Is Everything on Facebook Public?

Facebook has been home to no shortage of awkward or destructive moments for some users with one woman getting fired for speaking ill of her boss, another woman losing insurance benefits after the company dug up photos of her on holiday and thirteen employees of Virgin Atlantic being sacked for comments made on the website. It is clear that many users willingly put up private information without due consideration of the consequences of certain eyes viewing it.

Did these users bring it on themselves? Is Facebook responsible for its handling of privacy in these cases and similar ones? Facebook has certainly been under attack a lot for “privacy concerns”, so what can be done about it if these attacks are justified?

Even for non-incriminating data, fears and controversy have been bubbling over Facebook’s alleged lack of respect for privacy either by changing the default privacy settings for personal information to be more permissive over time or by holding personal information indefinitely (however it is now possible to delete permanently should users so wish). The issue is particularly controversial again in light of a 2004 instant message conversation involving Facebook founder Mark Zuckerberg showing a lack of concern for people’s private information, albeit at a time when Facebook was a small website just for Harvard and not the global business it is today.

Whilst the behaviour of Facebook and its founder can be criticised in several ways, how much do users have themselves to blame for a lack of protection of their own information? In fact, while discussing Mark Zuckerberg’s comments from 2004, one Facebook user made the following assertion:

Everything you post on Facebook is public. If you don’t want it public, don’t post it.

One could be forgiven for being incredulous that people would willingly post information on a public website that is private in any way. That we see so many examples of information being shown to an unintended audience suggests that the privacy controls Facebook provides to allow users to restrict who sees what information are either ineffective or aren’t being used.

If the latter case were true, the public exposure of things intended to be restricted to a private audience is indeed attributable to the carelessness of the users in question. However, what if there is more truth in the former and blame can be placed on the privacy settings themselves? Perhaps they are not a good way to control the spread of your information?

The nature of the Internet and the World Wide Web is that data are copied at near instant rates with little to no effort nor expense. The result is that a compromising photograph or slip of the proverbial tongue need only be seen and copied by one person for one no longer to have full control thereof. Celebrities and organisations that try to get bloggers to take down private or copyrighted images and information fight an uphill battle against the Streisand Effect — a phenomenon where attempts at censorship usually result in the target information being spread even more widely than it otherwise would have been.

With this in mind, it could be said that the only way not to have private information on Facebook leak out is not to put it there at all. This approach treats Facebook as an entirely public website. Whilst the privacy controls can keep a lot of things restricted to friends only, one should still only puts up things that wouldn’t be catastrophic if they leaked beyond that circle.

This does sound like a safe absolute, but does it preclude some of the benefits and user needs of social networking? Is it possible to maintain the utility of a social website whilst simultaneously having true control of private information?

At a very basic level, social websites such as Facebook operate as a self-updating address book. Friends, contemporaries and colleagues can all change telephone numbers, addresses and email addresses over the years. Thus having one point of access to find the current email address or mobile phone number of someone is certainly convenient. Even the inversion of that process — whereby a user can change their mobile number in one place and know all their contacts have the updated version automatically — has benefits.

However, we do not necessarily want our contact details harvested by anyone outside of our circle of trustworthy people and moreover certainly not by spammers. In light of this, there is a need for this information to have access controls with which to restrict to friends or even a subset thereof.

This is still subject to the same problem that one of your friends need only pass the details on for the information to have leaked outside your trust circle, but this is no worse than what we had before in that one cannot stop one’s mobile number being given away by someone who already knows it.

This is not to mention all the private conversation users may wish to have amongst friends whether it be one-to-one correspondence or discussions within a select groups. Clearly, the ability to restrict access to such things is useful.

So, assuming we not only have a need for some level of privacy in our interactions on social networks, but we competently use the appropriate settings to control it, is there still any need for concern? Facebook’s targeted advertising effectively monetises your user information and with the past record of criticisms over its treatment of privacy, can we trust the company at all with even modest amounts of personal data? Are the privacy settings effective enough?

We can look back well before the formation of Facebook to find people were communicating over computer networks for quite some time. One of the longest-running systems is that of email itself. Many people have few reservations about engaging in very private conversations via email with a justified expectation that their discourse will not automatically appear to the public eye.

Yet many people use free services such as Gmail, Hotmail and Yahoo to send, read and store all their emails. They have willingly allowed a third party storing every conversation they’ve had, perhaps even after deleting the email (it’s not unlikely that many services would keep backups for 30 days or some other period of time). So, what’s different here? Why is there not a privacy scare once a week over leaked emails?

The key difference here is that email is not one website or service. SMTP which still defines how email is sent over the Internet was first defined in 1982 and is a fully open standard that any person or service may freely implement. This allows Hotmail users to send emails to Gmail users and Gmail users to send emails to a company’s own email system with few problems. This contrasts the “walled garden” approach of Facebook from which you cannot possibly send messages to Myspace or Bebo. Furthermore, there is in fact no real way for users of any of the major social networks to interact outside of their own website.

So, why should Facebook knock down those walls and let people interact with Myspace users? Isn’t that their own decision? In a competitive marketplace, why should companies be forced to encourage users to move to rival websites? It is a common free market mantra that freedom comes from not regulating companies too much, but paradoxically consumer choice can be increased with the right regulation in the right places.

The US government has brought many legal actions against Facebook and the very fact they are so concerned with the privacy problems demonstrates there is a perception of an issue for society’s well-being in general if they are allowed to proceed unchecked. Breaking down the walls and forcing interoperation between services — just as we already have with email — could be a simple and elegant way to do address these issues with economic pressures, rather than fire-fighting with litigation.

Unintentional and arguably deliberate abuses of privacy from a website that knows its userbase will barely wane as a result is behaviour idiosyncratic of a monopoly — a company that doesn’t have to woo customers has much more of a carte blanche to behave as it wishes. Noting that there are few fears over Hotmail, Yahoo or Gmail giving away private email data, it is clear that an email service values maintaining loyal customers over taking risks that could jeopardise people’s confidence in the service.

Were Facebook to be operating with the possibility that people would walk away over scandalous behaviour — not a realistic option while people can only contact their Facebook friends through the site itself — it’s very likely they would be more cautious with how they treat their customers.

So, how exactly would Facebook open up its walled garden and interoperate with other websites? The key step is to define a standard protocol just as email has SMTP. Once there is an established mechanism for a user to have a “profile” page on any website and for that user to nominate identities that may or may not see more information than the public can, we already have the crux of a social network.

Not only does this give people the ability to jump ship to another service if they are unhappy with their current one in any way, but they can — just as with email — set up their own “ship” by enabling their own website as their personal profile page. This gives ultimate trust for those with a desire to have total control of their data. By extension, a company can run its own internal social network as part of an employee/phone directory that interoperates with other networks (and the profiles act as an electronic business card), but with the ability to configure limits on how much employees can make public. This is analogous to companies running their own corporate email system to protect and control the uses of business inboxes.

Such a mechanism would give customers true consumer freedom and exert the appropriate pressures Facebook arguably needs in order to be more respectful of people’s information. With that incentive, Facebook could more readily be a repository of private information without fear that it could all end up public, be it through carelessness or malice.

Large companies like Facebook can easily handle several prosecution cases a year and while they maintain a walled garden whereby users cannot easily leave for another service, it seems these cases will have little effect on their numbers. Perhaps a stronger and simpler incentive would be the economic pressures from true consumer freedom.