While the ACLU of Northern California and Facebook both agree that location information is very sensitive, we disagree that Places gives users adequate control of how and when to share this information. (Next time I visit my hometown, I’d like to be able to hang out with some of the Facebook crew at the Nut House without being asked again and again and again if I want that shared with everyone nearby!).
We understand and appreciate the various privacy protections and options that are currently available to Places users. But there were some straightforward steps that we highlighted to Facebook that they could have taken to improve the privacy features before launch. Not having these common sense privacy protections has unfortunately overshadowed some of the safeguards that the Places team worked so hard to build into the product.
The ACLU of Northern California’s original blog post and our resource page note several good privacy protections in Places:
- Limiting the default visibility of check-ins on your feed to “Friends Only.”
- Allowing you to customize your check-in privacy.
- Providing notice to you each time you are checked in by a friend.
We even said that we were “happy to see Facebook take steps to protect this information and keep it under your control.” However, we have a responsibility to thoroughly analyze the privacy implications of new products and these were our initial concerns:
- “No” is not an easy option when asked whether your friends can check you in.
If your friend tries to check-in for you, you have two choices: “Allow Check-Ins” and “Not Now.” Until you hit “Allow Check-Ins,” you cannot be checked into a Place by a friend. But you are not given an option, like “No” or “Don’t Allow,” that would opt you out of Places. Instead, all you can do immediately is hit “Not Now,” which just means “ask me again later.”
In addition, if you use Places yourself, you are simply told that you are allowing friends to check-in for you by using the service; you are not informed that you have the option of using Places yourself without allowing friends to check-in for you.
Yes, you can disallow check-ins permanently using your privacy settings — but Facebook doesn’t make that clear to new Places users.
We hope that Facebook will take the steps to easily remedy this by (a) providing a clear “Don’t Allow Check-Ins” option when your friend first checks-in for you and (b) providing this same notice even if you already use Places yourself.
- If you want to use “Here Now” you can’t limit your visibility to only friends (unless you are a minor) and “Here Now” is turned on by default if you have previously selected that “Everyone” can see some of your Facebook information.
Facebook says to protect your privacy, just turn off “Here Now” off and set your Check-In privacy setting so the right people can find you. However, this defeats the purpose of Here Now: to make it easy for your friends to know if you’re around just by looking at the Here Now list. You should be able to use Here Now and decide exactly who can easily find you. (Facebook does something like this for minors: they can turn on Here Now but only their friends can see them. So Facebook also seems to think that Here Now is valuable even if you’re not sharing it with everyone!)
Facebook already has a setting to turn Here Now on and off. It should go a step further and turn this into a fully-configurable option so users can choose who can see that they are Here Now, and by making sure that users who share very limited information with “Everyone” are not defaulted into sharing their real location more broadly than they would like.
- Apps that you or your friends run can view your Places information by default — you need to go into your privacy settings and opt out if you don't want to share location data with apps.
Facebook does offer a setting to disable Places data sharing with your friends’ apps. However, you are not clearly informed of the fact that your check-ins may be shared with your friends apps. In addition, as we understand it, this setting will be turned on by default if you have kept any of those settings checked to allow sharing on that page. So, if you changed your settings to allow your friends’ apps to see your birthday but absolutely no other voluntary data, you will now share your most recent Places check-in with these apps until you go in and change these settings again.
Users should be clearly informed that, by joining Places, they most likely are also giving their friends’ apps access to their Places information. Users should also be given direct access to the control that allows them to choose whether or not to do so when they first join.
Having “no” as an easy option for friend check-ins, having visibility options for Here Now and not setting these to “Everyone” by default, and not silently giving apps default access to Places location information would have made this product a lot more privacy-friendly and help live up to Facebook’s principle of putting users in control of their information. We hope Facebook will take the simple steps outlined above to make sure that Places protect privacy. (And Facebook crew, if you want to chat more about it at the Nut House, the first round is on me.)
NOTE: With all of the news about location-based services this week, we will be analyzing the privacy safeguards for multiple companies very soon. We will also publish a white paper on location-based services in the weeks ahead to help users understand how to best safeguard their privacy. Stay tuned!