When you post an update on Facebook, should you expect it to stay private? You intend that only your pre-approved group of friends will see your update, but what if others do? Have your rights to privacy been violated unfairly? What do you think?


I am not wandering the streets of Austin at the SXSW conference this weekend, but GigaOM is making it easy for me to keep up with the important things happening there. Liz Gannes covered an important keynote address discussing privacy on the web, and the ramifications of it have my mind buzzing. In researcher Danah Boyd’s keynote address, she took Google and Facebook to task over lapses where user’s private information was made public. In particular, Boyd was on Google’s case for making personal information public by default with the launch of Google Buzz. Google backpedaled to correct that after the damage was done.

She also took Facebook to school over changing user privacy settings without making it clear that was happening. Facebook users found their previously private updates were suddenly hitting the public airwaves as a result. The entire keynote was quite good according to Gannes, and I wish I had been there. I especially found one of Boyd’s points to be very thought-provoking — just because someone says something on the web, does that mean it’s public information by default?

Think about that for a moment. Those of us who have been using the web since the beginning will usually say that if you say it on the web it’s totally public information. If that is true, then the web is useless for confidential business purposes, in addition to social networking. That’s pretty harsh if that’s the way it must be. As Boyd said in her keynote, you have the right to expect that something you say to a real life group in private will remain private. Why shouldn’t that apply to the web, too?

Think about the Facebook example — you sign up, verify your identity and restrict access to any information you “publicly” post on the service to a pre-approved list of friends. Is that a public group then, or is it a private group? It’s not that clear, is it? That’s why some Facebook users got burned when it changed the privacy defaults. Suddenly the “private” information on the web was accessible to those not on the pre-approved list.

I know many will claim that if you put it on the web, then you must assume it is public by nature of the way the web works. I would have previously agreed with this view, but now I’m not so sure. Think about online collaboration tools used in business — you have a right to assume your team’s private information shared will remain private to the group. If the online collaboration service suddenly changes things to make outsiders privy to the confidential information, you can bet users would be squawking loud and clear. That would only be right.

But how are these online collaboration services any different from social networks like Facebook? Both require signup, followed by carefully defining who has access to information shared in the service. Yet we probably feel that a collaboration service has a different level of privacy than a pure social network. How can we define just how private a social network really is? What is a reasonable expectation when using these networks regarding how our private information will or will not be shared? It is a very interesting question and I’m not sure there is an easy answer. I’d love to hear your thoughts on this.

Related content from GigaOM Pro (sub req’d):

Google Buzz’s True Home Is in the Enterprise

Can Enterprise Privacy Survive Social Networking?

You’re subscribed! If you like, you can update your settings

  1. I think the problem in the case of Google and even more Facebook isn’t the existence or non-existence of privacy itself rather in how they handle and change things.

    If I publish something on some website of which I know that everything is made public, then I see no problem. It’s my decision and responsibility what information I share to the public or not. But if I publish something on a place like Facebook where I’m offered a choice (public, groups, friends) to share information with, then I expect my decision to be honored. This site can’t just go and suddenly decide that from now on things are different, information is public and even private stuff published before this change is now to be public with no way to object.

    In my opinion that’s misuse of power, even more so if it is a site like Facebook where millions of people are managing their friend network and it’s not that easy to just say goodbye to Fb and move on to another site that is more concerned about privacy.

    I have no problem with Facebook changing its privacy rules, preferably with a way to object but necessarily without forcing formerly private information to be public now.

  2. I can think of two issues that are important, although they barely scratch the surface of the privacy problems.

    First is the issue of control. Facebook is supposedly giving users control over who gets to see what information, but then they change the defaults, essentially ignoring the users serttings. So even though users were promised this control facebook ignored that promise. And because the information was in its servers it could do as it wished. So user control turned out to be an illusion. The only thing that can be done about this is to pressure facebook, with lawsuits or whatever, to stick to its own terms, and give adequate advance notice for any changes. This is true for any cloud based service storing our data, although facebook currently seems to be the worst offender.

    The second is that users may not see all the implications of their decisions. The privacy settings can get very complicated, and the results cannot always be foreseen. When you add a new friend can you be sure you have NO information that you would not want them to see? Or that someone else may see peeking over their shoulder as they access their account? Obviously not. This is not a problem with facebook, it is a problem with the complexity of the stored information. Just like programs have bugs so will social network settings have “bugs” producing unforeseen results. Not to menton that your photos, text or whatever can be easily copied and pasted elsewhere by your friends.

    These things, and many more like them make it likely that for information you put in social networks, you should expect very little privacy in practice. The medium is very prone to “leaks”. In most cases if some information has been uploaded in these sites anyone determined and skilled enough can get it. This does not mean that we should allow practices like facebook’s to happen without challenging them, but we should be prepared for the fact that such leaks may happen, and be very conservative with what we put online.

    Because in the end while I agree that we have a right of privacy in theory, as social networking becomes more and more flexible, privacy becomes harder and harder in practice, any anything you upload CAN end up as totally public information.

  3. Yes, unless the Terms of Use state something along the lines of ‘You hereby volunteer to forfeit all rights to privacy’.

  4. Danah’s draft of her talk is available on her site: http://www.danah.org/papers/talks/2010/SXSW2010.html

    It’s definitely a thought-provoking read. I think the primary reason she called out Google and Facebook is because each company took information that was previously considered reasonably private and exposed it in a manner that was neither clear to users nor directly beneficial for users.

    Facebook made status updates public because they see great value in making that information publicly accessible. They also did so in a manner that confused (or wasn’t clear) to their users.

    Google made Buzz public by default to drive initial user adoption without clearly considering the perceived privacy of one’s email contacts.

    The privacy of a network is defined by the owner of that network. But what happens when the owner changes the rules?

    The difference Danah calls out is the possibility of data posted online to become public. She notes: “Just because something can be accessed, doesn’t mean that it will be.” But, at the same time, when information is posted online, there are endless ways for that information to be disclosed – whether posted by somebody else that’s part of that network, the network changes it’s rules, or the network is compromised. Is it likely? Not necessarily. But it’s possible, and we never know when or how that possibility will strike. Assuming that information is public by default is a good, if paranoid, way to prevent that.

    Think about this for a moment – even if I sign up for Twitter and/or Facebook and protect my account to the gills…my information is only as private as the friends and connections I make. With over 70,000 apps built on top of Twitter and even more(?) on Facebook, the likelihood that one of my friends (that I’m distributing updates to) signs into an application that does not adequately protect it’s information is very likely.

  5. What digital media is really good at doing is distributing information, and so when a user publishes a piece of information on Facebook, Twitter or Buzz, they ought to be mindful of this nature. While systems can be put in place to delimit the distribution of those messages (conditional access and permissions-based systems, for instance), they are quite easy to duplicate in violation of your privacy wishes by those with access.

    I can’t read your email, but somebody who has access (the recipient of your message, say) can forward it to me. Your protected tweets don’t show up in my timeline, but an approved follower of yours may choose to retweet your message thereby releasing it into the wider ecosystem. I don’t have access to your collaborative work documents, but anybody who does can copy/paste the contents to a public forum.

    When it comes down to it, if a person is concerned about a message being made public, they should seriously consider whether they need to digitally encode it. Beyond that, different sites and services should give users an idea of the degree of privacy that they can expect. Once they’ve made such a statement, it is up to the users to hold them accountable, which we’ve done to varying levels of success.

  6. Honestly, I am going the “old-man,” “old-school” route and saying that by posting any info, no matter what privacy options are at your disposal, you know the risk. If its on the interweb, then somebody is bound to come across it sooner or later. In a nutshell, just because you are offered privacy doesn’t mean it’s guaranteed- use common sense and sound judgement. KEEP IT PG!

  7. I agree with Joe.
    When you post something on the internet, always assume it
    could become public.
    Either via robots, hackers, or a friend.

    Keep truly private stuff off the internet.

    I’ve received sensitive information by mistake,
    because someone down the line forwarded EVERYONE
    on their contacts list the email by mistake.

    Things happen by mistake, think of the stuff that
    happens on purpose?

  8. Stephen G. Barr Sunday, March 14, 2010

    Excellent post. Privacy is still the responsibility of the individual if you wish to maintain it. Google’s Buzz was too intrusive at launch, now corrected but if you don’t want something put out there then don’t put anything out there anywhere. I assume that whatever I write anywhere will be read by all but then again I’m an open book.

  9. This depends on a myriad of factors and there’s certainly a range of opinions here which are articulate and quite interesting. I’ve enjoyed the comments and the post so far.

    But Google, facebook et al should beware though – in some countries (Australia for example) a user has a limited statutory right to privacy which can’t be removed by entering into any contractual obligation.

    Likewise, in some countries where there is no enshrined legal right to privacy of information, defamation actions might be available as a defacto method of enforcing a right to privacy. In the UK, i’m pretty sure facebook users have successfully sued as a result of behaviour relating to a breach of privacy – i’m pretty sure people in the USA are pulling the same trick but no idea how it’s going yet.

    I think as Harry has mentioned, the core issues here are really transparency and the ability for the user to understand the control they have over how their information will be used, as well where possible some ability to see the effects of this.

    I also think (echoing the thoughts of most commenters here) that the biggest risk isn’t so much an inherent property of the network but something someone else does – be it run an application without sufficient security or copy paste/forward/whatever some information to another person.

  10. Interesting blog post. Privacy options were given on Facebook that is why many users have signed up. They could have not given any option and made everything public even then many people would sign up but then they would know that its all public anyway. However when an option is given and then without any notice just changing it as the company feels is a breach of trust in the least.

Comments have been disabled for this post