled. It's only public if they change their rules to make it public.
There may not be a legally binding contract on that, but a handshake agreement of sorts is there. I think that's the line that gets crossed that really outrages people.
I tell someone else something, that's not explicitly marked as public-to-the-world, and then it becomes so, I'm going to be upset about it.
However, I'm betting that the real source of the "drama" over Facebook's tracking feature was the social implication of tracking friending and de-friending. Which some people wrap up a lot of ego in.
Some kid was arrested for "unlawful photographing in violation of privacy" for distributing graphic pictures of his female classmates on CD. He apparently got the pictures from internet sites to which the girls had themselves submitted pictures.
According to the sheriff: "A lot of girls simply sent these photos thinking it was secure site, or that only a friend would see this."
I guess I'm one of "the young people" on Facebook.
@Tom Davis: You are drastically overestimating the youth. People at my university are always astounded at how much I can learn about them in as little as 5 minutes. They don't connect posting things on the internet with reality.
I had several friends and associates email me about this egregious violation of privacy with the Facebook feed. I sent out several replies, with varying degrees of politeness, pointing out that they already post this crap all over Xanga, MySpace, blogs, Facebook, and a lot of other sites. They aren't losing any privacy with this feed, the feed is simply an aggregation. The public seems to equate privacy to how easy it is to get information at once rather than what information can be had.
I am on Facebook and MySpace. I was on Facebook back in college as a cheap personals service. Worked out ok too. Met some women who had some similar literary and musical interests, few dates. I signed up on MySpace only so that my fiance could list me as her betrothed.
My generation is no more privacy or security savvy than my parents. We simply have different means of search and distribution.
Facebook may also collect information about you from other sources, such as newspapers, blogs, instant messaging services, and other users of the Facebook service through the operation of the service (e.g., photo tags) in order to provide you with more useful information and a more personalized experience.
We may use information about you that we collect from other sources, including but not limited to newspapers and Internet sources such as blogs, instant messaging services and other users of Facebook, to supplement your profile. Where such information is used, we generally allow you to specify in your privacy settings that you do not want this to be done or to take other actions that limit the connection of this information to your profile.
As someone who (still) maintains a Facebook profile I don't think it's quite right to call this a privacy issue. No privacy was lost, because your information was available to the same people in both cases. The problem was that the news feeds presented personal data to passive viewers rather than active viewers. Someone who aggregates all that data, manually or with a script or with someone else's script is making a choice to actively seek that information. The news feeds present the same data to passive users; users who take no action to get it, and in many cases don't even want it. Presenting all this wholesale for everyone to peruse casually at each login was (for me) what caused the outrage. It doesn't seem to fit into my usual notions of privacy and data control, but what else can you call it?
The instant you connect to another site you lose a little bit of privacy and it only gets worse the longer you stay, the more you type, and the more you upload; such is the nature of the Beast.
What I don't understand is the apparent outrage and subsequent 'revolt' by Facebook members that their publicly available 'personal' information can be easily aggregated for all to see, but no such call to action is seen when the government ubiquitously continues to gather the same information and more. Has the erosion of civil liberties been accepted, purportedly in the name of fighting terrorism? Or, are the masses simply more willing and able to take on business (whether the violation is real or perceived) than to challenge the bureaucracy and secrecy of government?
This is an education problem. As Bruce pointed out, once the information is out there it is only a matter of time and interest before somebody indexes and cross-references it.
Users of social websites need to be told this. In bold type. Near the submit button.
I wanted to clarify that Facebook did not change the privacy options. There was absolutely no change to the information that was available to other users. The only change that occurred with the introduction of "the feeds" was that all information which users had previously CHOSEN to reveal to their friends/network was combined into an easily readable and accessible format. Admittedly the method of delivery changed, but I think it is important to note that none of the actual privacy options changed.
>They don't connect posting things on the internet with reality.
Something that Bruce and the commenters so far have not mentioned is that many, or most, regular users of Facebook have a "Friends" list that reaches into the triple digits.
These highly active, vocal users disliked the Facebook feed because of two things.
1. There was so much activity on their feed (due to so many Friends) that it was near useless.
2. Some people listed as "Friends" were hardly that close in real life, so broadcasting Facebook updates to them was uncomfortable. Especially about details such as relationship status, and anything else perceived as personal.
If users only had a "Friends" list that included true friends instead of merely social bookmarks, there would have been much less outrage. People were, as it has been said, relying on security through obscurity in making updates to their profile while having massive Friends lists. The tools to control what your feed does/does not broadcast nicely handle any problems.
It's too bad, though. The feed was not to blame -- it was the gigantic Friends lists. If people adjusted their behaviour (by keeping a realistic Friends list), then everything would have been okay. However, not "Friending" someone can create worse undesirable social drama among high school and young college students.
In physical environments, there is a certain amount of "pragmatic privacy" provided by the physical layout. People across the room can't overhear your conversations, people in the kitchen can't see you in the bathroom.
In an online "environment", that sort of privacy can be provided by the UI structure itself, and the user community for any given forum (inter alia) will adjust their expectations and behavior to match that forum. When you change the UI structure without notice, that can seriously piss people off, because it disrupts the social structures they've built on top of that UI.
Yup David, exactly. The interesting question: should Facebook have caved to the complaints, as they did, or should they have explained that their users will need a one-time adjustment to their social structure, to accommodate an overall better experience?
Facebook needs an alternative to having someone listed as a full "Friend." Perhaps have a second list marked as "People I like" or be able to completely deny your feed to individual people, invisibly, and without any other change to their action. Of course, for some people, making that change for 200+ friends would be rather tedious, so they'd still complain. If the feed had been around since the inception of Facebook, the service would have been better off.
There appears to be a strong sentiment here that it is honourable to take advantage of the weak and the careless.
Closely associated, lies the conviction that it is discreditable of the victims to protest and immoral to suggest collective defense.
In the real world, this secondary list is called "Acquaintances".
I swear, if only more people would read Miss Manners' books, all this crap about friends, acquaintances, and privacy would be a lot less of a problem. And I'm not suggesting this just for the idea of general courtesy, but to remind gentle readers that even 100 years ago and more, there were scoundrels and social bounders who were NOT your friends. The more things change, the more they remain the same.
And now that I think about it, I recommend her books to Bruce, to Facebook, and to anyone else who really wants an understanding of privacy. Besides that, she's at least as witty and insightful a writer as Bruce is.
"What Facebook should have done was add the feature as an option, and allow members to opt in if they wanted to."
I agree 100%
I find it amusing that this generation is just figuring out that nothing that is posted to a public (or even semi-private) site, group or list should be considered private.
A friend at work wisely used pseudonyms when posting to usenet way back in the 80s. If his real name were attached to it now, some employers might shy away.
Given how easy it is to search 20-year-old usenet archives, plus the way companies change policies or get purchased and sell off or open up previously locked-up data, it's silly to think that anything posted anywhere that's even vaguely public will not be visible to absolutely everyone.
Don't post anything, anywhere that you wouldn't want your mother and your prospective employers or voters reading today or 20 years from now.
Making policy statements about your data is important, and I think the initiative called the Policy Aware Web is very interesting: http://www.policyawareweb.org/
Of course, it still remains to be seen if these policies will be respected, but knowing a person's preferences makes it a whole lot easier to follow them.
"How many members ever read that policy, let alone read it regularly and check for changes?"
A good fit for http://www.goodiff.org/ ...
This isn't a privacy issue. This is a gossip issue. It is a social network and there will be gossiping. Facebook just made themselves the biggest gossip in the world. People do not like gossips when they are talking about them personally. Facebook changed their policy on the feeds to avoid the fate of a gossip, being shunned, i.e., no one telling them personal information anymore. That is, members quitting.
Very generally speaking, if you're going to hang your personal info out in cyberspace and do not want it used by unauthorized persons, you should post in binary, maybe, or base 6 and a half. Although a little dated, remember "Let the buyer beware" always.
@David Harmon, that is a brilliant analogy and I hope that you don't mind that I'm already using it in feedback to LiveJournal (I quoted you). I can delete my comment there if it really bugs you, though.