
For Facebook, the Privacy Snowball Just Keeps on Rolling


Call it the “snowball effect,” or maybe the “witch-hunt” effect. At some point, when a company is under fire for something, even the smallest piece of evidence that it might be guilty of that thing can get blown out of proportion. Exhibit A is Facebook and the recent news — reported somewhat breathlessly by the Wall Street Journal, of all places — that the social network sent personally identifiable information to advertisers, after saying that it doesn’t. As Marshall Kirkpatrick at ReadWriteWeb has noted, this story is a tad exaggerated. The fact is that lots of websites transmit information via the URL of a page, because that’s the way modern web browsers work. In some cases, Facebook seems to have accidentally included user IDs in the URL string when someone clicked on an ad, and according to the Journal has now changed the way it handles those links as a result of the paper’s inquiries.

Despite the scare-mongering from some sites about Facebook “selling your identity to advertisers,” on a scale of 1-10 privacy-wise, this is probably around a 1 or 2 — and it’s not unique to Facebook, either (MySpace uses the same method, according to the Journal). As one commenter at the Hacker News site noted, it could easily be a simple case of programmers overlooking what info is being encoded in a page’s URL. Should the network have had controls in place to prevent this? Probably. But the reality is that Facebook has become a lightning rod for such issues, and therefore even the tiniest speck of incriminating behavior gets sucked into the maelstrom of attention.
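The URL transmission described above happens through the HTTP `Referer` header, which a browser attaches to the request for the page a link leads to. The following is an added example, not code from the original post or from Facebook: it models which referrer value a third-party ad host receives under several Referrer-Policy settings and checks it for a test user's identifiers. The hostnames, paths, parameter names and identifiers are constructed.

```javascript
// Added example: constructed hosts, paths and identifiers, not Facebook's real URL format.

// Referer value a browser sends when navigating from pageUrl to destUrl
// under a given Referrer-Policy (only a subset of the policies is modelled).
function refererFor(pageUrl, destUrl, policy) {
  const page = new URL(pageUrl);
  const dest = new URL(destUrl);
  // Browsers always drop credentials and the #fragment from the referrer.
  const full = page.origin + page.pathname + page.search;
  const originOnly = page.origin + "/";
  const downgrade = page.protocol === "https:" && dest.protocol !== "https:";
  const sameOrigin = page.origin === dest.origin;
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "no-referrer-when-downgrade": // long-time browser default
      return downgrade ? null : full;
    case "strict-origin-when-cross-origin": // current browser default
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error("policy not modelled: " + policy);
  }
}

// Regression check: which of the signed-in test user's identifiers would the
// destination see? Compares decoded path segments and query values exactly.
function leakedIdentifiers(referer, identifiers) {
  if (referer === null) return [];
  const dec = (s) => { try { return decodeURIComponent(s); } catch { return s; } };
  const url = new URL(referer);
  const seen = new Set(url.pathname.split("/").filter(Boolean).map(dec));
  for (const value of url.searchParams.values()) seen.add(value);
  return identifiers.filter((id) => seen.has(id));
}

// Constructed scenario: a profile page URL carrying a username and a numeric id.
const profilePage = "https://social.example/profile/alice.example?id=1000123&ref=feed";
const adClick = "https://ads.example/click?campaign=42";
const testUser = ["alice.example", "1000123"];

for (const policy of ["no-referrer-when-downgrade", "origin", "strict-origin-when-cross-origin"]) {
  const referer = refererFor(profilePage, adClick, policy);
  console.log(policy, "->", referer, "leaks:", leakedIdentifiers(referer, testUser));
}
```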

In other words, privacy is clearly the new black. Whether it’s concern over Facebook’s transmission of data through URLs or Google’s accidental capturing of Wi-Fi data, consumers and advocacy groups and government agencies are increasingly concerned about what large web companies are doing with consumers’ data. Google has had complaints filed against it with the Federal Trade Commission and is being investigated by German authorities, while Facebook is the subject of letters of complaint and calls for federal inquiries stateside. High-profile users are canceling their Facebook accounts and others are pointing to CEO Mark Zuckerberg’s allegedly aggressive stance on the issue of personal privacy.

Could privacy be Facebook’s Waterloo? As I argued in a recent GigaOM Pro report (subscription required), the company has to start getting serious about privacy if it wants to continue the momentum that has gotten it to 500 million users and a private market value estimated at some $20 billion. One thing it needs to do, as Liz pointed out recently, is to speak clearly on the issue and make its policies and settings as understandable as possible. It’s easy to show that Facebook is still growing, and therefore come to the conclusion that users don’t care about privacy, but that would be a mistake. Once the snowball effect is underway, it can quickly become an avalanche, and by then it’s too late.


Post and thumbnail photos courtesy of Flickr user Max-B


25 Responses to “For Facebook, the Privacy Snowball Just Keeps on Rolling”

  1. I think it all comes down to trust. Facebook has decided to openly take a “privacy doesn’t matter” stand. Whether this is a good or bad idea can be debated. But once they took that position, it’s hard for them to claim it’s an “accident” when they share personal data (even if it is an accident!).

    Trust is important. Whether you’re online or off. And I think Facebook has done serious damage on that front.

  2. Armin

    This is predominantly Mark Zuckerberg’s fault. You basically have an inexperienced CEO running a huge company now. He is in way over his head. It was fine when it was a small company, but he has to step down (from the CEO position) and bring in an experienced vet to do damage control and get Facebook back on the right track.

    You have a 26 year old now, running a multi billion dollar company. I’m not saying it’s not possible, it’s just unwise. Google brought in Eric, Facebook now needs to bring in someone. Mark is stubborn, they need a babysitter for him.

  3. Zoe Fitz

    Thanks for the excellent, succinct post on this. On the bright side, Facebook’s unwillingness to deal with user concerns about privacy, and maintain user privacy settings, has inspired innovation in the creation of privacy tools. My favorite so far is (namely because it included privacy for my photos and runs without my asking it to). I know there are others, and that all of these applications will struggle to keep up with the sometimes daily changes Facebook makes, but it’s great to see growth in this space.

  4. Sarane

    FB has been struggling with this issue for too long. For me, it seems clear that FB never cared about my privacy. When they pretend to do, it is because we threaten to leave them.

    They may not be the only ones. But they are pushing and lobbying the hardest to make our information public.

    Private alternatives, like Diaspora and Hibe, are coming along. Let’s just hope they will learn from the FB experience.

  5. Ken Jackson

    I agree that this journalism seems like Facebook propaganda. This isn’t an isolated incident and it’s not a small mistake (certainly no 1 or 2). A one or a two is destroying their web logs after 9 months when they said 6 months. But what they did, even after being told they were doing it, is to send data that they claim they wouldn’t send.

    This is something that should have been caught during code review. And if Facebook is anything like other places I’ve worked, we scrutinize what data we put on the wire to externals. Literally every bit is looked at to determine if we’re leaking info or if data is sensitive and needs to be encrypted.

    All in all this just seems to be consistent with the practices we’ve heard from Facebook and the general attitude of their leader. It’s a very useful site, but they need to get their act together.

  6. Nice post.

    The worm has definitely turned IMO. What were previously regarded as the overreaches of a company pushing the boundaries are now regarded as something much more serious, a wanton disregard for privacy as a deliberate strategy that results not in benefit for users but enrichment of the company.

    Facebook (and Google) has a serious problem on their hands, the outcome of which could well define the future direction of the company much in the same way that the DoJ scrutiny of Microsoft resulted in a declawed Microsoft.

  7. As updated and expanded upon on various sites, the WSJ reported that it was not just the URL that was being passed. User IDs were being passed and in some cases both the username of someone clicking on an ad as well as the username of the person whose profile the ad was on. That is far beyond just passing a URL.

    And, to whatever extent it happened, usernames or user IDs should never be sent.

  8. I feel like I read more blogs that apologize for Facebook than report objectively on the issue. The fact of the matter is that Facebook’s user acquisition model is the same as that of a Trojan horse. All its messaging is designed to make you feel safe and comfortable sharing and adding your personal data, and all the while it’s doing everything it can to leverage it for profit. Fine, but we can at least criticize them for being dishonest. And to dismiss it as a simple engineering bug misses the point. For one thing, the WSJ says Facebook was aware of this since August and didn’t do anything until a major paper exposed it. Secondly, they have a huge and talented engineering team and they keep making asinine mistakes when it comes to user info. It shows that they just don’t care–no matter how much their PR team says otherwise.

    • Whether they knew about it and didn’t care is hard to say, but I think you are right that the company doesn’t seem to be paying as much attention to these kinds of things as it should, and that could be a real risk. Thanks for the comment.