Facebook Privacy Controls Change & EPIC’s FTC Complaint

by on December 17, 2009 · 19 comments

In case you live under a digital rock (whaddyamean, you don’t check TechMeme hourly?), you have probably heard that EPIC filed a complaint with the Federal Trade Commission Thursday, alleging that Facebook’s revised privacy settings (and their implementation) constitute “unfair and deceptive trade practices” punishable under the FTC’s Section 5 statutory consumer protection authority.  Specifically, EPIC demands, in addition to “whatever other relief the Commission finds necessary and appropriate,” that the FTC “compel Facebook to restore its previous privacy settings allowing users to:”

  1. “choose whether to publicly disclose personal information, including name, current city, and friends” and
  2. “fully opt out of revealing information to third-party developers”

In addition, EPIC wants the FTC to “Compel Facebook to make its data collection practices clearer and more comprehensible and to give Facebook users meaningful control over personal information provided by Facebook to advertisers and developers.”

I’ll have more to say about this very complicated issue in the days to come, but I wanted to share, and elaborate on, two press hits I got on this issue today. First, in the PC World story, I noted that “we’re already seeing the marketplace pressures that Facebook faces move us toward a better balance between the benefits of sharing and granular control” and expressed my concern “about the idea that the government would be in the driver’s seat about these issues.”  In particular, Facebook has made it easier for users to turn off the setting that includes their friends among their “publicly available information” that can be accessed on their profile by non-friends (unless the user opts to make their profile inaccessible through Facebook search and outside search engines).

In other words, this is an evolving process and Facebook faces enormous pressure to strike the right balance between openness/sharing and closedness/privacy.  While Facebook’s critics assume that it is simply placing its owyou and I saw an article that is as oldyou you as it isn financial interests above the interests of its users, the reality is more complicated: Facebook’s greatest asset lies not in the sheer number of its users and not just in the information they share, but in the total degree of engagement in the site. The more time users spend on the site, the better, because Facebook is rewarded by advertisers for attracting and keeping the attention of users.

Reputational Incentives

The best part of EPIC’s complaint is the seven (of 29) pages spent providing examples to prove that “Facebook Users Oppose the Changes to the Privacy Settings.”  Thanks, EPIC, for proving my point: users are not helpless sheep; they are actually capable of packing their bags and walking if they don’t like the deal they’re being offered.  We can have a legitimate and fair conversation about whether that deal is being offered clearly enough; the FTC certainly does have a role to play there in avoiding truly unfair and deceptive offerings and changes.  But if you really don’t like Facebook that much, no one is forcing you to stay.   The complaint quotes approvingly from an editorial in the Boston Globe: “Over time, privacy changes can only alienate users.”  (Ah, now I see… EPIC simply wants the FTC to make Facebook to what’s really in its own best interests, because Facebook is no more capable of recognizing this subtle point of business strategy than most users can recognize just how dangerous it is to share more information than EPIC thinks they should.  If users really want to be “protected” so badly, perhaps EPIC should get out of the advocacy business and start a social network of their own. “PrivateBook” has a nice ring to it: the site where nobody can friend or message you and information is locked down tighter than the Green Zone.  That sure sounds like a fun and useful site!  I can’t imagine why no one has tried it.)

But Facebook has to fear not just driving away some users who will actually shut down their profiles and switch to the dozens of other social networking tools out there, but, more importantly, the possibility that many more users will simply be discouraged from using the site as actively as they might have. The very “chilling effects” that so concern Facebook’s critics are also a serious problem for Facebook in the aggregate: Every minute a user doesn’t spend on the site because of privacy worries, whether specific and articulated or vague and generalized, is simply lost revenue for Facebook.

the Globe argues, “Facebook should be helping its 350 million
members keep more of their information private.”

Worse, Facebook knows that time users spend on its site is only as valuable as Facebook’s advertising inventory.  The best way to drive down its ad prices is to make advertisers wary of associating their brand with Facebook’s.  So Facebook needs to make not just users users feel comfortable, but also advertisers.  Bad headlines mean bad ad prices mean bad stock prices.  Compende?

Moreover, Facebook must know that, just as it grew from a dorm room project into a rival for the likes of Google—another outgrowth of a dorm room project—the next Facebook-killer, like “The Truth…” in X-Files, is “…Out There.”  Perhaps it’s Twitter, perhaps it’s some array of Google products, or perhaps it’s some service we haven’t yet even conceived of.  But Facebook knows that if it doesn’t keep up with the growing trend towards information-sharing, it will eventually “jump the shark” and go the way of Friendster, the AOL walled garden, BBSs, etc.

Granularity of Privacy Controls

So, while “privacy advocacy” groups like EPIC have an important role to play in helping to focus and articulate the concerns of privacy-sensitive users, it’s not obvious that calling the government in to call the shots is the best way to produce privacy controls that empower privacy-sensitive users within the context of an increasingly open system.  In general, that means building more granular controls over privacy.  Facebook has done a great job of that with the publishing controls, which allow users to decide who can see every post a user makes or photo user shares.  But EPIC’s 9,000+ word complaint doesn’t even mention this radical increase in the granularity of control given to users over each new piece of information they publish.

Instead, EPIC—you know, the folks who’ve tried repeatedly to shut down Gmail and Google docs because they just can’t stand certain kinds of data sharing—focuses on three issues:

  1. The fact that some information (name, profile picture, gender, current city, networks, friend list, and Pages) is included in the “publicly available information” accessible by anyone—unless, again, the user chooses to make their profile and accessible through search engines or not to list their  friends.
  2. The sharing of user information through third party applications.
  3. The fact that, although Facebook presents each user with a truly “unmissable notice” about the new privacy policies and requires them to view their new settings, the “recommended” (defaults) settings are to share most information with “everyone.”

On the first point, I can understand that some users might legitimately worry about having their Pages made publicly available if there pages include potentially controversial subjects. So yes, I’d personally like to have the ability to opt out of having certain pages listed on my profile.  Why didn’t Facebook give me this granular control (instead of the cruder control of simply de- indexing my profile)?  Perhaps it’s because groups like EPIC usually criticize privacy interfaces that give users lots of granular controls as “too hard,” “too complex” and “unusable.”  As Adam Thierer recently noted in FCC comments on the subject of parental controls as a “less restrictive” alternatives to government regulation of content deemed inappropriate for children:

There is a trade‐off between complexity and convenience…: Some critics argue parental control tools need to be more sophisticated; others claim parents can’t understand the ones already at their disposal. But there is no magical “Goldilocks” formula for getting it “just right.” There will always be a trade‐off between sophistication and simplicity; between intricacy and ease‐of‐use.

“Damned if you do, damned if you don’t,” it seems.  My point here is not to excuse Facebook for falling short of the sort of radical user empowerment I would like to see, but to point out that “privacy advocates” have unintentionally created some disincentives to build more granular systems of control.  Or perhaps it’s not unintentional:  If you really think information sharing is dangerous and that it’s just too hard for “average” users to make decisions about this, increased granularity only worsens the problem of getting users to make the “right” choices according to the personal preferences of the folks at EPIC, which they want to impose on everyone else—at least by setting a restrictive default (“opt-in”).  As I noted in the eWeek story:

[Facebook is] trying to encourage users to share more information…  Unlike EPIC I don’t think that’s a bad thing, as long as they do it correctly.  If EPIC had their way, they would impose on everybody this mandate that ‘Thou shall not share unless … you’ve checked this box and you’ve gone through all these careful setting changes… I just think that’s unwarranted because most users aren’t that concerned about sharing this information, and [for] those that are, this solution is [a way] to empower them.

One critical clarification: What I actually said here (or meant to say) was not that “this solution” (the specific controls offered by Facebook in its latest iteration of its evolving privacy settings) is necessarily the best way to empower users, but that the general approach here should be to focus on user empowerment, rather than setting restrictive defaults—which is what EPIC really seems to want.  Note, in particular, the subtle but important difference in the two demands I listed quoted from their complaint at the top of this piece.  EPIC is demanding a comprehensive “opt-out” from the sharing of personal information with applications, but that users “choose whether to publicly disclose personal information, including name, current city, and friends”—in other words, although EPIC is politically savvy enough not to use the term, at opt-in.

While I would certainly like to see Facebook implement more granular controls for sharing of information with applications (a very thorny issue because  so many applications rely on the sharing of data to be useful to users—about which I’ll have more to say in the future), I just don’t see what the big deal is about sharing such generic information.  For certain categories of information that is unlikely to be sensitive to many users, it’s okay by me for Facebook to say:

Look, here is the basic bundle of information that we are going to make available about users in order to make basic profiles a useful and consistent feature across the site, such as for identifying new friends or being able to distinguish to people with similar names from each other before you message or friend them.  If you don’t like this, you can choose not to make your profile available through search.  And if that’s not good enough for you, maybe you shouldn’t use our service.

For certain information, like pages and friends, more granular control may well be merited. But Facebook is already moving in that direction for the reputational and other market reasons discussed above.  For other information, like name, current city and photo, what’s the big deal?  I’m all in favor of empowering users to choose for themselves, because privacy is a profoundly subjective thing, but… name?  Really?  And what’s the harm that requires government to start designing user interfaces?  EPIC may claim that they are asking for nothing more than that Facebook revert back to the old privacy policies, but of course that  just  means that Facebook will have to play “Mother, may I?” if they are sent back to the drawing board and have to figure out how to update their privacy settings in an ever-changing world.

That’s the best way to subtly convert Facebook into what is essentially a “public utility,” subject to ongoing regulatory review under formal consent decree or simply because EPIC and its allies are constantly hanging the regulatory “Sword of Damocles” over Facebook’s head. Sounds like a sure-fire remedy for innovation to me!  Maybe Facebook could dispense with this whole “anti-privacy” “advertising” business model and just start (along with PrivateBook, no doubt) filing tariffs for taxpayer subsidies or fixed subscription rates with whatever government agency is going to be responsible for funding all media under an expanded version of the “public option” concept being kicked around for traditional media by the radical Digital Left.

  • bradencox

    EPIC, CDD, CFA and their ilk deserve to lose credibility with this complaint. They are rapidly becoming the PETA's of the privacy world, pulling publicity stunts (though FTC complaints aren't as whacko as saying that forcing kids to eat meat is akin to child abuse!) but lacking real substance and evidence of harm. This complaint is just another vehicle for these groups to rehash tired lines of rhetoric.

    What Facebook did was the gold standard of consumer choice and control, yet they are still lambasted. Users were prompted to revisit their privacy settings. Facebook made some recommended changes based on where it sees its service going. Users (like me) could change these if they wanted.

    Forcing Facebook or any other online site to maintain original settings into perpetuity is information lock-in and an innovation killer. These sites will experiment with how users publish and share information. If they go too far, their customers will leave–which is the best check on privacy compared to any law or regulation.

  • Larry

    It all comes down to the roll of the dice of what the users ultimately decide what is in their best interest in this matter. Many experts seem out of touch with many user's true comprehension of all this. I know from seeing many friends and family members unable to fathom it might not be just their name public of any concern, its the ability to harvest other information and piece together more intelligence on a persons profile then what appears simply on the surface. There are future exposures like Google Goggle and facial recognition that could make it possible for any weirdo on the street with a cell phone camera to track you down via Facebook via the info public there. Technology people are proficient enough to know what to cover. Are the grandmothers on Facebook able to? One person's ignorance of the protections can bleed over to others exposures. I just think if Facebook had absolute certainty that users really wanted to share information publicly, they would simply give ALL control. The fact that they eliminated the total privacy control makes me believe they don't really think, most people want the exposure Facebook wants them to have. I don't think it is really an option for a high school kid to not be on Facebook at this point. Are their parents that are not on Facebook aware of the potential ramifications in college or job applications in the future due to a tagged photo someone else posted of a stupid night?

  • http://www.timothyblee.com/ Tim Lee


    When I signed up for Facebook, they made certain representations to me about what information would be shared, and what level of control I would have over that information. Then Facebook decided to unilaterally disclose some of the information it had previously indicated would be private, without my consent. So I'm not actually “capable of packing my bags and walking if I don’t like the deal I'm being offered.” My private information has been disclosed without my consent. It may have been spidered by third parties before I realized what had happened.

    Personally, I agree with you that the information being disclosed by default (friend networks, interests) is relatively innocuous. But the point is that it's not up to either you or Facebook to decide which information is sensitive–that decision belongs to individual users. And there are some users with very real concerns. People with relatives in Iran, say. Or women with abuses exes who might use the revealed friends' graph to track them down. Or gay people who haven't come out to their families or co-workers, but whose website selections might out them.

    This isn't an issue of government micro-managing Facebook. It's about government ensuring that Facebook tells the truth and keeps its promises to users. Seems pretty libertarian to me.

  • Ryan Radia

    Tim, if Facebook violated its privacy policy (btw, is it even clear that it did?) then you're absolutely right that government has a role to play. But surely you'd agree that EPIC et al go too far in calling for government to force Facebook to give users more granular privacy controls? Going forward, Facebook has made it clear that your name, location, friends lists, etc. are public, and I see nothing wrong with that (except of course to the extent that Facebook may have violated existing users' privacy settings).


    Okay Braden, if that is your name, before I get really angry with you and turn into the Hulk, I would ask you to join this group on Facebook “Facebook users unite for a user-friendly Fb” and see what EVERYBODY IS COMPLAINING ABOUT! You seem to have a REAL NARROW MIND about all these privacy concerns that everyone is talking about. And after you see what all the users beef is against the new changes and if you still think that EPIC and all the others are still wrong, then you my friend are even dumber then you look.

  • http://www.timothyblee.com/ Tim Lee

    I'm not sure where you see them demanding more granular privacy controls. EPIC is advocating:

    (1) Restoring the option for users to opt out of public sharing of data,

    (2) Making its data collection practices clearer and more comprehensible, and

    (3) Give users “meaningful control” over the sharing of personal information.

    These seem like pretty mild remedies for the harm Facebook has already done. And they don't say anything about how granular the controls are–the issue is whether users have control over how their information is shared.

    Now, if going forward Facebook wants to give users opt-in opportunities to make more information public, that's great. Likewise, it's fine if they want to require new users to make information public as a condition of using Facebook. But it's not acceptable for Facebook to disclose existing users' private information without permission.

  • Ryan Radia

    It's 2) and 3) that are problematic. EPIC is using this alleged transgression as an excuse to force Facebook to significantly overhaul its privacy capabilities. It seems that in EPIC's view, it is fundamentally wrong for online services to allow users to post sensitive info without also allowing them to decide precisely how and when that info gets disclosed or used. This level of granularity might be nice, and some users would certainly appreciate it, but it's not something that government should dictate, right? If you're not comfortable with the fact that Facebook uses your sensitive data to generate ads (without actually passing along your sensitive data to advertisers) then don't put up sensitive data in the first place. Facebook is a free service and putting sensitive data on it entails certain compromises. As long as users know (or can easily find out) what those compromises are, there's no problem.

    We're totally in agreement that if Facebook engaged in fraud or deceptive practices, it deserves to be punished. Perhaps it would be reasonable to require Facebook to revert to its prior privacy policy, or to compensate users whose friends' lists were made public without their permission. But I don't see any justification for the FTC to require Facebook to completely overhaul its privacy policies simply because some privacy-sensitive users want a free lunch, so to speak.

  • http://www.timothyblee.com/ Tim Lee

    But I don't see any justification for the FTC to require Facebook to completely overhaul its privacy policies.

    And I don't see anything in EPIC's request demanding that they do so. Making privacy policies “clearer and more comprehensible” may just mean re-drafting the privacy policy to make sure that it's written in plain English and is consistent with Facebook's existing practices. And “meaningful control” doesn't imply an increase in granularity. Right now Facebook doesn't give me any way, granular or otherwise, to suppress my picture or my friend graph.

    Am I going to endorse everything EPIC would like the FTC to do to Facebook? Probably not. But I think it's important for libertarians to acknowledge the rare case when the privacy zealots actually have a good point. To defend what Facebook has done here as (for example) “the gold standard of consumer choice and control” is ridiculous. It's fine to nitpick about the details of EPIC's proposals, but I would have like to see a TLF post acknowledging the obvious: that Facebook screwed up and needs to make amends, and that this is precisely the kind of case that government should get involved in: fraud and contract enforcement.

  • Jim Harper

    There used to be a guy named Tim Lee who wrote on this blog. He would have said exactly that. What happened to that guy?

  • smithjame

    I dont really see any security issues with the
    face book, because it depends on us whether
    we are disclosing our personal details.
    cheap pets for sale

  • http://techliberation.com/2009/12/17/facebook-privacy-controls-change-epics-ftc-c setan


  • http://www.facebook.com/people/Ratu-Ani/100000329611331 Ratu Ani


  • http://www.facebook.com/people/Ratu-Ani/100000329611331 Ratu Ani
  • http://techliberation.com/2009/12/17/facebook-privacy-controls-change-epics-ftc-c setan


  • http://www.facebook.com/people/Ratu-Ani/100000329611331 Ratu Ani


  • http://www.facebook.com/people/Ratu-Ani/100000329611331 Ratu Ani
  • rashmi23w

    It's stubbornness over its privacy policy might turn out to be Facebook's undoing

  • http://www.AdvancedRaidRecovery.co.uk Raid recovery

    It's stubbornness over its privacy policy might turn out to be Facebook's undoing

  • Pingback: Center for Financial Privacy and Human Rights » Facebook Privacy Debate()

Previous post:

Next post: