Do Social Network Users Have a Right to Privacy?


I am not wandering the streets of Austin at the SXSW conference this weekend, but GigaOM is making it easy for me to keep up with the important things happening there. Liz Gannes covered an important keynote address discussing privacy on the web, and the ramifications of it have my mind buzzing. In researcher Danah Boyd’s keynote address, she took Google and Facebook to task over lapses where users’ private information was made public. In particular, Boyd was on Google’s case for making personal information public by default with the launch of Google Buzz. Google backpedaled to correct that after the damage was done.

She also took Facebook to school over changing user privacy settings without making it clear that was happening. Facebook users found their previously private updates were suddenly hitting the public airwaves as a result. The entire keynote was quite good according to Gannes, and I wish I had been there. I especially found one of Boyd’s points to be very thought-provoking — just because someone says something on the web, does that mean it’s public information by default?

Think about that for a moment. Those of us who have been using the web since the beginning will usually say that if you say it on the web it’s totally public information. If that is true, then the web is useless for confidential business purposes, in addition to social networking. That’s pretty harsh if that’s the way it must be. As Boyd said in her keynote, you have the right to expect that something you say to a real life group in private will remain private. Why shouldn’t that apply to the web, too?

Think about the Facebook example — you sign up, verify your identity and restrict access to any information you “publicly” post on the service to a pre-approved list of friends. Is that a public group then, or is it a private group? It’s not that clear, is it? That’s why some Facebook users got burned when it changed the privacy defaults. Suddenly the “private” information on the web was accessible to those not on the pre-approved list.

I know many will claim that if you put it on the web, then you must assume it is public by nature of the way the web works. I would have previously agreed with this view, but now I’m not so sure. Think about online collaboration tools used in business — you have a right to assume your team’s private information shared will remain private to the group. If the online collaboration service suddenly changes things to make outsiders privy to the confidential information, you can bet users would be squawking loud and clear. That would only be right.

But how are these online collaboration services any different from social networks like Facebook? Both require signup, followed by carefully defining who has access to information shared in the service. Yet we probably feel that a collaboration service has a different level of privacy than a pure social network. How can we define just how private a social network really is? What is a reasonable expectation when using these networks regarding how our private information will or will not be shared? It is a very interesting question and I’m not sure there is an easy answer. I’d love to hear your thoughts on this.




I think Goog and FB don’t get it. Allowing users to keep their information and communication private is their ONLY hope for the future! Goog and FB’s defence that anything that’s put on the web becomes public is needless. Massive numbers of people understand this absolutely perfectly, much better than the Web2.0-ers wish. Which is precisely why they’ll never use these services. And as soon as Goog, FB etc. manage to educate the rest about the non-existence of privacy, they can close the shop. Goog, FB and their ilk’s only hope is to convince people that whatever they put on the web, and decide to keep private, will remain private. They haven’t even started yet.

Mickey Segal

The answer depends on the details. If GMail makes public the content of your emails, that is a violation of your privacy. If a recipient of one of your emails makes the contents public, that is a violation, but not GMail’s fault unless they mis-delivered your mail, were negligent in taking precautions in keeping your content safe, and so forth. But long before the internet it was a problem that anything that could be tapped or copied could be made public.


It’s clear that Google, Facebook and others should have clear policies and not change them without proper prior notification. And when a user removes information that was previously online (public or private) it should stay removed. But this discussion is further clouded by different types of communication and the relationship of the parties involved. For example, you state: “As Boyd said in her keynote, you have the right to expect that something you say to a real life group in private will remain private. Why shouldn’t that apply to the web, too?” If that “real life group” she’s describing is a bunch of friends in a bar, you “expect” privacy at your own peril. People will gossip and we all know it, and the Web just makes it easier to get that juicy bit of gossip out there.

However, in business settings the rules of privacy are actually clearer for everyone because all parties will have signed non-disclosure agreements as a condition of employment, or some other professional relationship. You shouldn’t be talking about sensitive information in your local Starbucks where it could be overheard, or on any public Internet service. If you do use online services of any kind, including e-mail, for sensitive business documents and communications you better use appropriate encryption tools.

Remember that most of the services being discussed (Facebook and Google Buzz in this case) are free consumer services. Those companies can and will do stupid things sometimes, but users probably have no recourse other than going somewhere else. Business users should use paid services and understand the fine print so they can take legal action in the case of disclosure.

Christian Reventlow

I think there will eventually be a big backlash from people against the full disclosure of their info on the internet and privacy/security are absolutely essential for businesses to fully migrate to using internet-based collaboration solutions.

The solution providers that are first to offer simple, attractive and high fidelity privacy controls for both private individuals and businesses will be the big winners.

I talk about cloud computing security issues in a blog post I did recently. You can see that post….here

“Cloud Computing Security: “Cloud 9” or “Lost in the Clouds”?



Many here know that I’m a system administrator by profession. It’s my job to care about these types of things with my user and company data. As such, my attitude has always been use individual discretion– if it’s meant to be 100% private, don’t put it in viewable form, online or offline. Violate that idea, and you’re just being stupid.

In the case of social networking, however, the water is muddied up quite a bit. What I do expect is that sufficient privacy settings should be available, and that those settings should be honored at all cost. You post a picture of me and don’t tag it, acknowledge the poster’s settings– but give me the ability to tag myself, and immediately respect MY settings. If I say “Friends Only” then by God, I mean MY FRIENDS only! Also, give me the option to “report” the image as abusive for the violations. (And obviously apply this to all information, not just pictures.)

My biggest problem is with the whole “News Feed” mentality. If I remove it from my profile’s feed, it should ALWAYS remove it from the site news feed as well, and I should ALWAYS have the ability to control what is added to the feed by default. In the case of Facebook, I USED to have these settings, but with the latest update those options are gone. I find that offensive and disturbing, and I’ve minimized my FB activity as a result.

So bottom line, provide the user with a comprehensive set of controls at all times, always respect those settings, and let them make the choice for themselves on how much or little privacy they want. It’s valid to give them the settings and claim, “well they didn’t bother to protect themselves.” It’s not valid to backpedal after the fact.

Priyanka D

Interesting blog post. Privacy options were given on Facebook that is why many users have signed up. They could have not given any option and made everything public even then many people would sign up but then they would know that it’s all public anyway. However when an option is given and then without any notice just changing it as the company feels is a breach of trust in the least.


This depends on a myriad of factors and there’s certainly a range of opinions here which are articulate and quite interesting. I’ve enjoyed the comments and the post so far.

But Google, Facebook et al should beware though – in some countries (Australia for example) a user has a limited statutory right to privacy which can’t be removed by entering into any contractual obligation.

Likewise, in some countries where there is no enshrined legal right to privacy of information, defamation actions might be available as a de facto method of enforcing a right to privacy. In the UK, I’m pretty sure Facebook users have successfully sued as a result of behaviour relating to a breach of privacy – I’m pretty sure people in the USA are pulling the same trick but no idea how it’s going yet.

I think as Harry has mentioned, the core issues here are really transparency and the ability for the user to understand the control they have over how their information will be used, as well where possible some ability to see the effects of this.

I also think (echoing the thoughts of most commenters here) that the biggest risk isn’t so much an inherent property of the network but something someone else does – be it run an application without sufficient security or copy paste/forward/whatever some information to another person.

Stephen G. Barr

Excellent post. Privacy is still the responsibility of the individual if you wish to maintain it. Google’s Buzz was too intrusive at launch, now corrected but if you don’t want something put out there then don’t put anything out there anywhere. I assume that whatever I write anywhere will be read by all but then again I’m an open book.


I agree with Joe. When you post something on the internet, always assume it could become public. Either via robots, hackers, or a friend.

Keep truly private stuff off the internet.

I’ve received sensitive information by mistake, because someone down the line forwarded EVERYONE on their contacts list the email by mistake.

Things happen by mistake, think of the stuff that happens on purpose?


Honestly, I am going the “old-man,” “old-school” route and saying that by posting any info, no matter what privacy options are at your disposal, you know the risk. If it’s on the interweb, then somebody is bound to come across it sooner or later. In a nutshell, just because you are offered privacy doesn’t mean it’s guaranteed- use common sense and sound judgement. KEEP IT PG!


What digital media is really good at doing is distributing information, and so when a user publishes a piece of information on Facebook, Twitter or Buzz, they ought to be mindful of this nature. While systems can be put in place to delimit the distribution of those messages (conditional access and permissions-based systems, for instance), they are quite easy to duplicate in violation of your privacy wishes by those with access.

I can’t read your email, but somebody who has access (the recipient of your message, say) can forward it to me. Your protected tweets don’t show up in my timeline, but an approved follower of yours may choose to retweet your message thereby releasing it into the wider ecosystem. I don’t have access to your collaborative work documents, but anybody who does can copy/paste the contents to a public forum.

When it comes down to it, if a person is concerned about a message being made public, they should seriously consider whether they need to digitally encode it. Beyond that, different sites and services should give users an idea of the degree of privacy that they can expect. Once they’ve made such a statement, it is up to the users to hold them accountable, which we’ve done to varying levels of success.


Danah’s draft of her talk is available on her site:

It’s definitely a thought-provoking read. I think the primary reason she called out Google and Facebook is because each company took information that was previously considered reasonably private and exposed it in a manner that was neither clear to users nor directly beneficial for users.

Facebook made status updates public because they see great value in making that information publicly accessible. They also did so in a manner that confused (or wasn’t clear) to their users.

Google made Buzz public by default to drive initial user adoption without clearly considering the perceived privacy of one’s email contacts.

The privacy of a network is defined by the owner of that network. But what happens when the owner changes the rules?

The difference Danah calls out is the possibility of data posted online to become public. She notes: “Just because something can be accessed, doesn’t mean that it will be.” But, at the same time, when information is posted online, there are endless ways for that information to be disclosed – whether posted by somebody else that’s part of that network, the network changes its rules, or the network is compromised. Is it likely? Not necessarily. But it’s possible, and we never know when or how that possibility will strike. Assuming that information is public by default is a good, if paranoid, way to prevent that.

Think about this for a moment – even if I sign up for Twitter and/or Facebook and protect my account to the gills…my information is only as private as the friends and connections I make. With over 70,000 apps built on top of Twitter and even more(?) on Facebook, the likelihood that one of my friends (that I’m distributing updates to) signs into an application that does not adequately protect its information is very likely.

Al Jones

Yes, unless the Terms of Use state something along the lines of ‘You hereby volunteer to forfeit all rights to privacy’.


I can think of two issues that are important, although they barely scratch the surface of the privacy problems.

First is the issue of control. Facebook is supposedly giving users control over who gets to see what information, but then they change the defaults, essentially ignoring the users’ settings. So even though users were promised this control Facebook ignored that promise. And because the information was in its servers it could do as it wished. So user control turned out to be an illusion. The only thing that can be done about this is to pressure Facebook, with lawsuits or whatever, to stick to its own terms, and give adequate advance notice for any changes. This is true for any cloud based service storing our data, although Facebook currently seems to be the worst offender.

The second is that users may not see all the implications of their decisions. The privacy settings can get very complicated, and the results cannot always be foreseen. When you add a new friend can you be sure you have NO information that you would not want them to see? Or that someone else may see peeking over their shoulder as they access their account? Obviously not. This is not a problem with Facebook, it is a problem with the complexity of the stored information. Just like programs have bugs so will social network settings have “bugs” producing unforeseen results. Not to mention that your photos, text or whatever can be easily copied and pasted elsewhere by your friends.

These things, and many more like them make it likely that for information you put in social networks, you should expect very little privacy in practice. The medium is very prone to “leaks”. In most cases if some information has been uploaded in these sites anyone determined and skilled enough can get it. This does not mean that we should allow practices like Facebook’s to happen without challenging them, but we should be prepared for the fact that such leaks may happen, and be very conservative with what we put online.

Because in the end while I agree that we have a right of privacy in theory, as social networking becomes more and more flexible, privacy becomes harder and harder in practice, and anything you upload CAN end up as totally public information.


I think the problem in the case of Google and even more Facebook isn’t the existence or non-existence of privacy itself rather in how they handle and change things.

If I publish something on some website of which I know that everything is made public, then I see no problem. It’s my decision and responsibility what information I share to the public or not. But if I publish something on a place like Facebook where I’m offered a choice (public, groups, friends) to share information with, then I expect my decision to be honored. This site can’t just go and suddenly decide that from now on things are different, information is public and even private stuff published before this change is now to be public with no way to object.

In my opinion that’s misuse of power, even more so if it is a site like Facebook where millions of people are managing their friend network and it’s not that easy to just say goodbye to Fb and move on to another site that is more concerned about privacy.

I have no problem with Facebook changing its privacy rules, preferably with a way to object but necessarily without forcing formerly private information to be public now.
