To close out the week, I’ve finally updated my quick guide for adjusting your Facebook privacy settings. Much has changed with the kinds of controls Facebook provides users, as well as what they let you control at all  (making the 2008 and 2009 versions highly outdated).

My new quick guide is not exhaustive — and Facebook’s help pages are actually quite helpful — but hopefully this can provide a starting point for controlling your privacy online. I especially recommend this for new and younger Facebook users. Details below, and a PDF handout is here.

Ways To Adjust Privacy Settings In Facebook

Have you been wondering how to be social on Facebook while still keeping your privacy under control? When you join a site like Facebook you take the chance of letting your private information run wild. By adjusting your privacy settings you’ll have more control over who sees what.

Dividing up your Friends

Is your mom really on the same level of friendship as your roommate? Is your boss on the same level as your drinking buddies? What to block certain content from an ex-boyfriend? Facebook allows you to organize your friends into different groups, which can later be used to determine who sees what.

To do this, go to https://www.facebook.com/bookmarks/lists. There’s a button at the top that says “+ Create List.” Clicking it allows you to create a list of your choosing, then add any of your friends to it. You might make lists like “high school friends” or “family” or “co-workers” or “only the best friends”.

Once you’ve split up all your friends into different lists—what’s next?

Control Who Sees What you Post

Facebook allows you to control who can see what you post using a special “audience selector” drop down menu. With each status update, photo upload, or information shared, you can click on the small “drop down” arrow to select the specific audience: public, friends, only me, custom, or one of the friends lists you’ve previously created.

Control your Default Privacy

You can also set a default privacy level of all the things you share. To get to your privacy settings, click the account menu (small blue down arrow) at the top right of any Facebook page, and choose Privacy Settings. Here you can select the default setting for you posts: public, friends, or custom.

Choose “custom” in order to select particular friends lists as your default visibility settings. You can also exclude individual people from seeing status updates or photos.

From this same privacy settings page, you can control if people can find you on Facebook, whether people can tag you in photos, your advertising and app privacy, and even whether people can view past posts.

How You Connect

These settings determine how people can find or connect with you on Facebook, including who can search for you via email or phone number, who can send you friend requests, or who can send you Facebook messages. The most open setting is “Everyone”, and the most private is “Friends” only.

Timeline and Tagging

These are important settings to control who can tag you in posts and photos, and who can see those tags:

• Who can post on your timeline?  This setting controls who is able to post on your own Wall and Timeline. The options are either “Friends” or “No one”.
• Who can see what others post on your timeline? When someone else posts on your Wall, you can control whether all friends can see that content, or only certain lists.
• Review posts friends tag you in before they appear on your timeline.  When a friend “tags” you in one of their own status updates, it will automatically appear in your own timeline, allowing your friends to view the item. You can change this setting so you must approve the tag before it will appear on your own wall.
• Who can see posts you’ve been tagged in on your timeline?  This setting controls the visibility of any tags you’ve approved (or that are automatically approved).
• Review tags friends add to your own posts on Facebook.  Sometimes a friend can add a tag to one of your own posts. These can be allowed automatically, or you can control and approve them with this setting.
• Who sees tag suggestions when photos that look like you are uploaded?  Facebook has advanced facial recognition software, so if it thinks it sees your face in a photo uploaded by someone else, it might suggest tagging that photo with your name. You can turn this feature off, or make it available to your friends.

Apps, Games, and Websites

On Facebook, your name, profile picture, gender, networks, username and user id (account number) are always publicly available, including to apps. Also, by default, apps have access to your friends list and any information you choose to make public.

You can edit these settings to control what additional information is shared with apps, games, and websites. You can also turn on “Instant Personalization” which links your Facebook account to external website (like Pandora) to view relevant friend activity off of Facebook.

Public Search

From the same “Apps, Games, and Websites” settings page, you can control whether your Facebook profile is visible on search engines like Google. Turn this setting off if you don’t want your profile page listed in search engine results.

 For more detailed help and descriptions, please spend time on Facebook’s own help pages.

For a moderate amount of time, I had been a “friend” with someone on Facebook, and we appeared to have full visibility of each others activities. Then, recently, I noticed that this person no longer appeared in my feeds or list of friends. I searched for this person on Facebook to no avail (zero results), and attempted to load this person’s Facebook profile using the custom URL, but was met with the standard error “The page you requested was not found”. This prompted me to assume that this person either (a) deactivated her/his page and left Facebook, or (b) un-friended me and tweaked the privacy settings to be essentially invisible to non friends. This didn’t bother me much, and I didn’t really think of it again.

Today, however, I noticed an update in my Ticker noting this person made a comment on some other Facebook user’s (not a friend of mine) page.  This particular action also was reported in my main News Feed. I found it quite odd that suddenly I was seeing updates from this ex-friend. I proceeded to search my friends list, and s/he wasn’t there. I searched for this person’s name, and still received no results. I tried to load this peron’s URL, and got the same error message.

However, when I clicked the user name (this person’s real name) in the status update, I was taken to her/his Facebook profile page, only it now was a different URL with a different username.** But it was my former Facebook friend: same photo, same basic info, etc. I searched the friend list, and I wasn’t there (as expected).  As far as I can tell, this person reactivated or recreated a new Facebook account, and simply decided not to friend me (fine). Yet, I’m not seeing activity from this person — this non Facebook friend — in my News Feed.

Has anyone else experienced this? Or have a possible explanation?  My only guess is that perhaps the user is using the same email address for the new account, and some code within Facebook recognizes that I used to be friends with someone using that email, therefore it is making activity visible to me. This is troublesome, of course, since people unfriend for various reasons, all with the presumption that Facebook activity will no longer be made visible to former friends.

UPDATE: I’ve now realized that this former Facebook friend and I do share one friend in common. So it is possible that her/his privacy settings allow visibility of actions to “Friends of friends”. I will investigate further….

** I should point out that the new custom username for this former Facebook friend is not, as far as I know, this person’s name. Nor does it appear to be any other version of her/his name. To compare, it would be as if I created a new Facebook account with the custom URL of /george.kerplanski. This new username — perhaps created to help obfuscate this user’s new account — appears to violate Facebook’s guidelines, which states “Your username should be as close as possible to your true name”.  I might be wrong about this, of course…

It is a well-written article, quite balanced, and features myself, the T3 principle researcher Jason Kaufman, and fellow Internet research experts Alex Halavais, Fred Stutzman, and Elizabeth Buchanan (I am friends with the latter three, for disclosure). The Chronicle also tracked down a Harvard student presumably within the dataset.

For those looking, my initial blog posts (from 2008) regarding the T3 dataset are here and here, and my full treatment of the dataset release was published here:

• Zimmer, M. (2010). “‘But the data is already public’: on the ethics of research in Facebook,” Ethics & Information Technology, 12(4), 313-325

I don’t want to rehash the entire article or episode, but would like to provide a few annotations:

The article does a nice job pointing out the dual challenges of “Researchers [who] must navigate the shifting privacy standards of social networks and their users”, as well as the “the committees set up to protect research subjects—institutional review boards, or IRB’s—[who] lack experience with Web-based research.”

These are critical revelations that we cannot take lightly. There is much work to be done to ensure researchers of all disciplines and levels recognize and respond to the complexities of engaging in this kind of research online, and that IRBs are sufficiently trained to recognize issues related to Internet research ethics.

To these ends, the Association of Internet Researchers (AoIR) has published an ethics guide (now undergoing revisions) as “as at least a starting point for their inquiries and reflection”, and we’ve held various workshops on the subject. Elizabeth Buchanan and Charles Ess have spearheaded important research on the IRBs’ awareness of Internet-related concerns, and have launched the Internet Research Ethics Digital Library, Resource Center and Commons website as a valuable resource.

And, specific to the article’s mention that I have “pointed to the Harvard case in urging the federal government to do more to educate IRB’s about Web research”, I was privileged to present before the Secretary’s Advisory Committee on Human Research Protections (SACHRP), part of the Office for Human Research Protections in the United States Department of Health and Human Services (HHS). Joined by Elizabeth Buchanan, Montana Miller, and John Palfrey (of Harvard’s Berkman Center, by the way), we discussed emerging ethical issues with Internet-based research and urged the committee to take steps to ensure IRBs and researchers were suitably trained to recognize and address these important ethical issues.

In the context of this entire debate (and some of the original comments left on my blog posts), this passage from the article is quite telling:

But Mr. Kaufman talks openly about another controversial piece of his data gathering: Students were not informed of it. He discussed this with the institutional review board. Alerting students risked “frightening people unnecessarily,” he says.

“We all agreed that it was not necessary, either legally or ethically,” Mr. Kaufman says.

Frankly, I’m troubled by this statement. I will leave it to legal experts to determine if the research violated the consent requirements of the Federal Regulations for the Protection of Human Subjects (45 CFR 46), but from an ethical standpoint, I argue the researchers did have an obligation to respect the intentions of those students who might have restricted their Facebook profiles to only be visible to members of the Harvard community. The researcher’s own codebook acknowledged that the assistants used to access the profile data might have had preferential access to a profile, and that “a given student’s information should not be considered objectively ‘public’ or ‘private’”. This realization should have triggered an ethical concern over whether each students truly intended to have their profile data publicly visible and accessible for downloading.

This is the crux of the issue, and my earlier attempts to learn if and how this apparent waiver of the consent requirement was deliberated by Harvard’s IRB were unsuccessful. Perhaps now we can gain a bit more understanding of why it was deemed that consent wasn’t necessary (and I hope it was a more nuanced decision than simply avoiding “frightening people unnecessarily”).

I agree with the article’s conclusion that the “biggest victim” in this episode is academic scholarship.

The uniqueness of this dataset is of obvious value for sociologists and Internet researchers, and it wasn’t my goal to shut down this research project. It is unfortunate the researchers haven’t been able to find a suitable means of re-releasing the data, but just like the AOL search data release forced us to rethink methods of anonymization before again releasing large datasets of transaction logs, I’m hopeful that this episode can prompt meaningful consideration and debate of our understandings of privacy, anonymity/identifiability, consent, and harm when it comes to Internet-based research.

Finally, I wanted to provide a brief response to the implicit accusation made in the article that I’m a part of some kind of “academic paparazzi”.

I’m not even sure what this means. Perhaps someone thinks I spend my time trolling through other people’s research hoping to find a place where they slip up so I can have a “gotcha” moment? Hardly. I had never written on research ethics until I came across this particular case. I saw a passing mention of the data release on another scholar’s blog, and the ensuing discussion there about how the presumed anonymity of the dataset should be questioned due to its unique data variables. So I started to explore, and my discoveries followed. I’m not out to get anyone, but rather have taken quite a number of proactive steps to help researchers (both the T3 team and more broadly) address these complexities.

The complexities of research ethics and methodology in today’s Internet-based environment is complex, and I’m just starting to scratch the surface. But I don’t take this lightly; I’m a scholar, not a paparazzo.

As I conclude in my full article:

The purpose of this critical analysis of the T3 project is not to place blame or single out these researchers for condemnation, but to use it as a case study to help expose the emerging challenges of engaging in research within online social network settings. …The T3 research project might very well be ushering in ‘‘a new way of doing social science’’, but it is our responsibility scholars to ensure our research methods and processes remain rooted in long- standing ethical practices. Concerns over consent, privacy and anonymity do not disappear simply because subjects participate in online social networks; rather, they become even more important.

I hope that’s the takeaway from all this.

Richard Metzger, whose Wall the photos was removed from, has shared additional details about the incident over at BoingBoing, which illuminated possible reasons for the images removal:

On Friday afternoon, one of my fellow bloggers at Dangerous Minds, Niall O’Conghaile did a quickie cut-n-paste blog post about a “kiss-in” protest scheduled for that night in London at a pub where two young men had been asked to leave earlier in the week because they were kissing. You can read Niall’s post here. He decided to use the above photo because he felt that it was inoffensive (Some outlets have reported that this photo came from the London “kiss-in” page on Facebook, but this is not true, it was Niall’s choice and he found it on Google Images).

I posted this to my own Facebook wall as a matter of course. I put up all of the Dangerous Minds content on my wall. Sometime mid-day is when this would have gone up.

I didn’t really pay that much attention to the matter, but before we went to sleep that night, my wife Tara McGinley, who also blogs at Dangerous Minds, mentioned that this heavy metal kinda guy “Jerry” had written a bunch of childish and homophobic things about this picture on my Facebook wall, saying that he found it “disgusting.” Predictably, a bunch of people jumped all over him and right around 10:30pm Tara noticed that “Jerry” had deleted all of his comments and vamoosed.

The next morning I woke up around 6am to find a note from Facebook waiting for me with the ominous subject “Facebook Warning” informing me that I had posted “abusive material” which they had removed.

Metzger presumes that “Jerry” reported the image/post as sexually explicit, and that set into motion some internal processes at Facebook that led to its eventual removal. (We’ll come back to this in a moment.)

Meanwhile, buried on the 6th page of comments from Metzger’s original post complaining of the photo’s removal is a comment left by “Facebook Communication, providing the following sterile message (screenshot):

Comment from Facebook: The photo in question does not violate our Statement of Rights and Responsibilities and was removed in error. We apologize for the inconvenience.

While this comment from Facebook has been lauded as a grand apology (and I, too, mistakenly thought that The Advocate had actually received an official statement from Facebook), Metzger doesn’t let them off the hook that easily:

The so-called “apology” touted by the likes of Perez Hilton, Pink News, The Advocate and even mainstream news sources like AOL, Huffington Post and Gawker, as if some kind of “victory” had been won by the LGBT community was nothing more than generic “Oopsie! We goofed” text left by a low level Facebook employee six pages in on the comments to the original Dangerous Minds post. …This supposed “apology” was nothing more than a “comment.”

…Furthermore, it’s not saying anything specifically about a gay kiss. This generic text could also refer, for example, to a photo of a breastfeeding woman that someone reported as “abusive” (their word not mine) to Facebook’s censors. Don’t break out the champagne so fast, folks.

I similarly bemoaned in my original post on the lack of any official comment, blog post, press release, or broader explanation by Facebook on how such an “error” happened, what kind of content review processes are in place, or any promise to take better care. I have heard from private, unofficial Facebook sources that “This was all a misunderstanding. None of the content was against our TOS”, but nothing else has been publicly stated on the matter.

So, where does this leave us? Even if we accept Facebook’s generic explanation as both accurate and sufficient in this instance, many unanswered questions remain. Critical questions, indeed, considering the cruel dichotomy of Facebook’s mission to “[Give] people the power to share and make the world more open and connected” and its unquestioned power to control the platform, and thus the conditions under which people are allowed to share.

Below I provide set a open questions related this incident, and I look forward to a public dialogue with Facebook to help address these issues and hopefully resolve some of these concerns.

1. What exactly happened? I think the first issue that needs resolution is an explanation of what exactly happened here. While we can’t expect Facebook to provide details of every case of content removal, this particular situation has caused significant concern — and misinformation — that it deserves specific attention. Facebook should let us know if the image was reported as offensive, and whether an employee then decided to remove it. I suspect a suitable, public explanation can be provided that won’t divulge any private or proprietary information.

2. What was the process? Assuming that the image was indeed removed by an employee (and not just some automated process), we deserve an explanation as to how that process works. Earlier versions of a help page noted that a “A Facebook administrator looks into each report thoroughly in order to decide the appropriate course of action”. The same page now indicates that “we remove reported content that violates our Statement of Rights and Responsibilities”. What internal processes exist to make these decisions? Who is authorized? What kinds of definitions and guidelines are provided to determine if something is offensive? Is it a single person who can decide, or must multiple people concur?

3. Has the help page changed? As previously noted, the screenshot of the relevant help page notes the URL string as “/help/?faq=17292″. If you visit this page now, the description has changed. Now there is no mention of a Facebook administrator, and the answer merely states “No, we remove content reported that violates our Statement of Rights and Responsibilities“. Either I’m not able to find the correct help page (and I’ve been trying), or Facebook recently changed the text. We deserve an explanation as to whether this language has been changed, and why. What is originally incorrect (that no administrator actually looks into each report), or has the process now been changed that makes that language obsolete?

4. Have any other processes changed? In general, has this incident prompted any other changes to internal processes within Facebook for dealing with reported content. What kinds of discussions have emerged in the wake of this controversy?

I hope to hear from Facebook, and will share whatever I can.

I few days ago, Facebook removed a photo of two men kissing from a user’s Wall due to an apparent violation of the site’s terms of service. Here’s the message the original poster received from Facebook:

Hello,

Content that you shared on Facebook has been removed because it violated Facebook’s Statement of Rights and Responsibilities. Shares that contain nudity, or any kind of graphic or sexually suggestive content, are not permitted on Facebook.

This message serves as a warning. Additional violations may result in the termination of your account. Please read the Statement of Rights and Responsibilities carefully and refrain from posting abusive material in the future. Thanks in advance for your understanding and cooperation.

The Facebook Team

This act of censorship has received considerable attention (some worthwhile discussions here, here, here, and here). Certainly, it is within Facebook’s right to try to control the type of content shared on its platform, and there are some social good to be gained through content filtering and censorship (i.e., you might want to censor child porn, or links to malware sites, etc).

But there are some fundamental concerns with this case, that point to a growing censorship problem within Facebook.

First, the message sent to the user indicated that “Shares that contain nudity, or any kind of graphic or sexually suggestive content, are not permitted on Facebook.” However, if you review the site’s much lauded Statement of Rights and Responsibilities, that particular language is not present. The Statement does include the directive “You will not post content that: is hateful, threatening, or pornographic; incites violence; or contains nudity or graphic or gratuitous violence” (3.7). Again, this is probably a reasonable restriction (although not completely without controversy). That said, no where in the Rights statement does it prohibit, or suggest a prohibition, on “sexually suggestive” content. It merely restricts pornography and nudity. Therefore, not only does Facebook misquote its own Statement of Rights and Responsibilities to the user when justifying the removal of content, it misapplies said Statement.

Elsewhere, in the site’s Community Standards page (and I’m not sure how Facebook has resolved the attitudes and preferences of a “community” of 600 million users into a single shared set of standards), it notes that “We have a strict “no nudity or pornography” policy. Any content that is inappropriately sexual will be removed”. Again, the photo includes neither nudity nor pornography. How it violates the community standards remains baffling.

Second, let’s assume for a moment that the Statement does include mention of “sexually suggestive” content as mentioned in the warning to the user. Does the photo in question fit that description? Two fully-clothed adult men kissing in public? (FWIW, the two men are actors, as the photos is a promotional image from a popular British soap opera.) While the image does convey emotions and affection, and perhaps might elicit arousal for some, the image is really no different from the thousands (millions?) of similar images of male-female kisses that exist on Facebook. Why this is considered “sexually suggestive” to such an extent that it mandates removal is beyond me.

Third, it appears that this removal was done by a (at least one) human being, and not by some automated process or algorithm. The original contributor provides a screencap of a description in Facebook’s help page answering the question “Does Facebook remove everything that gets reported?”. The answer provided indicates that “No. A Facebook administrator looks into each report thoroughly in order to decide the appropriate course of action…” Based on this, it appears that a human took a look at that photo, and decided it was indeed sexually suggestive or pornographic, and then removed it. I think I’d almost rather it had been an algorithm, as it is quite troubling that a Facebook admin, wielding such power, would arrive at this conclusion.

Now, interestingly, the screenshot provided of this help page notes the URL string as “/help/?faq=17292″. If you visit this page now, the description has changed. Now there is no mention of a Facebook administrator, and the answer merely states “No, we remove content reported that violates our Statement of Rights and Responsibilities“. Did Facebook just change this language in reaction to this event? I’ll try to find out.

Fourth, if we assume that a human is indeed deciding what is “sexually suggestive” and removing photos based on his/her judgement, who is this person (or team of people), and what standards are being used? I’ve already done pretty simple searches on Facebook and found plenty of images much more sexually suggestive than this one (including nudity) — and these all remain. What does “sexually suggestive” even mean? Just suggesting the existence of human sexuality in general? Does a hug with a contemporary sex symbol count? Seriously, though, while the desire to restrict nudity and pornography is reasonable, a standard of “sexually suggestive” is almost impossible to define, and apply evenly across 600 million users, each with their own sexual predilections.

Now, there are reports that Facebook has apologized and restored the image. A statement from Facebook is provided in the Advocate: “The photo in question does not violate our Statement of Rights and Responsibilities and was removed in error…We apologize for the inconvenience.” That’s it. No blog posts, press releases, or broader explanation by Facebook on how such an “error” happened, what kind of content review processes are in place, or any promise to take better care. This lack of proper communication and contrition is very disappointing, but not really surprising.

What makes this entire situation even more troubling, however, is the news that Facebook is reportedly in discussions with the Chinese government in an attempt to bring the social network to the China. And, like Google, Facebook will have to play by China’s rules to get this done. This means Facebook will need to implement a much more robust and aggressive content filtering and censorship policy to abide by China’s wishes to limit it’s citizens’ access to information (and I’m sure the Chinese government would love to have access to Facebook’s logs of user profile and usage data, especially related to dissidents, etc). Such a move would hardly be honoring Facebook’s mission to “[Give] people the power to share and make the world more open and connected”. In fact, Facebook has already noted that it is “allowing too much…free speech in countries that haven’t experienced it before”. For a company dedicated to the open flow of information, expressing concern about too much free speech is counter-intuitive and problematic.

Google has struggled with its decision to engage in censorship within China, and ultimately left (although not really in a stand against censorship). Frankly, I’m not left with heaps of confidence that Facebook will be taking the proper path when it comes to global expansion into markets where censorship is the norm. If the way they treated a simple gay kiss is any indication, this could get messy.

UPDATE: I’ve reached out to a few contacts at Facebook with the message below, specifically seeking comment on whether the FAQ page has changed in lieu of these events. I’m awaiting a reply.

Dear Facebook:

While investigating [1] the recent controversy surrounding the apparent removal of a photo of two gay men kissing, I uncovered a possible change to the content within a relevant FAQ/help page, and wanted to seek confirmation and comment.

Note in this original blog post (4-16-2011) about the controversy [2], the user posts a screenshot [3] of a help page describing how reported content gets reviewed. The answer provided indicates that “No. A Facebook administrator looks into each report thoroughly in order to decide the appropriate course of action…”, and in includes the URL string of the help page: “/help/?faq=17292″

However, if I visit that page today (4-21-2011), the text is different [4]: “No, we remove content reported that violates our Statement of Rights and Responsibilities. If a violation has occurred, then you may receive a warning or become disabled, depending on the severity of the violation.”   There is no longer any mention of a Facebook administrator looking thoroughly at each page.

This prompts a few questions:

(a) Can you confirm that there has been a change to the text in this page in recent weeks.
(b) If so, can you describe the internal discussion and process that led to this change.
(c) And finally, have any other pages, or internal processes, been changed in recent weeks due to these events.

Thank you,
Michael Zimmer

[1] http://michaelzimmer.org/2011/04/21/facebooks-censorship-problem/
[2] http://www.dangerousminds.net/comments/hey_facebook_whats_so_wrong_about_a_pic_of_two_men_kissing/
[3] http://www.dangerousminds.net/images/uploads/facebookscreenshot.jpg
[4] https://www.facebook.com/help/?faq=17292

–
Michael Zimmer, PhD
Assistant Professor, School of Information Studies
Co-Director, Center for Information Policy Research
University of Wisconsin-Milwaukee
e: zimmerm@uwm.edu
w: www.michaelzimmer.org

TrackMeNot represents a form of technological resistance in the fight against the increasing loss of control individuals posses over their online personal information flows, and I was excited to play a very small role in its development while at NYU. Now, five years later, NYU has a thriving Privacy Research Group, filled with “students, professors, and industry professionals who are passionate about exploring, protecting, and understanding privacy in the digital age.”

Recently, two members of the NYU Privacy Research Group, Jaime Madell and Ian Spiro, have launched another privacy-enhancing technology, this time targeted at empowering Facebook users. Their creation is PostPref, a Facebook application that helps users protect the privacy of their photos.

PostPref is an attempt to remedy the lack of context on online social networks, the architectures of which tend to weaken norms of information flow by forcing the “binary” (private vs. non-private) categorization of shared information. Simply put, PostPref is a photo watermarking tool that allows users to quickly and intuitively label their photos so that others know whether they should feel free to redistribute the photos.

The concept is pretty simple: Once you authorize the PostPref app on Facebook, you have the ability to add a red, yellow, or green light, and accompanying message, to each of your photos: A “green” mark means “feel free to re-post freely.” A “yellow” mark means “please ask me first before sharing.” And a “red” mark means “do not share this photo at all!” Below is an image of myself tagged with a yellow watermark, indicating that my permission should be requested before reposting the photo.

Of course, there’s no technical restriction on what others actually can do with these photos. Anyone who has access to your photos on Facebook could download a “red light” photo and use it as they wish. (They might want to crop out the watermark to avoid making their breach of your privacy wishes obvious).

But PostPref is a good step towards putting power back into the hands of users. Facebook consistently misunderstands the nature of privacy online, and tools like PostPref help reorient services like Facebook to better respect the complex nature of privacy online.

The research paper indicates that the Facebook data was provided to the researchers “in anonymized form by Adam D’Angelo of Facebook.” (D’Angelo was then Facebook’s CTO, and left Facebook in 2008.) Curious as to what precisely was included in the data release, and what steps towards anonymization were taken, I downloaded the data (200 MB zip file) on the morning of February 11.

The data files are separated by institution, and in total include, by my estimation, about 1.2 million user accounts. The content of each institution’s file is described as containing the following:

Each of the school .mat files has an A matrix (sparse) and a “local_info” variable, one row per node: ID, a student/faculty status flag, gender, major, second major/minor (if applicable), dorm/house, year, and high school.

Thus, the datasets include limited demographic information that was posted by users on their individual Facebook pages. The identity of users’ dorm and high schools were obscured by numerical identifiers, but to my surprise, the dataset included each user’s unique Facebook ID number. As a result, while user names and extended profile information were kept out of the data release, a simple query against Facebook’s databases would yield considerable identifiable information for each record. In short, the suggestion that the data has been “anonymized” is seriously flawed.

The consequences of this ease of re-identifying the dataset are numerous.

First, while only limited profile information is within the dataset, there is no indication that any consideration was given to users’ particular privacy settings. Based on the article, all user accounts from each of the 100 networks were provided to the researchers, and as long as the user provided the data to Facebook, it was turned over to the researchers. [Clarification: when I say "all user accounts" we provided, I do not mean full profile information was given to the researchers, just the particular data fields as described above]

Yet, in 2005, users had the ability to restrict access and visibility of their Facebook profile, their demographic data, and their lists of friends (much of this control was taken away in 2009). So, a user might have restricted access to certain information to only people within her network or just her friends, and Facebook’s own privacy policy at the time promised that: “No personal information that you submit to Facebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.” This data release, and the ease by which users could be identified and linked to their data, potentially negates actions taken by users to control access to the data within the files, and seemingly contradicts Facebook’s own privacy policy.

Second, even though the specific data exposure within the dataset is limited, the fact that users can be identified and linked to their in-network social map fosters additional threats to privacy. Previous research (here and here, for example) has shown how “anonymous” datasets can be largely re-identified when there is access to other large sets of data where the subjects are already known. The “Facebook 100″ data, with the Facebook IDs intact to guide identification of users, might be useful in similar efforts.

To recap, the suggestion that the “Facebook 100″ data has been “anonymized” is seriously flawed, and its release might be putting the information of 1.2 million Facebook users at risk.

Interestingly, a few hours after the initial release of the “Facebook 100″ dataset, the researchers Mason Porter announced they were pulling the data due to an unspecified “bug”. Later that evening, the data was again made available with a message indicating that the data files were now fixed.

Again, I was curious, so I downloaded and examined the new dataset. The only change I could see was that now the Facebook ID was removed entirely from the data files, and the order of the records in each file was randomized.

Thus, the “bug” must’ve been that the data was easily re-identifiable, and the “fix” was to take additional steps to anonymize the records. Somone joked on the announcement email list that the “bug” must have something to do with Facebook attorneys, but the Porter’s message re-releasing the data jokes that no lawyers were involved, and that they “really were fixing the data files!”

To me, however, the language used in these explanations was disingenuous. The data, as far as I could tell, had no bugs that prevented its usefulness for social network analysis. No, the problem with the data was that it contained each user’s unique Facebook ID, thus allowing easy identification. The researchers Porter should have been open and honest about why the data was pulled and what they did to correct the situation.

That said, there are still a number of open questions regarding this particular dataset:

To Facebook:

• What kind of internal processes, if any, did D’Angelo follow when releasing the data to these researchers? Was he authorized to do so?
• Was this kind of large data release routine? How many other similar releases have taken place?
• Does Facebook consider releasing this information, with Facebook IDs, in compliance with the privacy policy in effect in 2005? If so, how?

To the research team:

• Was the data received by Facebook already obscured with numerical identifiers replacing student majors, minors, and high schools, or did you add those?
  • UPDATE: I have received word from one of the researchers, Mason Porter, that the data sent to them by Facebook was indeed already obscured with numerical identifiers in the place of actual student major, minor, and high school information.
• Did your IRB review the data used for the research, and approve the subsequent data release?
• Was there any “bug” in the data, or was the attempt to gain greater anonymization of the data the sole reason to pull it from public access?

Obtaining answers to these questions can help us better understand the uniqueness of this situation, and to put better processes and protections in place to prevent similar data releases that falsely believe data is sufficiently anonymized and respecting of users’ privacy expectations.

I hope Facebook and the researchers are willing to engage in a discussion, and I’ll report back on any communication, as allowed.

UPDATE (Feb 15, 6:00pm): I have been in contact with one of the researchers, Mason Porter, who confirmed that the data sent to them by Facebook was indeed already obscured with numerical identifiers in the place of actual student major, minor, and high school information. I’ve inserted this reply into the question above. I have also made a few minor changes to the main text, clarifying that the email messages reporting the “bug” in the data came from Mason alone, and should not be attributed to the entire research team.

UPDATE 2 (Feb 15, 6:10pm): The link to the full, revised dataset (http://people.maths.ox.ac.uk/~porterm/data/facebook100.zip) is no longer active.

UDPATE 3 (Feb 16, 9am): Added a clarification that when I say “all user accounts” were provided to the researchers, I do not mean full profile information was given, just the particular data fields as described above.

UDPATE 4 (Feb 16, 11am): Mason Porter, one of the authors, has posted an explanatory note on his blog indicating that he’s been in contact with the Facebook Data Team, and per their request, “I have taken down the data, and I will be working with them to eventually post a version of the data set with which both they and I are happy.”

This year, I participated in three main events: a pre-conference workshop on “Ethics and Internet Research Commons:  Building a sustainable future”, a session on “Networking and Social Sites” where I presented a paper on “The Laws of Social Networking, or, How Facebook Feigns Privacy”, and a panel discussion titled “On the Philosophy of Facebook“. Details below…

:::

Ethics and Internet Research Commons:  Building a sustainable future

This pre-conference was organized primarily by Elizabeth Buchanan, and featured brief talks by Charles Ess, Alex Halavais, Annette Markham, Malin Svenningson, and myself. We presented case studies that revealed key ethical challenges and identified important components of ethical decision making for Internet researchers, including:

• How does cultural specificity define research ethics and regulation?
• What constitutes a public text online and in what ways can and should they be used in research?
• Why do we consider firewalls and passwords to be the “gold standard” for determining if something was meant to be kept public or private?
• How do researchers work towards the imperative of sharing data while adhering to human subjects regulations?
• What ethical guidelines should be applied to trace data?
• How do researchers handle “closeness” in ethnography in ethical ways?
• What oscillations take place when a researcher is first known as a member of a group and then as a researcher?
• How is “empirical imperialism” affecting research ethics?
• What are the virtues of deception?

An excellent summary of the entire day is over at the Internet Research Ethics project website, which includes links to my slides.

:::

The Laws of Social Networking, or, How Facebook Feigns Privacy

I participated on an excellent session titled “Networking and Social Sites”, which also featured Robert Bodle and Christian Thorsten Callisen.

Bodle’s presentation, “Opening the social media ecosystem: the tenuous nature of interoperability, crossposting, and sharing among dominant social media sites, services and devices”, explored the values, characteristics, and conditions of interoperability between Facebook and its third party developer ecosystem. He found that while Facebook’s APIs provide new ways to share and participate, they also provide Facebook a new means to achieve market dominance, as well as undermine privacy, data security, contextual integrity, user autonomy and freedom.

Callisen’s talk, “The Old Face of ‘New’ Social Networks: The Republic of Letters”, was a historical contextualization of the so-called digital revolution within the longer history of “the virtual”. He showed how the Republic of Letters was essentially a networked virtual community for the reciprocal sharing of information, complete with its own techniques for simulating co-presence, protocols for information transfer and interaction, and varying levels of transparency and encryption.

My presentation, “The Laws of Social Networking, or, How Facebook Feigns Privacy”, was an expanded thought piece inspired by this blog post, where I suggest three natural laws that thwart attempts to provide users of social networking sites sufficient means to control their information flows:

• The first law is somewhat obvious: Social networking sites are incentivized to promote the open and unfettered flow of mountains of personal information.
• The second law, perhaps more of a corollary, follows naturally from this: Providing users robust and easy-to-use tools to control their personal information flows is counter to this profit maximization motive.
• Thus, the third law: Provide users privacy controls only when you must, and position them as both a great a sacrifice, as well as something users probably shouldn’t bother with; make privacy hard.

To support this argument, I discuss various public comments by Facebook’s management team, and show how the laws become encoded within the design of Facebook’s architecture and recent privacy “upgrades”. I concluded that the existence of the laws of social networking create — and perpetuate — a great power imbalance where users lack robust privacy controls, leaving them with limited ability to manage their personal information flows.

The rough text of my remarks can be downloaded here, and my slides are available here.

As an aside: I found it amusing that the most tweeted comment from my talk was a completely off-the-cuff remark criticizing Facebook’s claim that users have control over their information simply due to the existence of privacy controls. I noted that all the controls to fly  a 747 are in the cockpit too, but that doesn’t mean anyone can fly a 747.

:::

On the Philosophy of Facebook

Recognizing that Facebook’s Mark Zuckerberg has built his social networking empire on the belief that “information wants to be shared“, a particular philosophy of information that directly impacts the values built into the design of Facebook, ranging from its user interface, privacy policies, terms of service, and method of governance, I organized a panel to explore the philosophy of Facebook and its broader implications for norms of privacy, identity, governance, sociability, and online life generally.

I was lucky to welcome the following speakers to IR.11 to discuss this important topic:

• Kate Raynes-Goldie, Curtin University of Technology, Australia
• Anthony Hoffmann, UW-Milwaukee, USA
• Korinna Patelis, Cyprus University of Technology, Cyprus
• Trebor Scholz, New School University, USA
• Dylan Wittkower, Coastal Carolina University, USA

Unfortunately, we only had 1 hour (!!) for the panel discussion, but it was a very good 60 minutes; one of the few times I’ve heard Marx, Hegel, Kant, Rawls, Deleuze and Guattari, etc discussed at length at AoIR. We concluded that perhaps an entire pre-conference on the topic is in order for IR.12 (in Seattle in 2011).

Now, four days later, my wife had a chance to react to the notification she received from Facebook regarding my tagging her, and I thought I’d share a few more reactions to her attempt to opt-out of Places altogether.

First, it is important to note that until my wife took any action, my ability to check her into places in this fashion remained. She’s a busy person, and generally only checks her personal email account a couple of times a week. Today was the first chance she had to log in and view the message Facebook sent regarding my attempt to check her into the liquor store.

Notice how the email prompts you with an enticing green “Allow Check-ins” button, and only a smaller textual link to learn more about what this is all about. Remembering that I’ve been talking about Places around the house the past few days, my wife figured she didn’t want anything to do with it, so she just ignored the email altogether. I suspect many others would do the same, and as a result, there was zero opportunity here to adjust the privacy settings to prevent any future interaction with Places or fully opt-out of the feature.

Next, my wife decided to log into her Facebook account itself. She’s not all that active on Facebook, with her last meaningful update being a note in May about, coincidentally, my appearance on NPR’s Science Friday about Facebook and privacy. Thankfully, and to Facebook’s credit, upon logging in she was immediately met with a prompt to act upon my attempt to check her in to the liquor store.

Here, the two primary options are “Allow Check-Ins” and “Not Now”. There’s again a secondary text link to “Learn more”.  My wife, again, didn’t want anything to do with Places, and said out loud “how do I just turn it off”. Obviously, there’s no simple way of doing that from this prompt, as clicking “Not Now” just makes the prompt disappear, but nothing else happens. There’s no suggestion to go check out your privacy settings. Hopefully users will click “Learn more” to discover what Places is and their privacy options; but in the case of my wife (a very well-educated and web-savvy user), she just clicked “Not Now” and was left with nothing.

Thankfully, I suggested she go to her privacy settings to properly opt-out of the Places feature. But once there, she was met with what appeared to be the same array of privacy options that was launched earlier this year.

Looking more closely one notices, embedded in the light gray list of privacy options, a “Places I check into” category, withe a little question mark. Hover over that icon, and you learn what this item is about.

Following the prompt, my wife clicked on “Customize settings”, which brought her to another familiar page of privacy settings, again with no obvious indication of what new settings were added for the Places feature. After hunting, she finally noticed the “Places I check in to” and “Include me in “People Here Now” after I check in” options, which she modified.

And then she figured she was done.

Until I pointed out there were more privacy settings that required adjustment to fully opt-out of Places. Further down this page is perhaps the most important privacy setting: “Friends can check me in to Places”. She disabled this, wondering why it was practically hidden on the page, requiring one to scroll and really look for it.

Finally, I showed her how she had to go back to the main privacy settings page, then click on “Edit your settings” under Applications and Websites, and then click on “Edit settings” under Info Accessible Through Your Friends. Here, she made sure that “Places I check into” was not selected.

It took all these steps to properly opt out of Places. Not only was it confusing, but there was no guidance on how to navigate the myriad of settings required to opt-out. (I recognize there is a video and some information in the “learn more” links, but she didn’t want to learn more, just to opt-out.) Facebook provides no message when she first went into her privacy settings that there were new options that she should take a look at.

Overall, the process of completely opting-out of Places remains unintuitive and cumbersome. That’s poor privacy design, and Facebook should know better by now.

Note, too, that disabling check-ins by others does not affect previous check-ins. My wife’s name still appears in my original check-in to the local liquor store, as well as on the “friend’s activity” on the liquor store’s page, and, presumably, in Facebook’s database of who has been checked into that location. She must manually “remove tag” from each and every Places check-in that has occurred prior to her disabling the service….and no where was she proactively told she should do that. Over the days between launch and her eventual logging into Facebook to try to disable the service, I could have been checking my wife into dozens of places, each which would need to be located within her feed and removed manually.

Again, I think Facebook has done a better job designing Places compared to many of their recent product launches. But there is much to be desired for how they designed the privacy settings & user interface, and, in the end, it remains that users can be checked into places without their permission.

[Readers might be interested in my follow-up post: Facebook Places Privacy Falls Short, Part 2: Opting-Out]

Facebook has finally launched its location-based service: Places. Places allows Facebook users to “check in” wherever they are (or pretend to be) using a mobile device, and let’s their friends know where they are at the moment.

Facebook has tried to do a better job addressing privacy with Places compared to previous launches of new “features”. Particularly, Facebook brags that “no location information is associated with a person unless he or she explicitly chooses to become part of location sharing. No one can be checked in to a location without their explicit permission.”

And while many applaud Facebook for the design of Places (the best design decision, perhaps, was to make check-ins visible to friends only by default, rather than everyone), there are some serious ways in which Facebook has fallen short in fully protecting user’s locational privacy.

The folks at EPIC, EFF, and DotRights have each done a good job outlining the primary concerns, and I don’t want to repeat them all here.

But as I’ve played around with the service, I’ve uncovered a problem with Facebook’s assertion that “no one can be checked in to a location without their explicit permission.”

While Places is largely an opt-in service — one needs to install and use it on a mobile device — anyone can be “checked-in” to any place by a friend. This can happen regardless of whether you use the service yourself. If you get checked into a place by someone, and you haven’t already authorized the service or these kinds of check-ins, you’ll receive an email asking if you want to allow check-ins by friends. Below is an email received by my wife when I tagged her as joining me at a local liquor store.

Given Facebook’s assertion that “No one can be checked in to a location without their explicit permission,” presumably my wife won’t be checked into this location until she clicks “Allow Check-ins” on this alert message.

She didn’t click, and hasn’t made any other changes to any of her Facebook settings. Yet, if any of my friends look at my Facebook feed, they’ll see the status update of my check-in at the liquor store, with my wife’s name there with me:

And her name also appears with my check-in on the location’s page automatically generated by the Places service:

So, where does this leave us?  My wife has not authorized me (or anyone) to check her into places. She doesn’t use the service. In fact, she wasn’t even at the liquor store at all.

Yet, I was able to tag her in my check-in, and all my friends now see her name linked with my check-in as if she was there. Granted, the check-in does not show up in her news feed, but it is there in mine, and I suspect if I had my privacy settings set to “Everyone”, then everyone would see my wife’s name as being checked into the liquor store.

UPDATE: I’ve tested having my settings on Everyone, and then looking at my feed from a dummy account I have (yeah, violating the TOS, I know). Here’s the screenshot confirming my wife’s name is visible alongside mine to the entire universe:

Recall Facebook’s claim that “no location information is associated with a person unless he or she explicitly chooses to become part of location sharing. No one can be checked in to a location without their explicit permission.” My wife did not explicitly choose to become part of location sharing. She did not give any explicit permission to be associated with this location. Yet, there her name is, and anyone viewing my feed can now associate her with being at this location. It is unknown whether this association between her name/account and this location is logged within Facebooks databanks, and thereby available to be shared with marketers, handed over to law enforcement, etc.

This is a serious problem. Names and linked user accounts should not be associated — in any way — with a particular location unless they explicitly consent to it. Facebook needs to listen to its own rhetoric and make the necessary changes to protect user’s locational privacy. I should not be allowed to tag someone in a check-in unless they’ve taken the positive step of authorizing check-ins from friends. Locational privacy needs to be fully opt-in, not opt-out.

[I haven't yet checked to see if my wife's name will disappear from this existing check-in if she takes the affirmative step to disallow friends from checking her into place. I'll post an update once that happens] See this post where I detail the steps it took for my wife to opt-out, and that her attachment to this particular check-in remained.

UPDATE: TechCrunch just posted a similar discovery, and they don’t seem all that worried about it, noting that “Facebook treats this as if you were tagged in a basic status update.” But there’s a meaningful difference between simply being tagged in a status update, and having your location unknowingly disclosed in a status update. And this is the critical issue that Facebook again has misunderstood: tagging someone’s geographic location is not something to be treated like every other Facebook activity.

UPDATE: There’s been assorted media coverage of my discovery and our subsequent discussion: MSNBC.com, MediaPost, SC Magazine, CBC News.

[Readers might be interested in my follow-up post: Facebook Places Privacy Falls Short, Part 2: Opting-Out]