This time, it’s Randall Stross at the NY Times, in a column “When Everyone’s a Friend, Is Anything Private?“:

Facebook has a chief privacy officer, but I doubt that the position will exist 10 years from now. That’s not because Facebook is hell-bent on stripping away privacy protections, but because the popularity of Facebook and other social networking sites has promoted the sharing of all things personal, dissolving the line that separates the private from the public.

As the scope of sharing personal information expands from a few friends to many sundry individuals grouped together under the Facebook label of “friends,” disclosure becomes the norm and privacy becomes a quaint anachronism.

Facebook’s younger members – high school or college students, and recent graduates who came of age as Facebook got its start on campuses – appear comfortable with sharing just about anything. It’s the older members – those who could join only after it opened membership in 2006 to workplace networks, then to anyone – who are adjusting to a new value system that prizes self-expression over reticence.

No, no, NO.

Self-expression and the popularity of a platform for “the sharing of all things personal” doesn’t mean that privacy has become a “quaint anachronism”. Just the opposite. The importance of privacy — and the importance of understanding the complexities of what we think of as privacy — has emerged as issue #1 wrt online social networks. This is obvious to anyone who witnessed the reactions to Facebook’s News Feed or Beacon (which wasn’t just “over-30 graybeards”), or who follows the excellent scholarship & commentary on privacy in social networking sites (like danah boyd or Bill McGeveren or Dan Solove or Fred Stutzman, just to name a few).

Stross likely doesn’t realize it, but he’s right that sites like Facebook have “[dissolved] the line that separates the private from the public.” In few realms of our lives can we truly identify a strict dichotomy between public and private information. Instead, everything is contextual. And, yes, that’s what makes thinking about privacy difficult, but that doesn’t mean we throw in the towel. Instead, we accept the challenge and work to create policies and build technologies for the sharing of information that properly reflect a contextual notion of privacy, rather than a binary one.

And if less than 20 percent of Facebook users change their privacy settings, as Stross reports, that doesn’t mean we simply say privacy is now quaint and wash our hands of the affair. Rather, we must work to educate users and give them the tools to manage and control their personal information flows.

We have much work ahead of us, friends….

UPDATE: Please read Fred Stutzman’s excellent (as expected) analysis of Stross’s article here, including a criticism of much of Stross’s statistical assumptions (I was too upset to even attempt that level of refutation).

And, for the full takedown, read our friends at Sex, Drugs, and Intellectual Freedom.

A few days ago, Gilad’s eyes opened wide and he called me over to look at his computer. He was on Facebook and he had just discovered a privacy loophole. He had maximized his newsfeed to get as many photo-related bits as possible. As a result, he was regularly informed when his Friends commented on other people’s photos, including photos of people with whom he was not Friends or in the same network as. This is all fine and well. Yet, he found that he could click on those photos and, from there, see the entire photo albums of Friends-of-Friends. Once one of his Friends was tagged in one of those albums, he could see the whole album, even if he couldn’t see the whole profile of the person who owned the album.

There are multiple explanations for what is happening. This may indeed be a bug on the part of Facebook’s. It’s more likely a result of people allowing photos tagged of them to be visible to Friends of Friends through the overly complex privacy settings that even Gilad didn’t know about. Either way, Gilad felt as though he was seeing photos not intended for him. Likewise, I’d bank money that his kid sister’s Friends did not think that tagging those photos with her name would make the whole album available to her brother.

danah correctly sees this as yet another failure of technology designers to understand that privacy is inherently contextual.

danah also notes how “Facebook’s privacy settings are the most flexible and the most confusing privacy settings in the industry”. This conundrum is what prompted me to draft instructions for students on “How to Change your Facebook Privacy Settings”. (Next I plan to make a YouTube video walking them through these various steps).

Finally, danah asks for more feedback regarding particular privacy settings within Facebook:

When I post a photo in my album, let me see a list of EVERYONE who can view that photo. When I look at a photo on someone’s profile, let me see everyone else who can view that photo before I go to write a comment.

This echoes many of the suggestions made by Kathy Dwyer in her recent presentation at AoIR on “Designing Privacy Into Online Communities”.

So much work to do here….

This afternoon I had the pleasure of presenting on a panel titled “Values in Design: Defining a Privacy-Aware Model for Web Access to Archives,” organized by Nancy McCall, Archivist at Johns Hopkins University Medical Archives, and her colleague Phoebe Evans Letocha. Our panel was chaired by Paul H Theerman,
the Head of Images & Archives, at the National Library of Medicine. Here is the panel description:

Philosopher Helen Nissenbaum‘s construct of contextual integrity addresses challenges for protecting privacy in the age of information technologies. It is especially relevant to issues that archivists face in managing holdings in a digital environment. Focusing on ways the construct may apply to archival theory and practice, the speakers demonstrate how contextual integrity may be applied to archival models on the Web and to current processing standards, as well as best practices that may be applied to minimally processed collections.

I opened with a broad discussion of contextual integrity (my slides in PDF form), followed by more detailed presentations by Nancy and Phoebe related to their attempts to use CI as a framework for creating access models for medical archives.

What I found most striking about our discussion was the while much of my own use of contextual integrity has been as a tool to expose hidden or overlooked privacy concerns, the archivists at Johns Hopkins are using CI as a framework to help create more contextually-aware schemes to enable access to the archives for research purposes, access which is often constrained by HIPAA. Contextual integrity has afforded them greater flexibility in making access decisions to the archives. Very cool.

UPDATE: I’ve also uploaded my slides to the panel’s wiki page, and will try to get Nancy and Phoebe’s up there as well.

Given that I have less control over who can see my profile at Facebook, there is some information I’m simply not willing to share on that platform. But since Moli provides me a simple way to manage multiple personae, it is perhaps more likely that I would divulge more personal information. If I can create 4 different personae (say, one highlighting my professional life, one detailing my music and cultural interests, one focusing on my sexual fetishes, and one for my family members), I certainly will be disclosing much more personal information than my single Facebook profile. And while I can set the privacy levels for each profile, Moli gets to see it all….all linked to my single account with a common e-mail address, zip code, birthdate and gender.

Well, Moli was paying attention, and contacted me in order to address my concerns and discuss their platform and technologies in more detail. So, a few days ago, I had a wonderful phone call with Moli’s president, Judy Balint, and a few other of their technical and marketing people. They made it clear that they designed the technical infrastructure that Moli uses with concerns about privacy at the front of their mind. In fact, as many of the execs come from the financial industry, they took the approach of considering users’ social networking data like financial transaction data, and build in the kind of security and privacy measures that you’d expect to see at an online broker. Approaching the design of a social networking site as if you have a fiduciary duty (they didn’t use that term, but it seems apt) with respect to users’ data seems like the right way to go.

The folks at Moli also pointed out that the registration data collected from users (e-mail address, zip code, birthdate and gender) is stored in separate databases than their profile data. Also stored separately is any clickstream data they collect from users when using the site. They made it clear that these different sets of data are never combined for marketing purposes, and that any data analysis is done on aggregate numbers. While this is good practice, it doesn’t mean the three sets of data couldn’t be merged or queried against each other if necessary. If someone wanted the registration info for a certain profile, Moli certainly would be able to provide it. That’s the broader concern, and it isn’t just paranoia — remember that Brazilian officials requested Google provide user information based on activity on their social networking site Orkut. Of course, this isn’t a problem unique to Moli, but if my fears are correct that users might share more personal information with Moli that they might on other social networking sites, the potential harm is greater.

Again, I applaud Moli for understanding that privacy is contextual in nature, that I might share some personal information in one context and not another. Designing a system to allow me to manage my privacy between contexts is an important step forward. And ensuring that profile data is segregated from registration data also shows their commitment to protecting user privacy. Dangers still exists, but hopefully their focus on designing for privacy will exert pressure on other social networking services to build in more privacy protections as well.

In the wake of mounting criticism, Facebook executives are discussing changes to a controversial advertising tool that publicizes users’ Web activities outside of the popular social network. Alterations to the recently introduced Beacon system could be announced as early as Nov. 29, BusinessWeek.com has learned.

Executives of the three-year-old company were in deep talks over proposed changes late into the afternoon on Nov. 28, according to a person familiar with the matter. At issue is the Beacon program, which alerts members’ Facebook “friends” to purchases and other activities on third-party Web sites. A spokesperson for the company declined to discuss changes, reiterating an earlier statement: “Facebook is listening to feedback from its users and committed to evolving Beacon.”

I’m worried that any action will be too little and too late.

In September of 2006, Facebook launched the mini-feed, ignoring (as I’ve mentioned previously) how the new “feature” impacted the norms of personal information flows — that the contextual integrity of the flow of information within Facebook was disrupted. When they tried to address the concern, the expanded privacy settings were defaulted to the maximum sharing of personal information — hardly a stance revealing a commitment to protecting user privacy. (We also must not forget that the mini-feed was automatically activated for every user.)

Now, a year later, they repeat the same mistakes. In pursuit of advertising revenue, Facebook builds a system whereby Facebook cookies are retrieved at third-party e-commerce sites, users are given 20-seconds to opt out (the default is to participate, and the screen disappears with the option still checked if no action is taken), and users’ likenesses are appropriated to shill for products. With all this, Facebook has again disrupted the contextual integrity of personal information flows, and made it difficult for users to opt-out of the potentially privacy-threatening situation.

I fear any attempt by the execs at Facebook to save face (and stave off an FTC investigation) will fall short.

QUICK UPDATE: Facebook has indeed made changes — more here.

• Social Ads: Allows marketers to target ads based on user profile data, and also places brand-related events within a user’s news feed. For example, if I rate or rent a video from Blockbuster.com, that off-site activity is noted in my Facebook mini-feed, along with an advertising message from Blockbuster.

• Beacon: Provides a way for Facebook users to declare themselves fans of a brand on other sites and send those endorsements to their Facebook feeds. This is the code that allows Facebook to display my brand interactions off-site. Victoria Secret can activate Beacon, and my purchases there can be displayed on my Facebook profile.
• Insights: Aggregation and visualization of marketing data that goes deep into social demographics and pyschographics which Facebook will provide to advertisers in an aggregated, anonymous way.

Together, these “enhancements” result in a dramatic shift in personal personal information flows. User data intended to enhance one’s social interaction on Facebook is now shared with marketers. And transactions on off-site properties now can flow into one’s social interactions.

Unfortunately, I have been much too busy to keep up with this story, let alone blog on it extensively. Thankfully, others have provided all the necessary insight regarding the multi-faceted privacy concerns implicit in Facebook’s new ad strategy.

(Links and analysis continue after the fold)

Fred Stutzman, naturally, has been all over the story. (If you’re interested in social networking, and not ready Fred’s blog, you’re missing out.) His initial reaction:

[H]ere’s my couple-sentence version: SocialAds = deep targeting using your profile and network data, Project Beacon = your friends (and Facebook) know when you buy stuff on other websites.

Facebook has fulfilled its destiny: it is now Adbook. The data you share in Facebook is incredibly rich. Marketers can target based on your interests (You like Dylan? Buy the box set.) or your friends interests (Seven of your friends love Crocs, buy some Crocs.). Take the internal data, and mash it with the external data collected from Beacon – and you’ve got some seriously powerful targeting information.

He warns that “Facebook must approach this new turn with caution, this is a critical moment.”

Stutzman follows-up with an excellent post comparing Facebook Ads to the News Feed debacle, where Facebook disrupted the norms of information flow by automatically distributing users’ profile updates to all of their friends. With Facebook Ads, our privacy boundaries are similarly challenged:

In the case of Newsfeed, Facebook users were forced to reconceptualize their audience. Nissenbaum’s Contextual Integrity theory explains our reaction to Newsfeeds; the reshaping of privacy norms is a traumatic event. Beacon is somewhat different, so I want to lean on Altman for my explanation. With Beacon, Facebook’s boundaries are remapped. Users will be forced to realize that their Facebook identity “follows” them through the web. As a result, Facebook users will be forced to reevaluate all of their activities on the social web.

…For the past six months or three years, we’ve been cultivating our persona in Facebook. We’re used to boundaries, we know where Facebook ends, and we can segment Facebook as a “part” of our social web experience. With Beacon, Facebook users will be forced to confront the interconnection of their Facebook identity with the social web; the boundaries that existed previously no longer apply. Altman argues that our cognition of privacy boundaries are based on observable, mappable phenomena. We know that our homes are private because people can’t see through walls. With Facebook Beacon, the walls that we used to understand are gone – our identity, designed for a single place with focused interaction, now follows us everywhere. This is extremely significant.

Stutzman has also sniffed some of the actual data flows present when using Beacon, as well as a link to instructions for blocking it.

Complimenting Stutzman’s important privacy analysis from a social/cultural perspective, there are important legal implications with Facebook Ads. Thankfully, Dan Solove at Concurring Opinions is on top of it. In particular, he questions whether Facebook has properly gained user consent to use their likeness in the Social Ads (note how the user’s profile image appears in the Social Ad included above):

What is deemed to be valid consent to appear in the ads? It seems as though Facebook might be assuming that if a person talks about a product, then he or she consents to being used in an advertisement for it. But such an assumption might be wrong, and the use of a person’s name or image in an advertisement without that person’s consent might constitute a violation of the appropriation of name or likeness tort.

According to the Restatement (Second) of Torts § 652C: “One who appropriates to his own use or benefit the name or likeness of another is subject to liability to the other for invasion of his privacy.”

To avoid violating this tort, Facebook should first ask a user, before using her name or likeness, for permission to do so in an advertisement. Otherwise, the user might have an appropriation claim. It is wrong to assume that just because a user visits a website or rates a product highly or speaks well of a product that the user wants to be featured in an ad.

Bill McGeveran continues this thread, noting how privacy law treats things differently when personal data is used for advertising purposes:

Privacy law, as it should, treats advertising uses differently from other uses. One of the four common-law privacy torts forbids “appropriation.” Specifically: “One who appropriates to his own use or benefit the name of likeness of another is subject to liability to the other for an invasion of his privacy.” (Restatement (Second) of Torts Section 652C) Even more significantly, several states including New York and California have statutory provisions that are similar. New York’s well-known statute creates both a misdemeanor and a civil cause of action for “[a]ny person whose name, portrait, picture, or voice is used within this state for advertising purposes or for the purposes of trade without the written consent first obtained.”

I don’t see how broad general consent to share one’s information translates into the specific written consent necessary for advertisers to use one’s name (and often picture) under this law.

…The famous 1902 case that led directly to adoption of the New York law (and eventually to the tort as well) involved a teenager whose picture was used without her consent on advertisements for flour. Look at the Facebook ads and see if they seem any different to you.

McGeveran expands on these, and similar, legal issues in a follow-up post, concluding:

There is so much power and promise in various embodiments of social networking. But the privacy issues involved are profound and I am concerned that this Social Ads innovation may indicate a cavalier attitude to consent and an incorrect presumption that social networkers don’t care about their privacy. They do, they should, and so should the companies seeking to harness the power of social networks for their own benefit.

Elsewhere, David Weinberger provides a key summary of how the default settings for Facebook Ads are transforming privacy norms by forcing users to acquiesce to the collection of personal data:

When Blockbuster gives you the popup asking if you want to let your Facebook friends know about your rental, if you do not respond in fifteen seconds, the popup goes away … and a “yes” is sent to Facebook. Wow, is that not what should happen! Not responding far more likely indicates confusion or dismissal-through-inaction than someone thinking “I’ll save myself the click.”

Further, we are not allowed to opt out of the system. At your Facebook profile, you can review a list of all the sites you’ve been to that have presented you with the Facebook spam-your-friends option, and you can opt out of the sites one at a time. But you cannot press a big red button that will take you out of the system entirely.

And Nick Carr is, predictably, critical of the entire value proposition:

Facebook, which distinguished itself by being the anti-MySpace, is now determined to out-MySpace MySpace. It’s a nifty system: First you get your users to entrust their personal data to you, and then you not only sell that data to advertisers but you get the users to be the vector for the ads. And what do the users get in return? An animated Sprite Sips character to interact with.

Soon, I’ll have more time to properly grok the implications of Facebook Ads and post my own thoughts…

Here are the first few paragraphs of my contribution:

Privacy and Surveillance in Web 2.0:
A study in Contextual Integrity, and the Emergence of “Netaveillance”

This talk is an attempt to collect and organize some thoughts on how the rise of so-called Web 2.0 technologies bear on privacy and surveillance studies, focusing on two important considerations.

First, since many Web 2.0 platforms are built on the open flow of personal information, one commonly hears statements that users have no expectations of privacy when using such tools, that they don’t care that the whole world knows about their life, or that Scott McNealy’s famous quotation – “You have zero privacy anyway; get over it” – really has come true. I argue this is not true, and that users of Web 2.0 applications do maintain particular formulations of personal privacy. What has emerged with Web 2.0 systems is a more complex notion privacy – not simply based on secrecy or a strict public/private dichotomy – but a more nuanced and contextual notion of privacy. I’ll show how the theory of “privacy as contextual integrity” provides a useful framework to consider privacy in a Web 2.0 world.

Second, even considering a more contextual notion of privacy in the Web 2.0 universe, the fact remains that many users of the systems openly share streams of personal information, while also surveilling the personal information made available by friends and strangers alike. Instances of peer-to-peer surveillance, amateur data mining, etc abound in the Web 2.0 world. Many of us seek to understand the conditions under which these kinds of socio-technical systems have emerged, and what effects they might have. To help us understand and explain this phenomenon, I’ll introduce the term “netaveillance,” which might provide a useful concept around which a more robust theory of surveillance about the Web 2.0 phenomena might be built.

The text of my talk is here, and the slides are here (both PDFs).

Our panel also featured excellent contributions by Malene Charlotte Larsen, Anders Albrechtslund, Ingrid Erickson, Ben Light & Gordon Fletcher, Trevor Pinch, and a response by Søren Mørk Petersen.

A similar thing happened during a public event showcasing the final projects for class I taught a few years ago. One student’s project was to assess to privacy implications of social networking sites, so he printed out the Facebook page of each student in the class and distributed them at the public event. His fellow students were aghast that their profiles, while (relatively) openly displayed online, were now being distributed on paper.

While these examples seem like lessons on how one needs to be cautious of the personal information posted on social networking sites, McGeveran correctly points out how the professor’s actions (and the student’s in my class) violated the contextual integrity of the original posts on the Facebook site:

Compelling students to read their Facebook profiles in class like this wrenches personal information out of its proper context and puts it in a radically different space with different conventions and assumptions. Furthermore, social networking sites have privacy settings — maybe this woman took advantage of them and restricted access to her profile to her friends. And finally, changing context converts jokes and irony into something else. Acting as if everything you say could come out in a job interview would reduce our conversation to platitudinous pap. And that’s what Facebook is, a form of conversation.

Well said.

How quickly they forget.

Fred Stuztman reports (and if you’re into social networking theory and not reading Fred’s blog, you’re missing out) that Facebook recently began exposing profiles to be indexed by Google. Fred writes:

Granted, profiles are still private, but how will people feel about their profile being indexed in Google? At the same time, there seems to be no way to turn this functionality off, and Facebook help documents have no mention of this new “feature.”

These types of context-leaps have caused problems for Facebook in the past. When newsfeeds were turned on with no privacy, Facebook failed to understand that privacy was both quantitative and qualitative. A context jump from “searchable within Facebook” to “searchable in Google” is a big deal. The fact Facebook was not upfront with its users in saying “we’re going to be letting Google in to index our userbase” is troubling. Even more troubling is the seeming inability to opt in or out of this service. I’d rethink this approach.

The more things change….

UPDATE: Looks like David Dalka originally discovered this a few weeks ago, and demanded a “noindex option for my profile so that community users can fully see and search my profile when inside the community while not allowing outside search engines to index it.” Seems Facebook still hasn’t acted on this issue.

In the dissertation, I discuss in more detail how the growing shift in information-seeking activities from public libraries (as well as bookstores) to Google represents a potentially significant shift in existing informational norms regarding the collection and flow of personal information. More to come…