Michael Zimmer.org

A few days ago I blogged about how I was able to check my wife into a local liquor store using Facebook Places without her permission, despite Facebook’s insistence that “No one can be checked in to a location without their explicit permission”. This check-in has remained visible in my news feed, and depending on my privacy settings, may be viewable by any logged in Facebook user. Presumably there also is a database at Facebook that contains a record of my checking-in my wife into this location. Again, all without my wife’s explicit consent to participating in this new “feature”. Now, four days later, my wife had a chance to react to the notification she received from Facebook regarding my tagging her, and I thought I’d share a few more reactions to her attempt to opt-out of Places altogether.

Facebook has finally launched its location-based service: Places. Places allows Facebook users to “check in” wherever they are using a mobile device, and let’s their friends know where they are at the moment.

Facebook has tried to do a better job addressing privacy with Places compared to previous launches of new “features”. Particularly, Facebook brags that “no location information is associated with a person unless he or she explicitly chooses to become part of location sharing. No one can be checked in to a location without their explicit permission.”

But as I’ve played around with the service, I’ve uncovered a problem with Facebook’s assertion that “no one can be checked in to a location without their explicit permission.”

In response to recent Facebook privacy fiascoes — the privacy upgrade downgrade and inevitable backtracking, Zuckerberg’s (and other exec’s) various ill-informed remarks, etc, etc — I’ve co-authored an op-ed with Chris Hoofnagle, the director of information privacy programs at the UC Berkeley School of Law’s Center for Law & Technology, where we criticize Facebook’s “perfection of privacy public relations.”

The piece appears in The Huffington Post, and is titled “How to Win Friends and Manipulate People”. Here’s an excerpt:

These events represent the perfection of privacy public relations. Guided by earlier battles fought by tobacco and drug companies, information-intensive firms have learned how to use rhetoric to distract the public while successfully implementing new programs. They are the Machiavellis of privacy.

GigaOm highlights an interview with Nancy Baym, associate professor of Communication Studies at the University of Kansas and author of Personal Connections in the Digital Age, on the limitations in Facebook’s approach to privacy.
The interview covers various important issues, but Baym’s main concern is that Facebook has a “fundamentally naive and Utopian” view of what privacy means online, stemming  from the fact that the company is run by “a bunch of computer science and engineering undergrads who don’t know anything about human relationships.”
I agree. I …

By now, this series of events is very familiar:

Facebook launches new “feature” with little or no warning
Feature is automatically activated for millions of users
Users get confused and angry
Backlash and criticism occurs; users threaten to leave
Zuckerberg blogs that he has listened, tells you everyone really wants to share everything, but in the end backtracks a bit

This happened with NewsFeed, Beacon, changes to Facebook’s terms of service, and so on. And it happened again today.
Amid the rising criticism about recent changes, Facebook announced new privacy settings and practices, promising users more, …

On Sunday, Facebook’s Mark Zuckerberg finally broke his silence regarding the most recent spate of privacy problems with his social networking service, and published an op-ed in the Washington Post titled, “From Facebook, answering privacy concerns with new settings.”

I finally got around to giving it a close reading today, and my initial reaction was visceral — it pissed me off. In just over 500 words, Zuckerberg succeeded in sounding condescending, bragging about things Facebook can’t really brag about, and over-simplifying the core issues at hand. But in the end this doesn’t matter, because I don’t even think Facebook’s 400 million users were the intended audience.

Last Friday (May 21, 2010), I had the great pleasure of being a guest on Science Friday, the weekly science and technology show hosted by Ira Flatow, airing live each Friday on NPR’s popular Talk of the Nation radio show. The show’s topic was Protecting Your Privacy On Social Networking Sites, and I was joined by Rich Mogull of Securosis, and Kevin Underhill, a lawyer and author of the “Lowering The Bar” blog.
You can listen to the entire show, and read the transcript, here. (Apologies for any …

The May 31st Time magazine cover story is on Facebook and privacy. It is pretty much a straight recap of recent privacy issues and debacles surrounding the social networking company. Nothing all that new.
But one passage caught my eye (emphasis added):
Zuckerberg believes that most people want to share more about themselves online. He’s almost paternalistic in describing the trend. “The way that people think about privacy is changing a bit,” he says. “What people want isn’t complete privacy. It isn’t that they want secrecy. It’s …

In Facebook’s vice president for public policy Elliot Schrage’s infamous Q&A session with the New York Times readers, he made this statement:
The privacy implications of our ads, unfortunately, appear to be widely misunderstood. People assume we’re sharing or even selling data to advertisers. We’re not. We have no intention of doing so. If an advertiser targets someone interested in boats, we’ll serve ad impressions to people with ‘boats’ on their profile somewhere. However, we don’t provide the advertiser any names or other personal …

Facebook’s Mark Zuckerberg has a history of speaking his mind on privacy, and what he speaks is often fraught with problems, ignorance, and arrogance. But, today, I found a new statement that brings Zuckerberg’s hubris to a new level: “Having two identities for yourself is an example of a lack of integrity.”

According to Zuckerberg, the person responsible for the world’s most popular website for sharing information about oneself, wanting to manage your flows of information in such a way that might present a different version of your “complete” self to your friends, family, co-workers, and more distant friends shows a lack of integrity.

Zuckerberg must have skipped that class where Jung and Goffman were discussed…

In an attempt to stem the rising outrage over its most recent round of privacy failures — Instant Personalization & Connections — Facebook’s vice president for public policy, Elliot Schrage, answered readers questions at The New York Times’s Bits blog. As with other corporate expressions of Facebook’s approach to privacy, his answers reveal a gross misunderstanding of the nature of privacy in our (social) networked world.

Like many, I am considering leaving Facebook due to its most recent round of privacy failures — Instant Personalization & Connections — which represent only the latest in a continuing de-evolution of privacy protection on the popular social networking platform.
But what will happen if I remove data from my profile, or delete my account altogether?
Facebook’s Privacy Policy notes the following in section 7. How You Can Change or Remove Information:
Limitations on removal. Even after you remove information from your profile or delete your account, copies of that information may …

Facebook recently announced a variety of proposed changes to its Privacy Policy and Statement of Rights and Responsibilities. The changes to these governing documents point to the following matters, each with its own unique privacy implications: hints of a new location-based service, clarifying that sharing with “Everyone” means everyone, and, most notably, that Facebook may share your visible data directly with certain third party websites.

This final point has gotten significant attention, but would like to point out a few aspects of Facebook’s new language that reveals — yet again — that Facebook simply fails to understand the nature of privacy, especially in our online information ecosystem.

Speaking of the research ethics related to automatically harvesting public social networking data, we are confronted this week with the story of Pete Warden, a former Apple engineer who has spent the last six months harvesting and analyzing data from some 215 million public Facebook profile pages.
According to Warden, he exploited a flaw in Facebook’s architecture to access public profiles without needing to be signed in to a Facebook account, effectively avoiding being bound by Facebook’s Terms of Service preventing such automated harvesting of data. As a result, he amassed …

I’m currently in Savannah, GA to participate in a workshop on Revisiting Research Ethics in the Facebook Era: Challenges in Emerging CSCW Research at CSCW 2010.
This is my first time at CSCW, and looking at the set of papers for this workshop, it should be an excellent experience. I’ve submitted a brief analysis of the “Tastes, Ties, and Time” Facebook dataset release (my larger paper is going through its final edits for publication). You can download the short analysis here: Subject Privacy and the Release of the “Tastes, …