(Originally posted on the ACLU of Northern California's Bytes and Pieces blog.)
Today, Facebook released proposed changes to its privacy policy and its Statement of Rights and Responsibilities. Facebook's newest changes seem to be designed to encourage users to share more information with applications and sites that they visit and use, which fits in with the string of other changes that have been happening on Facebook and with Mark Zuckerberg’s world view on changing social norms.
There are some definite positives in these changes, including one we have called for before: greater control over the user's profile page, allowing the user to decide whether her friends list, fan pages, and everything but her name and profile picture are available on her own profile. The new privacy policy also provides clearer descriptions of some of the ways information is shared on the service, including a much better description of the information that applications and pages can see about you (including what happens when one of your friends runs the app or visits the page).
Unfortunately, this last change also highlights the “app gap” issue that we have written about many times, and the proposed changes would actually make that worse by allowing third party pages and applications to use and store more information without increasing users' ability to control or opt out of such access. Facebook needs to hear your voice demanding that it keep user privacy and control at the core of its service. Please visit Facebook's site governance page or sign our petition and tell Facebook to give you full control over your personal information! And don't forget to join our new privacy campaign, Demand Your dotRights!
Today's Changes Highlight the "App Gap"
Under Facebook’s current policies, your data, including sensitive information such as your relationship status and photos you post, can be accessed not only by any application you run but also by any application or quiz that one of your friends runs. You can limit the information that applications and pages visited by your friends can see about you (for instructions, see our resource page), but you cannot prevent these applications from seeing “publicly available information” including your name, gender, and your friends list. That means that a lot of personal information about you can flow to third parties even if you never run an application.
Facebook’s current privacy policy does place some limits on how applications and websites could use the personal information they collected from you, however. It only allowed applications and partner web sites to “use the data you receive for your application, and . . . only use it in connection with Facebook.” Further, they were required to “delete all data [they] received from [Facebook] relating to any user who deauthorizes, disconnects, or otherwise disassociates from [their] application unless otherwise permitted in our Developer Principles and Policies.”
Unfortunately, both of these requirements have been eliminated in the proposed new Statement of Rights and Responsibilities. Instead, Facebook Platform applications and Facebook Connect web sites are now allowed to store data they gather from the Facebook users they interact with and use that data for their own purposes (though when they access information about that user's friends, they are only allowed to use this "friend data" in connection with the current user). The new policy does bar developers from transferring data to ad networks or data brokers and requires them to delete user data if specifically asked to do so by a user. However, it places the burden on the user to track or determine which sites and applications might store information about them rather than being certain that any application they stop using must delete their information.
Furthermore, Facebook appears to be defining a new category of personal information called “Connections.” This includes your connections to your friends (ie: your friends list) but also your links to “family members, the city you live in, and restaurants and bands you like.” It is not clear whether this new category includes things like events, groups, and other ways that Facebook users interact with each other, but it potentially could encompass almost anything that involves linking with another Facebook user, page, or application. And while the new privacy policy allows you to “hide” connections on your own profile page, it explicitly states that these connections will always be available to any application or page that you OR YOUR FRIENDS use (with the single exception that your friends' applications cannot access your friends list).
Finally, Facebook has added a new category of partner sites, called "Facebook-Enhanced" sites, that can access your connections and other general information even before you allow them to do so. Facebook has yet to unveil its full plan for these sites, but they could present another threat to privacy.
This means that, if these changes go into effect, you will be able to hide your connections from your friends but not from applications that your friends run or Facebook-enabled sites they visit! Your gender, your fan pages, and maybe even your groups and events will be available to any application your friends choose to use, and you will have no ability to control that (unless you want to have no friends at all, we suppose). Does that make sense to you?
Tell Facebook: More Sharing? Then More Control!
It doesn't to us. If Facebook wants to give Connect sites and Platform applications more freedom to collect and use information, it needs to ensure that user privacy is not left behind. In particular, Facebook needs to make sure that users have the ability to fully opt out of sharing information with applications and sites. This includes providing stronger default privacy settings and giving users the ability to prevent applications from accessing their own information instead of being forced to rely on their friends to make choices for them.
So please speak up and tell Facebook what you want! Visit Faceook's site governance page and tell them to allow you to control your own personal information, including preventing applications from seeing your “connections” and other data. And please sign our petition and push Facebook to protect your privacy as it continues to evolve!
Demand a privacy upgrade! Demand Your dotRights!