the war on facebook: privacy on social networks

Int. J. Liability and Scientific Enquiry, Vol. 4, No. 4, 2011 281

Copyright © 2011 Inderscience Enterprises Ltd.

The war on Facebook: privacy on social networks

Jan André Blackburn-Cabrera Fauteux Hall, 57 Louis Pasteur St., Ottawa, Ontario K1N 6N5, Canada E-mail: [email protected]

Abstract: In the past seven years, Facebook has been constantly reviewing its privacy policy, with regards to the information it shares about its users and the information users share online. Like in any social network, Facebook users are at great risk when using the platform. This paper will analyse Facebook’s ‘Privacy’ settings and the implications to its users. It will depict problems with the platform, specifically privacy options that were eliminated. The paper will also analyse the legal implications of deficient privacy policies in the social network business model (which thrives on ‘connections’). It will also provide recommendations for CEO Mark Zuckerberg regarding changes to the privacy settings and the visibility of these settings on his site. There have been various attempts to regulate internet privacy through complaints against Facebook, both in Canada and the USA. The current regulatory framework for the social network is inadequate and the recommendations put forth in this paper are needed to address an important lacuna in this regulatory area of privacy online.

Keywords: Facebook; social networks; privacy; privacy settings; privacy policy; Mark Zuckerberg.

Reference to this paper should be made as follows: Blackburn-Cabrera, J.A. (2011) ‘The war on Facebook: privacy on social networks’, Int. J. Liability and Scientific Enquiry, Vol. 4, No. 4, pp.281–304.

Biographical notes: Jan André Blackburn-Cabrera is an L.L.M. Candidate at the University of Ottawa’s Law and Technology Center. He has written extensively on domestic and international issues associated with social media and wireless technologies. Previously, he acted as Student Legal Counsel for the Legal Aid Clinic at University of Puerto Rico, where he provided representation for indigent clients. Currently, he volunteers at the Canadian Internet Policy and Public Interest Clinic which specialises in copyright and cyber law.

“The price of freedom is eternal vigilance.”

– Thomas Jefferson

“We do not guarantee that facebook will be safe or secure.”1

Facebook’s Statement of Rights and Responsibilities

282 J.A. Blackburn-Cabrera

1 Introduction

Facebook.com,2 the social networking website that “helps you connect and share with the people in your life” was founded in January of 2004. Since then, it is estimated to have grown to over 600 million active users and shows no signs of slowing down.3 If it were a country, it would be the third most populated; 1 in 13 people on Earth use it.

As the most popular social network in the world, Facebook has reviewed its ‘Privacy’ Policy and its ‘Privacy’ Settings many times over the past seven years. Today, users are at great risk when using the platform because certain private information Facebook shares about its users and the private information users themselves share on Facebook is more exposed. Like any other social network, Facebook needs to take responsibility for their users’ privacy and a more pro-active role in favour of internet privacy, just like users need to take more responsibility for privacy online and offline.

There have been various attempts to regulate internet privacy through complaints against Facebook in Canada, the USA and elsewhere. Not all the attempts to address the privacy issue so far have been successful. Legislation is not the answer and is usually not the most adequate solution for technology due to the exponential growth of the field. Regulatory tools could provide solutions, but there is no substitute to public pressure. This shows a normative and code architecture-based approach, driven by the advertising market, not the social or privacy market. The current regulatory framework for the social network is inadequate and the recommendations put forth in this paper are needed to address an important lacuna in this regulatory area of privacy online.

This paper will examine Facebook’s ‘Privacy’ Settings and the implications to its users. It will also depict problems with the platform, specifically privacy options that were eliminated. The paper also analyses the legal implications of deficient online privacy policies in the social network business model (because it thrives on ‘connections’) and provides recommendations for Mark Zuckerberg regarding changes to the settings and their visibility on his site.

2 The Rise of Facebook

Social networking and internet privacy are not mutually exclusive concepts. Wikipedia defines internet privacy as the desire or mandate of personal privacy concerning transactions or transmission of data via the internet by users. It “involves the exercise of control over the type and amount of information a person reveals on the internet and who may access such information. The term is often understood to mean universal internet privacy, i.e., every user of the internet possessing internet privacy.”4

“A ‘social network service’ (SNS) is an online service, platform, or site that focuses on building and reflecting of social networks or social relations among people, e.g., who share interests and/or activities. An SNS essentially consists of a representation of each user (often a profile), his/her social links, and a variety of additional services to interact over the internet, such as e-mail and instant messaging. To protect user privacy, social networks usually have controls that allow users to choose who can view their profile, contact them, add them to their list of contacts, and so on.”5

According to an FAQ on Social Networking6 on the Canadian Internet Policy and Public Interest Clinic (CIPPIC) website,

The war on Facebook 283

“[S] ocial networking sites’ marketing schemes can give users a false sense of security. Facebook describes itself as “a social utility that connects you with the people around you.” […] However, privacy settings are necessarily limited and profile information is often shared with invisible audiences.”

Some users, however, buy into their social networking site’s promises of privacy and security and share excessive amounts of personal information without appreciating the risks involved. Further, research has demonstrated that Facebook users will share more information on Facebook because they trust the site.

Facebook is arguably7 the second most visited website in the world. It gets 100 billion hits per day. It has 50 billion photos, 2 trillion objects cached, with hundreds of millions of requests per second and 130 TB (terabytes) of logs every day. There are also over 70 translations of the website, and over 70% of users are outside the USA. Canadians are high users of Facebook.com, with over 17,381,700 registered users; Canada ranks tenth on the list of countries with most users on the website.8

Users spend over 700 billion minutes per month on Facebook. The average user has 130 friends and spends 55 minutes a day on the website. Everyday, 50% of active Facebook users log in. That is over a quarter million people. Also, more than 35 million users update their status everyday; Facebook has more than 60 million status updates posted everyday. There are more than 30 billion pieces of content (including web links, news stories, blog posts, notes, photo albums, etc.) shared each month. These numbers are huge considering the website was launched from a dorm room.

Facebook statistics on Applications are even more surprising. According to Facebook, people on the site install 20 million applications everyday, and every month more than 250 million people engage with Facebook on external websites. Since social plug-ins launched in April 2010, an average of 10,000 new websites integrate with Facebook everyday, and more than 2.5 million websites have integrated with Facebook, including over 80 of comScore’s US Top 100 websites and over half of comScore’s Global Top 100 websites.9

With more people joining the social network every single second, it is imperative to question the privacy settings put into effect by Facebook. Public pressure to arrange solutions to the various privacy problems the platform continues to have due is imperative as there are many implications to users being willing to share more and be more connected ‘without meaningful consent’. Many users do not know the truth behind Facebook, the amount of data being collected, how it is collected or where it ends up. Most users are also unaware that Facebook is over-sharing through the News Feed, and violating privacy by even showing users content from non-friends. Users are being told the site is safe, yet the site is not as trustworthy as users think.

3 Facebook’s policy: online ‘privacy’

Since January 2004, the social network has constantly been reviewing its privacy policy regarding the information and content users share online through their platform. The Electronic Frontier Foundation has kept up with Facebook’s privacy policy throughout the years and posted that


“[w]hen it started, it was a private space for communication with a group of your choice. Soon, it transformed into a platform where much of your information is public by default. Today, it has become a platform where you have no choice but to make certain information public, and this public information may be shared by Facebook with its partner websites and used to target advertisement.”10

3.1 “I’m CEO, bitch.”

Facebook has not faced enough public or regulatory pressure to change their modus operandi. In an op-ed for The Washington Post, Mark Zuckerberg faced the public after a privacy settings blunder on the website in 2009. His article shows his lack of sensibility to the privacy of his users and ignorance of good business practices. He wrote:

“People want to share and stay connected with their friends and the people around them. If [Facebook] give[s] people control over what they share, they will want to share more. If people share more, the world will become more open and connected. And a world that’s more open and connected is a better world.”11

Zuckerberg’s op-ed makes a ‘bold’ statement by saying a world that is more open and connected is a better world; his logic is flawed. An online world with notice, choice, access, security, and meaningful consent is a better world.

After getting media heat for changing users privacy settings, he said something that is even worse than admitting fault. In an interview with TechCrunch, Zuckerberg said

“[p]eople have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that's evolved over time.”

Zuckerberg also told the online publication, “[w]e view it as our role in the system to constantly be innovating and be updating what our system is to reflect what the current social norms are.”12

To help illustrate Facebook’s shift away from privacy, the Electronic Frontier Foundation published a blog post where they highlighted some excerpts from Facebook’s privacy policies over the years in a timeline.13 As they so accurately write,

“[w]atch closely as your privacy disappears, one small change at a time!”

Facebook wants to encourage and promote as many connections as possible amongst its users, the obvious goal of a social network.

The privacy settings should be clear as to what happens when you share, not only in your page but also on friends’ walls or on Pages. Facebook made big mistakes in 2009 and is still making mistakes. The ‘sharing more social norm’ works at cost to users who want privacy options; users should get to choose between private and public like it was done when Facebook started. Facebook is trying to hide their ‘connections’ and business practices instead of being transparent with their social network as they claim to be.

Privacy settings are ‘not’ confusing, but they are hidden, misleading and incomplete. Just like the site asks, “Are you sure?” when deleting messages and posts, it is just as unattractive to deactivate an account. A user of Facebook cannot deactivate without having provided a reason for doing so and seeing pictures of friends under a heading that reads, “Pedro will miss you.”


3.2 Everyone: What users do not know they share

In 2005, Facebook’s privacy policy stated “[n]o personal information that you submit to Thefacebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.”

The online community harshly criticised the change of the privacy policy in 2009 because Facebook used default settings for certain user information. According to EFF, in 2009, Facebook’s policy stated that the default privacy setting for certain types of information you post on Facebook is set to everyone.

Information set to ‘Everyone’ is publicly available information, ‘may be accessed by everyone on the internet (including people not logged into Facebook)’, is subject to indexing by third party search engines, may be associated with you outside of Facebook (such as when you visit other sites on the internet), and may be imported and exported by us and others without privacy limitations. The ‘default privacy setting’ for certain types of information you post on Facebook is set to ‘Everyone’.

A user’s publicly available information includes name, profile picture, gender, and networks and is available to everyone on the internet through a ‘Profile link’. This is a significant change as far as privacy; in the past a user could be invisible to everyone.

In 2009, Facebook went public with all their user’s private information. The website changed its privacy settings and made it a default setting to share almost everything on a user’s profile with everyone. These default settings can easily be changed to defaulting Friends Only or allowing a user to hide his profile as could be done before. Yet a few pieces of your profile, announced Facebook, will always be public. The EFF also posted A Handy Facebook-to-English Translator, on their website explaining how Facebook defines ‘public information’ on a user’s profile.14

In an e-mail to friend Robert Scoble and as published in a blog post titled When do you throw a CEO’s privacy under the bus?15 Mark Zuckerberg exchanges e-mails with the author regarding the privacy settings on the site:

“I want to make sure we get this stuff right this time. I know we’ve made a bunch of mistakes, but my hope at the end of this is that the service ends up in a better place and that people understand that our intentions are in the right place and we respond to the feedback from the people we serve.” – Mark

Here is some feedback Mark: This was a good step, but it is certainly not enough. As PC World’s Tom Bradley wrote on his article Open Letter to Facebook on Privacy,

“[t]he problem isn’t that my personal information is shared too freely across the Internet to total strangers that have no connection whatsoever with my social network. Well… it is, but the real problem is that you are the one sharing it.”16

4 What should Facebook do?

The following recommendations are based on research and observations of Facebook’s current privacy settings, the practical limitations of such privacy settings and the risk-related factors that make these concerns relevant to the active user-base. All default settings should be set to Friends Only, on each and every product, new and old, regardless of the product, service, type of information or business interest in providing a


product in their platform. Also, the fact that a user’s name, profile picture, gender, and networks are publicly available information through a link to the Profile is a significant change as far as privacy. In Facebook’s early days, a user could be invisible to everyone but friends on the site, by clicking on a simple box.

4.1 Profile link: fb://profile/your id

In 2004, Facebook seemed like a safe and secure place to share information because the Profile was visible only to the people in a closed university network; users outside a network had to ‘request your friendship’ and the other user confirmed. It was not until a user became another user’s friend that they could interact. Today, the existence of the profile link (www.facebook.com/username) and the fact it is available to ‘Everyone’ means that unless a user deactivates a Facebook account, his profile link will be seen everywhere that user comments, and only in relation to the privacy settings of where the user comments, not his own.

The profile link contains, as mentioned before, all the information about you that Facebook has made public about every user. Your link is now impossible to hide, and no privacy settings provide users to hide their profile from people that are not their friends. In the past, a user could eliminate a profile’s visibility and there was no ‘profile link’ online that could lead to a name/photo/information of that user, if private.

An importance difference between Facebook then and Facebook now is that the user always had the option to disappear from the network and be visible to Friends Only, (i.e., a user could choose to have the posts made to other friends’ wall be visible to only that friend). This is an option Facebook eliminated in 2009, to allow more ‘connections’ amongst users. This means that users are not allowed to hide their profile link anymore. In the past, users had the ‘choice’ to more ‘security’.

4.2 News Feed: the algorithm for non-friends

There are two main issues with the code language in both of the following two posts on the Help Page of the website. The first can be found in an FAQ.

Figure 1 Help page, FAQ #16267 (see online version for colours)

The FAQ reads, Why am I seeing stories about people I am not friends with in my News Feed? The answer to this question: “We might show you a post by another user if your friends have liked or interacted with it, and we believe you might find it interesting as well. We only show you posts if the user has indicated in their Privacy Settings that Everyone or Friends of Friends are allowed to view it.”


Facebook’s News Feed works with an algorithm where Facebook “might show you a post by another user even if they’re not your friends.” Why are users seeing stories about people outside a Friend list? Facebook’s privacy settings should be clear as to what happens when you share, not only in your page but also on other people’s walls or pages, whether through wall posts, comments, or likes. In other words, if a user posts on a friends’ wall or photo, and that friend has their privacy settings and information available to everyone), Facebook might show someone who is not a friend of that user the status or photo, because it is a friend with whom the user’s friend interacted. This is outrageous and this should be fixed immediately to exclude non-friends from the News Feed.

The second is a Help Page posting titled Controlling your privacy in News Feed:

Figure 2 Help page, news feed (see online version for colours)

There is little to no privacy in the News Feed and the image above proves this precise point. A Frequently Asked Question, How can I control what my friends see in their News Feeds? on Facebook’s Help Center states the following answer: Whether the things you share appear in your friends’ News Feeds hinges on two factors: “(1) The setting for each post that you share, and (2) Your friends’ News Feed preferences.”17 If a user’s friends’ privacy settings allow to share more content, third-party non-friends of user may see a comment, post or like on their Top News.

The first issue here is that content users share appear on another friend’s News Feed under Top News, and demonstrates users rely on their friend’s News Feed preferences and privacy settings (how friends decide to share information) to protect their own privacy. In simpler terms, whether a friend’s wall is public or private is something a user never knows; a user only knows another user’s privacy settings before becoming friends. If a user comments on the photo of a friend, and that friend share his content with everyone, the comment might appear in the Top News of friends of the user that commented, even if they are not friends with the user who shared the photo.

For example, if user A posts on user B’s status thinking only his friends will see it, he is wrong. As user A cannot be aware that user B has his default settings to share with everyone, any comments or likes to his wall posts, photos, etc., can be actually seen by everyone and algorithmically shown under Top News to non-friends of user A.

Since user A has no way to know what is Everyone territory in user B’s wall (unless user A unfriends user B to find out his privacy preferences), he might fall into the


algorithm discussed before. In this case, non-friend of user B (user C) may get a post by user A on his Top News in the News Feed if user A has liked or interacted with user B. In other words, user C is receiving News Feed updates where user A commented because user A interacted with B’s piece of content, even when there is ‘absolutely no connection between’ A and C.

Facebook estimates that 20% to 30% of users change their privacy settings. They ‘know’ most users are not really using their privacy options and sign up regardless.18 Users even give excuses about how they do not have time for privacy settings. This is why Facebook should implement a system, in a manner consistent with their policies, to alert a user (and visibly display), a friend’s privacy settings next to every wall. A simple system that can alert users when entering a comment or like on a particular wall or status update can be implemented by the website.

Every post shared and every wall should have this, at least to alert users of a profile that shares with everyone. Alerting the users with a colour-coded box, similar to a streetlight using green, yellow and red, is another alternative for users to know how friends have set up their privacy settings; call them Privacy Lights. A similar system is in place in the wall (an image of a lock) and users choose whom to share with. When posting in places like walls or status updates, users are vulnerable to the algorithms.

Whether directly on a friends’ wall or on the post/content itself, every user should know if a comment is being seen by everyone, or at least have the informed and meaningful choice not to post if they think their friends’ settings are too public. It is not costly, it does not have to be a big giant streetlight-looking, colour-coded box to warn you. A simple bubble or image on every post or besides every wall can guide users to better manage their comments, wall posts to friends and other types of connection activity.

4.3 Tagged photos: a nervous breakdown

Tagging photos and statuses is yet another Facebook feature that has resulted in long-time criticism because tagging depends on a user’s ability to tag friends, making any friend susceptible to a tag. Active users of Facebook are obviously not exempted from their actions offline, but non-users might be at risk when it comes to picture tagging.

A 25th February 2011 decision by the Kentucky Court of Appeals19 illustrates that tagged pictures are being used against non-users of Facebook in courts and admitted into evidence even when unauthorised by a non-user of Facebook. In a child custody case, appellant argued the decision was partially based on improperly admitted evidence. Her ex-husband ‘introduced pictures of her taken from the social network site Facebook’.

These pictures in general display Jessica enjoying parties and apparently consuming alcoholic beverages against the advice of her mental health treatment providers. Her ex-husband argued she had obviously not been truthful with her treatment providers when she indicated she had suspended or significantly diminished her consumption of alcohol.

On her part, appellant additionally argues that because Facebook allows anyone to post pictures and then tag or identify the people in the pictures [by name] she never gave permission for the photographs to be published in this manner.20 The Court found nothing within the law that requires her permission when someone takes a picture and posts it on a Facebook page […] nothing that requires her permission when she was tagged or identified as a person in those pictures.


Law Professor Omar Tene blogged about this case raising various issues regarding photo tagging and privacy on Facebook. First, “the decision comes at the other end of the spectrum from the recent talk by European policymakers about a ‘right to oblivion’.21 It is difficult to ask for oblivion when third parties post damning information about you and tag your name to it. Ask them to take it off and you’re encroaching on the most powerful human right of all – the freedom of speech.”

The second issue he raises is related to the FTC’s Do Not Track (DNT) proposal:

“(essentially a one-stop, universal opt-out from online behavioural ads), as well as the imminent entry into force of Article 5(3) of the European e-Privacy Directive, requiring opt-in consent for third-party tracking cookies, reinvigorated the debate of opt-in vs. opt-out in the online sphere.”22

Information on Facebook is also “increasingly used as evidence in court cases involving domestic relations, employment, and more. Personally, I find judicial, employment, insurance and credit decisions, which are based on online or SNS data, far more troubling than use of online data for ad targeting.”23

A third issue is location tracking, as photo tagging and, even more so, face recognition, pose an increasing threat to anonymity in public spaces. The fourth issue is the collection and use of personal data by third parties.

The universe of privacy regulation has so far revolved around a central axis of individual consent. Consent is somewhat of a wild card in privacy regulation. It often seems artificial construct based on legal fiction (does anyone meaningfully consent to Google’s Terms of Use?); yet you cannot really do without it since lack of consent is inherent in privacy infringements.

An important point he makes is that “with increasing collection and use of personal data by third parties, consent is losing its force as even a fig leaf for data use practices.” We must utilise some other theory that replaces consent – he suggests legitimate business interest, or free flow of information. “If not, regulators should come down hard on the market for collection and use of third party data, particularly data brokers.”

In its early years, every user had the ability to choose which tags they accepted in their Tagged Photos section on Facebook. Not having this ability has pushed more and more users to restrict visibility of their tagged pictures, a practice well against Facebook’s best interests. The inability for users to control which photos are tagged and confirm those tags is a reason enough for users to eliminate the feature from the profile. It makes users anxious to be forced to always check their profiles to see if they were tagged. This is a good thing for Facebook and its business model, which is why Tag Confirmation has not been around for a while.

Users are now more aware than ever of the content to which they are tagged so the inability to confirm tags is pushing users to restrict friends from seeing tagged pictures. The alternative is the ‘Only Me’ option, not what Facebook should be indirectly promoting. Facebook should re-allow users to confirm tagged pictures, and should separate the privacy settings for tagged photos and tagged statuses in their visibility options. A user may want to be able to be tagged in pictures but not in status updates, or vice-versa. This should also apply to comment tagging, a new feature in Facebook.


5 Public defaults

5.1 Everyone, friends of friends, networks and friends

Sharing with everyone on Facebook means sharing with everyone on the internet. The most secure privacy setting for sharing on Facebook is Friends Only and yet it is fourth on the list, behind three other settings that promote a profile’s publicity to everyone, friends of friends or networks, all with an unknown number of users.

Facebook promotes users to set their settings public.24 “Your name, profile picture, gender and networks are visible to everyone. We also recommend setting the other basic settings below open to everyone so friends can find and connect with you.” Facebook’s Help Pages even directs you to a tour where Facebook itself ‘promotes’ you to share with everyone.25 Sure, it is their job. Yet, users want the option of a more private experience and consent to changes in the settings. Users are aware of the implications of sharing with everyone. Being safe online is just as important as offline.

5.1.1 Facebook always has a Suggestion

When teaching their users about privacy the site promotes to be less private by using defaults settings that share a user’s wall, statuses, photos, posts with everyone and offering users to share more. Facebook is a profile of your entire life, depending on what you share, so people form your past and current networks or employments can find you as well as your family and relationships; the goal being to connect you with more people.

In the Privacy Settings, under Connecting on Facebook, the site recommends users to set their information to Everyone. For example, under Send you friend requests, a user should set to everyone ‘to avoid missing out on chances to connect with people you know’. Under Search for you on Facebook, a user should set to everyone ‘to avoid missing out on chances to connect with people you know’.

And that is not all, because every once in a while, while a user is browsing the website, under People you make know, Facebook suggests users to add new friends they might like to connect to. If a user clicks on See All he will see an ongoing, almost unlimited list of other Facebook users they can easily connect to based on algorithms that create these connections. It does not stop here, since when a user is browsing any friends photo album, Facebook pops up a notification on the right that shows People in this Album, additional to People You May Know, another feature that pops up frequently.

Figure 3 Facebook suggestions (see online version for colours)


Facebook has many ways to import a user’s address books to mail join invites to non-users. The scary part is Facebook might not use or sell the addresses, but they save every address. A non-user has to e-mail Facebook for their e-mail to be deleted from the website’s database. Yet, non-users (whose address was imported from a user’s address book via Hotmail, Yahoo, Skype, etc.) have no way to know if someone is importing their e-mail address. A person can be on an e-mail list never having signed up for it?

Facebook wants you to connect to others and use its users content to expand their user registration growth/ad revenue. A clear example of this is when they will post other friend’s photos by calling them Photo Memories when a user is viewing a photo album, and a second later they will post a series of advertisements. It might be normal social networking behaviour, except it when you do not want to connect with your friends’ friends, or when you don’t want advertisements in your own profile.26

In a blog post titled Facebook’s Privacy Upgrade recommends I be less private, Daggle’s Danny Sullivan writes about Facebook’s change of privacy settings in 2009 and how he used his account as a case study and took a tour of the new recommended settings at the time.27 On the face of it (no pun intended), it looks like Facebook’s trying to get me to open up three categories to the world that previously appeared closed. These were all tagged as recommended from changing from my old settings to ‘Everyone’: Family & Relationships, Work & Education, and Posts I Create’.28 Previously, I had that locked down to sharing with only those in my networks and friends. For some reason, Facebook has determined that I should share the information with everyone. The default settings for sharing need to change and the suggestions to connect are overwhelming.

5.2 The Poke: what is it?

Pokes are described as Mark Zuckerberg’s desire to have ‘something on the site that did absolutely nothing’. So in 2004, along with messaging, a simple profile and networks, he developed the famous Facebook poke. Nobody really knows what it does and some interpret the poke as a sign of affection or interest coming from the other user. It is a feature some consider useless, and others consider very useful. It allows a user to virtually poke a friend or a ‘friend of a friend’; the user on the other side can ‘Poke Back’ and all is carried out by an image and a small banner with the users name.

Users cannot eliminate the poke feature from their page; why force users to have it? Facebook used to allow users to opt-out of the poke from the features a user made available to non-friends viewing that user’s profile, just like users can opt-out of being messaged or being ‘added as a friend’. Facebook did not leave the ‘option’ for users to decide and have meaningful consent to every feature. Facebook allows the poke to be used by default amongst ‘Friends’ and ‘Friends of Friends’, another default inadequately put into practice considering the amount of connections the average user may have.

If the average user indeed has 130 friends (a surprisingly low number), and each of those friends has 130 friends (very doubtful), the average user can be poked by 2,197,000 users at ay any given time.29 Imagine if the user has 500+ friends and each one of those friends has 300, or 800 friends. Imagine if the user has well over 1,000 friends.


6 Regulation of the social networks

6.1 CIPPIC

The Canadian Public Interest and Internet Policy cyber clinic at the University of Ottawa’s Law and Technology Center has long been a strong advocate of privacy on social networks. In 2009, it filed a multi-faceted complaint against Facebook Inc., under the under the Personal Information Protection and Electronic Documents Act (PIPEDA), on topics ranging from the collection of date of birth at registration to the sharing of users’ personal information with third party application developers. The Report of Findings into the Complaint Filed by CIPPIC against Facebook said social networking sites are a ‘cultural phenomenon’.

They represent a dramatic shift in the way people communicate, and their use raises interesting questions about long-held views on what it means to have a private life or a sense of ‘privacy’. In the last five years, the popularity of these sites has exploded, with millions of people around the world joining them to keep in touch with their friends and family and to meet new people.30

CIPPIC alleged that by “preselecting default privacy settings Facebook was in effect using opt-out consent for the use and disclosure of personal information without meeting the requirements for opt-out consent as articulated in previous findings of our Office.” Specifically, CIPPIC contended that much of the personal information being shared by users, “including photographs, marital status, age, and hobbies, is sensitive and therefore requires express consent.”31

PIPEDA states in Principle 4.8 that an organisation shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. According to CIPPIC, users need some help “navigating this world in a way that balances the social benefits many receive from social networking with the knowledge that what is posted online is never completely private.” One of the key concepts of the PIPEDA Act is that of control of one’s personal information. And “[t] he cornerstone of the legislation is ‘knowledge’ and ‘consent’. Many of the complaints made to the Privacy Commissioner’s Office in Canada are essentially matters of consent, and the focus on this case was on whether consent is meaningful.”32

In CIPPIC v. Facebook, the Privacy Commissioner found that Facebook is to be commended for offering granular privacy control settings to its users. It frequently contains the kinds of information users need to make reasonable decisions, though the information is scattered about the site. As CIPPIC’s Frequently Asked Questions states,

“[a]lthough social networking sites promise privacy and security, they do not give users as much control over their information as individuals have in the offline world. The privacy settings offered by social networking sites are crude in comparison to the ways in which people control their privacy offline.”33

Facebook has never and will follow PIPEDA’s eight principle. The site only informs users their private information will be shared but does not inform them entities collecting data, specific uses for the data, potential recipients of the data, the


nature of the data, how it is collected, or even the steps to ensure its confidentiality. Facebook does not make specific information about their policies and practices readily available to users.

6.2 The FTC on internet privacy

On 5th May 2009, the Electronic Privacy Information Center (EPIC) announced that it had filed a complaint34 with the Federal Trade Commission charging that Facebook has engaged in unfair and deceptive trade practices in violation of consumer protection law. The complaint states that changes to user profile information and the disclosure of user data to third parties without consent “violate user expectations, diminish user privacy, and contradict Facebook’s own representations.”35

The first Fair Information Practice Principle of the FTC, ‘Notice and Awareness’ states:

“[c]onsumers should be given notice of an entity's information practices before any personal information is collected from them. This requires that companies explicitly notify of some or all of the following:

• identification of the entity collecting the data

• identification of the uses to which the data will be put

• identification of any potential recipients of the data

• the nature of the data collected and the means by which it is collected

• whether the provision of the requested data is voluntary or required

• the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.

Privacy Online36 is a report to Congress by the Federal Trade Commission published in 1998 assessing the state of privacy on the internet. This report identified the five widely accepted fair information practices: Notice, Choice, Access, Security, and Redress. These areas cover the basic principles of online privacy and outline principles Facebook should follow to protect the privacy of users. Notice is the first requirement of fair information practices. Customers must be aware of information collection and their rights regarding that collection before they can exercise them. The Facebook Privacy Policy aims to fulfil this requirement. It species Facebook as the entity collecting the data, and does a good job of identifying which data will be collected in most cases, including non-obvious data such as session data and IP addresses.

Giving consumers options as to how any personal information collected from them may be used is choice. Specifically, choice relates to secondary uses of information or uses beyond those necessary to complete the contemplated transaction. The two types of disclosure are disclosure to other users of the site, and disclosure to third parties, primarily advertisers. The privacy features provided by Facebook allow the user to control what other users of the site can see about their profile data. The issue here is that there are virtually no controls on what Facebook can expose to advertisers.


Figure 4 Facebook ads (see online version for colours)

Opt-out privacy settings in ‘Social Ads’, or ‘Ads show by third-party applications’ put users are at greater risk to share what they didn’t affirmatively choose to share.


Access refers to an individual’s ability both to access his data and to contest that data's accuracy and completeness. Accessing and contesting the accuracy are both essential to ensure that data is accurate and complete. Because Facebook is based on the sharing of information, and because Facebook provides users with the ability to control this information, Facebook follows this principle fairly well.

The process that restricts access to those who have been granted it legitimately and that ensure data integrity is called security. The report states in part “[t]o assure data integrity, collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form.”37 Although Facebook is certainly vague about the uses to which the data will be put, it gives users control over the existence of information about themselves in the database. Their terms of service clearly state “[y]ou may remove your Member Content from the site at any time. If you choose to remove your Member Content, the license granted above, which permits Facebook to use the data, will automatically expire.”38

For effective redress “self-regulatory regimes should include both mechanisms to ensure compliance (enforcement) and appropriate means of recourse by injured parties (redress).” Similar to the other privacy principles, Redress requires that customers be aware of ways in which they may be harmed. In the case of security breaches, there is no policy for notification of customers by Facebook.com.

Facebook is vague about the uses to which the data will be put to use, primarily advertisers. There are no controls on what Facebook can expose to advertisers, one of the two types of disclosure of private information that is implicated in choice. In the end, for meaningful consent, customers must be aware of information collection and their rights regarding that collection before they can exercise them in order for Facebook to comply with the Principles discussed. Until then, regulatory measures will remain unenforceable.

7 Dangers with privacy violations: is self-regulation possible?

The privacy settings on Facebook have been a controversial topic throughout the years. The site is dawning the age of rejection. The more users realise their privacy protections are inadequate, the more they will be concerned about their content, restrict their sharing and limit themselves with their likes and comments. Unless Facebook tweaks their platform to allow users to implement certain important and practical privacy practices, the users will inevitably suffer the consequences.

An example of such behaviour can be seen in a blog post titled Risk Reduction Strategies on Facebook, where a blogger documents certain practices of Facebook users with respect to protecting their privacy, as a result of Facebook’s inadequate response to users privacy concerns.

Mikalah uses Facebook but when she goes to log out, she deactivates her Facebook account. She knows that this does not delete the account – that is the point. She knows that when she logs back in, she will be able to reactivate the account and have all of her friend connections back. But when she’s not logged in, no one can post messages on her wall or send her messages privately or browse her content. But when she is logged in, they can do all of that. And she can delete anything that she does not like. Michael


Ducker calls this practice ‘super-logoff’ when he noticed a group of gay male adults doing the exact same thing.39

Treatises, guidelines, fair practices acts, privacy laws and commercial and criminal laws have been enacted for those who violate the ways of the cyber world. But legislation cannot be the answer and is usually not the most adequate solution for technology regulation due to the ever-growing, exponential growth of the field where changes to the technology occur faster than anyone anticipates.

Social networks, online businesses, broadcasters, advertisers, marketers, bloggers alike, need to respect internet common sense. It is not easy to regulate the internet, but it is not hard to put in place media and public pressure that actually works. It seems the only way a company is willing to change their policies regarding important or essential issues is after receiving tons of negative feedback and criticism from their users. Online websites need to think before they enact policies that might substantially affect their user and consumer base.

It is inappropriate to think regulation of social networking has to happen at a citizens’ level because this is precisely what social networks rely on, people and their social connections to others. Facebook cannot regulate itself and unless it becomes more transparent, it will be violating the core of privacy policy principles. They have just been changing features hoping users do not notice.

Living in the present does not mean we have to be satisfied with the way things are. It is clear that women, for example, are the most targeted demographic in terms of sexual harassment and possible sexual assaults. We thus need to be aware and foresee the implications of a social network structure where poking is a free for all and users are default posting to ‘everyone’.

Some websites put the women population on Facebook to over two-thirds.40 Others say the growth has been recent and goes well beyond half, where the female population on the site surpassed the male and continues to grow. The argument is not that Facebook engineers are creepers and want all information to be public, but it is a company based on ‘connecting people’, and the more they can connect the more profit they make and the bigger they grow. This, is simply dangerous without proper regulation and privacy settings’ defaults set to everyone.

It seems clear social networks are not exempt from internet regulation and should be scrutinised by privacy commissioners and ministers around the globe. US President Barack Obama met with Mark Zuckerberg, Steve Jobs, and others in Silicon Valley not too long ago to talk bout his concerns on a variety of issues.41 People are no longer a long way’s away, but a short message away. Privacy is a serious concern and violations are causing social problems like cyber crime and identity fraud, cyber bullying and suicides, marital problems and divorces. Privacy depends on the user, except when the user is not protected adequately by the platform.

The more users interact in social networking sites, the less privacy they can claim to have. Nowadays, people need to be excessively careful with what they post online – a user can become victim of identity theft, ruin his or her reputation or even attract the attention of people who have more than chatting on their minds. The answer, though, cannot lie in not posting, not using the website or deleting or deactivating Facebook.

Facebook should step up to the plate, and as a pioneer on social networking ‘promise’ a safe and secure world for their users. They ‘know’ they dominate the market, they know they can have a more secure website, and they know their users could benefit greatly from a platform ‘with more options’.


8 Conclusions: social protections for social networks

Users should be careful what they post and should use common sense. Everything you post on www.facebook.com (status updates, photos, videos, etc.) is covered in their Statement of Rights and Responsibilities, where “(subject to your privacy and application settings): you grant [Facebook, Inc.] a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook.”

Some argue that privacy on social networks is an illusion. They argue if you do not want people to know your address or the fact that you secretly love Justin Beiber, do not post it online. That being said, Facebook needs to take on more responsibility for the privacy of their users, just like users of these services need to take on more responsibility to protect their own privacy and security.

Scott McNealy, the chairman of Sun MicroSystems once remarked, “Privacy is dead” and suggested the audience “get over it.” This seems a little harsh, considering the amount of information available, the profit-driven business models behind technology and privacy intrusions and the ratio of consent-to-laziness when it comes to users actually reading privacy policies, user agreements, user licenses, etc. The scary thing is, Mr. McNealy may be right. In an era when you can zoom in on a satellite picture of your home from the internet or look at the vacation pictures of total strangers, does privacy really exist anymore? Or should privacy be a ‘private concern’ of each and every internet user who decides to go on social networking sites?

It is uncontested social networking sites are set up specifically to allow people to interact with one another – they are ‘social’ networks after all – and the idea of locking everything down runs counter intuitive to their whole purpose. That being said, and even if Facebook has taken some steps in the right direction, it could do much more.

Notes 1 Facebook’s Statement of Rights and Responsibilities, Section 15.3, Date of Last Revision

4th October 2010, available at http://www.facebook.com/terms.php. 2 Facebook, Inc., is an online social networking website founded by Mark Zuckerberg in

January 2004. It is a social utility that connects people with friends and others who work, study and live around them. People use Facebook to keep up with friends, upload an unlimited number of photos, share links and videos, and learn more about the people they meet. Anyone can join Facebook. All that is needed to join Facebook is a valid e-mail address. Available at www.facebook.com.

3 According to the website CheckFacebook.com, and with daily updated data, they report the ‘Global Audience’ of users at 629,622,400 as of 8th April 2011.

4 Internet Privacy, Wikipedia, available at http://en.wikipedia.org/wiki/Internet_privacy. 5 Social Network Service, Wikipedia, available at

http://en.wikipedia.org/wiki/Social_network_service. 6 Canadian Internet Policy and Public Interest Clinic (CIPPIC), FAQ, Social Networking, June

2008, available at http://www.cippic.ca/social-networking/#FAQ.sn. 7 Some websites show Facebook to be the second most visited site in the world and others say it

to be the number one most visited website. It is always shown in competition with Google. 8 Facebook Statistics for Canada, available at http://www.socialbakers.com/facebook-

statistics/canada.


9 80% of the Top 100 US websites have integrated a social plug-in for Facebook. Facebook Statistics, Press Room, available at http://www.facebook.com/press/info.php?statistics.

10 Kurt Opsahl, Facebook’s Eroding Privacy Policy: A Timeline: Electronic Frontier Foundation, 28th April 2010, available at http://www.eff.org/deeplinks/2010/04/facebook-timeline.

11 Mark Zuckerberg, From Facebook, answering privacy concerns with new settings, The Washington Post, 24th May 2010, WashingtonPost.com, available at http://www.washingtonpost.com/wp-dyn/content/article/2010/05/23/AR2010052303828.html.

12 Comments by Mark Zuckerberg to TechCrunch’s Michael Arrington, available at http://www.ustream.tv/recorded/3848950.

13 Facebook Privacy Policy circa 2005: No personal information that you submit to Thefacebook will be available to any user of the website who does not belong to at least one of the groups specified by you in your privacy settings.

Facebook Privacy Policy circa 2006: We understand you may not want everyone in the world to have the information you share on Facebook; that is why we give you control of your information. Our default privacy settings limit the information displayed in your profile to your school, your specified local area, and other reasonable community limitations that we tell you about.

Facebook Privacy Policy circa 2007: Profile information you submit to Facebook will be available to users of Facebook who belong to at least one of the networks you allow to access the information through your privacy settings (e.g., school, geography, friends of friends). Your name, school name, and profile picture thumbnail will be available in search results across the Facebook network unless you alter your privacy settings.

Facebook Privacy Policy circa November 2009: Facebook is designed to make it easy for you to share your information with anyone you want. You decide how much information you feel comfortable sharing on Facebook and you control how it is distributed through your privacy settings. You should review the default privacy settings and change them if necessary to reflect your preferences. You should also consider your settings whenever you share information. ...

Information set to ‘everyone’ is publicly available information, may be accessed by everyone on the internet (including people not logged into Facebook), is subject to indexing by third party search engines, may be associated with you outside of Facebook (such as when you visit other sites on the internet), and may be imported and exported by us and others without privacy limitations. The default privacy setting for certain types of information you post on Facebook is set to ‘everyone’. You can review and change the default settings in your privacy settings.

Facebook Privacy Policy circa December 2009: Certain categories of information such as your name, profile photo, list of friends and pages you are a fan of, gender, geographic region, and networks you belong to are considered publicly available to everyone, including Facebook-enhanced applications, and therefore do not have privacy settings. You can, however, limit the ability of others to find this information through search using your search privacy settings.

Current Facebook Privacy Policy, as of April 2010: When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting. ... The default privacy setting for certain types of information you post on Facebook is set to “everyone.” ... Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection.

Facebook’s Eroding Privacy Policy: A Timeline, Electronic Frontier Foundation, 28th April 2010, available at https://www.eff.org/deeplinks/2010/04/facebook-timeline.


14 ‘Public information’ is information Facebook shares with everyone online. Understanding what information is considered ‘public’ can be confusing, but this knowledge is key to understanding what information Facebook may share with its business partners without seeking further permission from a user.

The following information of every user is public information: “name, profile picture, current city, gender, networks, complete list of your friends, and your complete list of connections (formerly the list of pages that you were a ‘fan’ of, but now including profile information like your hometown, education, work, activities, likes and interests, and, in some cases, your likes and recommendations from non-Facebook pages around the web).” Richard Esguerra, A Handy English to Facebook Translator, 28th April 2010, available at https://www.eff.org/deeplinks/2010/04/handy-facebook-english-translator.

15 Robert Scoble, ‘When do you throw a CEO’s privacy under the bus?’, 23rd May 2010, available at http://scobleizer.com/2010/05/23/when-do-you-throw-a-ceos-privacy-under-the-bus/.

16 Tom Bradley, Open Letter to Facebook on Privacy, PC World, 3rd May 2010, available at http://www.pcworld.com/businesscenter/article/195450/open_letter_to_facebook_on_privacy.html.

17 News Feed Privacy, Help Page, available at http://www.facebook.com/help/?faq=15358. 18 The six excuses users have for not changing their privacy settings are: “Nah”, “I don’t have

time”, “I’m too busy”, “That’s too much work” It sounds so complicated, and I’m going on Facebook less anyway”. Jackie Cohen, 6 Excuses for not using Facebook’s Privacy Settings, 1st March 2011, available at http://www.allfacebook.com/top-5-excuses-for-not-using-facebooks-privacy-settings-2011-03-2011-03.

19 Lalonde v. Lalonde, Kentucky Court of Appeals, No. 2009-CA-002279-MR. 20 “She also argues that with the advent of modern digital techniques, photographs may easily be

altered and the time and date stamps associated with the photographs left doubt as to when they were taken. She does not however provide anything but argument to support these propositions.”

The court also said, “although we acknowledge that modern digital photography techniques may allow for the alteration of a photograph, Jessica did not suggest such techniques were employed. She instead acknowledged the photographs were accurate which leads to the conclusion they were not altered. We find nothing to cause us to disagree with the admission of the photographs as evidence.”

21 The right to oblivion, or droit a l’oublie promotes the idea of a right to disappear from the internet.

22 I.1: Omer Tene, You’ve Been Tagged, 21 March 2011, available at http://cyberlaw.stanford.edu/node/6642.

23 I.2: You’ve Been Tagged, supra. 24 See Appendix 2. 25 See Appendix 3. 26 It should be noted that for almost six years, Facebook ‘never loaded a single’ advertisement on

any user profile. The company started this ad practice in 2010 with the introduction of the ‘New Profile’. Props.

27 See Appendix 4. 28 Danny Sullivan, Facebook’s Privacy Upgrade recommends I be less private, Daggle, 9

December 2009, available at http://daggle.com/facebooks-privacy-upgrade-recommends-private-1550.

29 130 to the power of 3 = 2,197,000.


30 Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc., under the Personal Information Protection and Electronic Documents Act, Office of the Privacy Commissioner of Canada, available at http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm.

31 Report of Findings into the Complaint Filed by CIPPIC against Facebook, supra. 32 The Office of the Privacy Commissioner has previously considered consent to be meaningful

if the individual in question is informed in a clear and understandable manner of the purposes for collecting, using and disclosing personal information, prior to any such collection, use or disclosure of personal information.

33 CIPPIC, FAQ, Social Networking, supra. 34 EPIC filed the complaint alongside 14 other privacy and consumer protection organisations. 35 New Facebook Privacy Complaint Filed with Trade Commission, Electronic Privacy

Information Center, 5th May 2010, available at http://epic.org/2010/05/new-facebook-privacy-complaint.html.

36 Federal Trade Commission, Privacy Online: Report to Congress, 1999. 37 Privacy Online: Report to Congress, supra. 38 Facebook Terms of Service, supra. 39 Danah Boyd, Risk Reduction Strategies on Facebook, available at

http://www.zephoria.org/thoughts/archives/2010/11/08/risk-reduction-strategies-on-facebook.html.

40 Michael Arrington, TechCrunch.com, 21 November 2007, available at http://techcrunch.com/2007/11/21/facebook-is-almost-23-women-and-other-stats.

41 Michelle and Barack Obama do not let their children have Facebook accounts.

Appendix 1

Figure A1 Privacy Lights (see online version for colours)


Appendix 2

Figure A2 Facebook’s recommendations for your privacy settings www.facebook.com (see online version for colours)

Appendix 3

Figure A3 Controlling how to share (see online version for colours)

Source: Facebook, http://www.facebook.com/privacy/explanation.php


Appendix 4

Figure A4 Danny Sullivan, Facebook’s Privacy Upgrade recommends I be less private (see online version for colours)


Figure A5 Facebook’s Privacy Settings (a) before (b) after (see online version for colours)

(a)


Figure A5 Facebook’s Privacy Settings (a) before (b) after (continued) (see online version for colours)

`

(b)

the war on facebook: privacy on social networks

Documents

electronic

electronic

current regulatory

party search

public interest

canadian internet

personal information

social networking