How Privacy Limits Utility: Using Facebook as a Case Study

By Morris A. Singer

Over the past month, it has become popular for just about everyone to criticize Facebook for recent changes to its privacy policy and a series of new tools it released that allow content providers to use its user data on their own websites.

In April, Facebook took its well-known “like” feature across the entire Internet, allowing content providers from the most obscure blogs to news giants like CNN to correlate Facebook activity with the activities of their own readers.

Sample Facebook Social Plugin, The Fan Box Courtesy Ars Technica

It is understandable why many have reacted with fear. The system, which enrolled all Facebook users as a default, is responsible for the now-ubiquitous displays of Facebook fandom on sites all over the Internet. You have probably seen something similar to the example on the right.

Boxes like these are a product Facebook provides third-party content providers to help them accumulate fans. They are dressed in the look-and-feel of Facebook, and in some instances, present a chart showing which of your Facebook friends like particular content. What the fan product and a host of other related new products do, is bring information about Facebook users into the public web.

The Electronic Frontier Foundation has described it by saying: “The new connections features benefit Facebook and its business partners, with little benefit to you.”

On the other hand, the value to content providers is that the connection between proprietary content and Facebook’s social network allow for a variety of avenues for a richer user experience.

Martin Nisenholtz, the senior vice president for digital operations at the New York Times, put it this way: “When [Facebook CEO Mark] Zuckerberg says that ‘web experiences want to be social,’ he’s not just referring to social sites. He’s talking about the need for engagement across the web, including on publishing sites . … [I]t raises the question of whether Facebook’s incredible engagement metrics can now be applied to sites that, today, have implemented only a thin layer of interactivity into their products.” For the full speech, see PaidContent.org.

These viewpoints expose an increasing divide over privacy and utility in the information age. That is, the more useful an information product the more it impedes on one’s sense of privacy. This is especially so in the realm of social networking, where the information produced, correlated, or modified, is most often personally identifying information.

It is easy for the privacy advocates to forget about the utility of Facebook’s new products for everyone. Also easy is for the businesses that stand to gain from their use to forget that they are dealing with — and publicizing — sensitive details of their users’ identities.

To go a step further, as Facebook seeks to exploit the personally identifying information they have spent years gathering, the benefits of its products come at a price. And, conversely, efforts to enforce privacy rights do limit the ability of Facebook to provide useful information products. This article seeks to use Facebook as a case study to demonstrate this thesis. It will outline how privacy and utility are antithetical in the context of social networking products. It will also look at critiques of Facebook’s privacy practices from private parties, public interest groups, and governmental actors in the United States, Canada, and the European Union. Finally, it will examine Facebook’s new information products — the Social Plugins and the Open Graph — as well as the privacy policy amendments that were necessary to facilitate them.

The Antithesis

It seems a great portion of the entire world is upset with Facebook right now. Nevertheless, it is impossible to discount the facts that both a great portion of the world uses Facebook, and the businesses that clearly stand to gain from the lowering of privacy protections do so because they can use diminished privacy to better engage Facebook users.

If the products Facebook provides were not useful to the consumers who use Facebook’s services, the number of Facebook users would drop in proportion to the violative nature of a Facebook privacy protection rollback. Still, one must wonder why Facebook feels the need to roll-back its privacy protections through opt-out changes, rather than opt-in changes, and why Facebook feels the need to deceptively describe its privacy changes to trick users into accepting them.

It is clear to this author that the Social Plugins and the Open Graph are useful products for both content providers and Facebook users. Furthermore, it is understandable why privacy policies may require modification to comport with products Facebook never imagined writing when it implemented those policies.

Should Facebook be lying to consumers and tricking them into accepting attenuation of their privacy protections, however, it would also be clear that the social network no longer feels the utility of its products to Facebook users is apparent. Worse still, it is possible that Facebook believes that the drop in privacy protection outweighs the utility of its products to consumers, but not to the content providers who comprise a potentially significant revenue stream for the company. If that is the case, Facebook has become a pay service, and the currency is a user’s privacy.

The Fight for Privacy

Many are fighting against Facebook’s new information products and the rollback in its privacy policy corresponding with their release. In the fray are a class of litigants, a complainant before the Federal Trade Commission, U.S. Senators, U.S. Rep. Rick Boucher (D-Va.), private businesses, Canada, and the European Union. This is, by no means, a complete list of activity in the fight for privacy against Facebook. The list does, however, chronicle some of the most significant developments.

Class Action Lawsuits

On August 12, 2008, 20 plaintiffs filed a class action lawsuit against Facebook over its advertising service, Beacon. Beacon was part of a larger program called Facebook Ads. The Facebook Ads product had three components: branded pages, Beacon, and targeted advertising. They worked like this: With branded pages, advertisers could design pages with information, content, and custom applications. Facebook users could sign up as “fans” of that brand, install branded applications, and engage in other activity. All of this showed up in their profiles. A “Beacon” application connected to advertisers’ external homepage. When a user buys or sells something on the advertiser’s homepage, Facebook would provide this information as if the user wanted to share news of the sale on his Facebook profile. The targeted advertisements system allowed marketers to target their ads based on information inside Facebook profiles, such as relationship status. For a full article, see CNET. For the case, see Lane v. Facebook, Inc., No. 5:08-CV-03845 (N.D. Cal. Aug. 12, 2008). See also, Harris v. Blockbuster Inc., 622 F. Supp. 2d 396 (N.D. Tex. 2009).

Because users were not adequately educated about the changes in their privacy settings, some ended up in embarrassing situations. For example, one man bought his wife a diamond ring on Overstock.com, only to have her discover it via Facebook before he could share the surprise in a romantic way. In September 2009, Facebook settled the suit. This was not the end of legal trouble for Facebook, however, which now faces a second class action lawsuit. The second suit was filed in February 2010, with five plaintiffs alleging that Facebook misrepresented its then-recent privacy policy changes as further protecting user privacy, when, in fact, the changes had the opposite effect. For a full critique on the changes in the privacy settings, see the Electronic Frontier Foundation. The suit was filed in the U.S. District Court for the Northern District of California.

Complaint Before the Federal Trade Commission

On December 17, 2009, the Electronic Privacy Information Center filed a complaint before the United States Federal Trade Commission alleging unfair and deceptive practices that mislead consumers into lowering protections on the privacy of information they shared on Facebook. The complaint was joined by the American Library Association, the Center for Digital Democracy, the Consumer Federation of America, Patient Privacy Rights, Privacy Activism, the Privacy Rights Now Coalition, the Privacy Rights Clearinghouse, and the U.S. Bill of Rights Foundation. The complaint is replete with information damning to Facebook, including screenshots of older versions of Facebook’s privacy settings interface that show how it was more protective of privacy in the past.

Additional gems from the complaint include:

• Reports that Facebook’s Zuckerberg reverted his own personal Facebook profile to older privacy settings after he discovered that his company’s new privacy policy exposed his personal photographs to the public.
• Barry Schnitt, Facebook’s director of corporate communications and public policy, urging users to “lie about their hometown” to protect their privacy, even though it is a violation of Facebook’s Terms of Service to do so.
• Persian-Americans who were critical of Iran on Facebook found themselves or their relatives remaining in Iran at risk.
• An MIT study showing accuracy in predicting the sexual orientation of Facebook users based on now-public friend lists.

For the complete complaint, see Scribd.com.

Discontent of Sens. Al Franken, Charles Schumer, Michael Bennet and Mark Begich

On April 27, 2010, U.S. Sens. Al Franken, Charles Schumer, Michael Bennet, and Mark Begich wrote a letter to Facebook, urging the social networking company to change their privacy settings modifications from opt-out to opt-in. In a statement accompanying the letter, Sen. Schumer said:

Millions of New Yorkers use social networking sites like Facebook, Myspace, and Twitter every day with an expectation that their private information is shared only with those they choose to connect with . . . . [I]t’s vitally important that safeguards are in place that provide users with control over their personal information to ensure they don’t receive unwanted solicitations and other nuisances, and that they are not automatically gathered into online groups without their consent.

Schumer said that the default policy should be one of privacy. For full information, and the full text of the letter, see Senator Schumer’s website.  For news coverage, see Ars Technica.

Rep. Boucher’s Privacy Legislation

Rep. Rick Boucher responded to a very specific modification of Facebook’s privacy policy with proposed legislation. As part of the rollout of the Social Plugins, Facebook eliminated a prior privacy protection requiring third-party sites to delete personally identifying information after 24 hours. Boucher proposed legislation that would require a finite length of time for retention of the data.

Groups on both sides of the privacy debate were less than thrilled with the proposals, however. Conservative groups thought the measures went too far. Privacy groups thought there were too many loopholes. For news coverage, see Wired.com  For a press release, and a link to a copy of the draft bill, see Boucher’s website.

Private Business Rationale

Some private businesses see a downside to letting Facebook be the one to control data about their consumer base. Ty Ahmad-Taylor, founder and CEO of FanFeedr, a real-time personalized sports feed, found three downsides:

1. Because only a subset of Facebook users allow third-party sites to contact them directly, allowing Facebook to be in control means only being able to have a direct relationship with a subset of subscribed consumers.
2. Integration between Facebook and an existing proprietary system can cause confusion for users.
3. Leaving control to Facebook means that the third-party site will subject its service to the code changes and server failures of Facebook.

For the complete story, see PaidContent.org.

Canada

On July 16, 2009, Elizabeth Denham, the assistant privacy commissioner of Canada, issued a 113-page report of her findings into the complaint filed by the Canadian Internet Policy and Public Interest Clinic. The complaint alleged violations of Canada’s Personal Information Protection and Electronic Documents Act.

The complaint consisted of 24 allegations on the issues of default privacy settings, collection and use of users’ personal information for advertising purposes, disclosure of users’ personal information to third-party application developers, and collection and use of non-users’ personal information. Although the report found many of these allegations to be either not well founded or resolved, there were four allegations the Assistant Commissioner found to be well-founded and unresolved: In these four cases, there remain unresolved issues where Facebook has not yet agreed to adopt her recommendations. Most notably, regarding third-party applications, the assistant commissioner determined that Facebook did not have adequate safeguards in place to prevent unauthorized access by application developers to users’ personal information, and furthermore was not doing enough to ensure that meaningful consent was obtained from individuals for the disclosure of their personal information to application developers. For the complete report, including an executive summary, see the report itself (.pdf).

European Union Letter

On May, 12, 2010, the European Union wrote a letter to Facebook regarding its disdain for the social network’s new privacy policy.  The letter came from a group called the Article 29 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data. The Working Party is an independent advisory body on data protection and privacy established under E.C. Directive 95/46/EC. For a full explanation of the Working Party’s tasks, see the following two European Commission sources: Directive 95/46/EC, art. 29 and Directive 2002/58/EC, art. 15. For more information on the letter itself, see the Financial Times, and a press release from the Working Party.

The Facebook Social Plugins and the Open Graph

Facebook has two different collections of information products. One is the Social Plugins, and the other is the Open Graph.  Notwithstanding whatever Facebook may say, the former of these helps spread Facebook’s presence across the web, and the latter works to bring the rest of the web into the folds of Facebook.

The Social Plugins: Spreading Facebook  Across the Web

In 2009, Facebook introduced a new feature that allowed its users to show their approval for content posted by other users. This feature took the form of a link at the bottom of every post, appropriately labeled “like.” When a user clicked the “like” link under a post, others looking at that post could see his approval. The “like” feature was a success. Users could easily show their approval without writing a full comment. It was a quick way to interact with another user over a post. On April 21, Facebook announced it was going to take the “like” feature across the rest of the Internet, far beyond postings on Facebook. A third-party content provider can now install a Facebook “like” product onto any of its pages. When a user clicks a like button, the action shows up in the user’s newsfeed.

On the technical side, the first click of a “like” link on a page of third-party content triggers Facebook to automatically create a new Facebook page corresponding to the “liked” content on the third-party site. Through this mechanism, Facebook can keep track of all of its users who “like” the content. Facebook has a commenting product that works through a similar mechanism. The content provider can install a Facebook comment box on any of its content. When a Facebook user writes a comment on content on a third-party site, it shows up in the comment product, as well as in the user’s Facebook profile. The technical administration works the same way the “like” button does. The first person to comment triggers Facebook to automatically create a new Facebook page corresponding to the commented content on the third-party site. The comment product, the “like” product, and the fan product are just three of a collection of new Facebook products for integration into third-party sites. The collection is called the Facebook Social Plugins. To see a complete list of Facebook Social Plugins, see the Facebook Social Plugins website. As a general matter, the Facebook Social Plugins allow users to engage in the kind of social activity they are accustomed to from Facebook, anywhere on the web.

The Open Graph: Bringing the Web into the Folds of Facebook

The Open Graph covers the opposite direction. That is, it works to map content on the Internet in terms of relationships that Facebook can understand. Facebook has defined a set of tags that third-parties can add to their content that define the relationship between their sites and other sites. On the technical side, Facebook has done this by providing a place on the Internet dedicated to storing the schema for defining these relationships. The schema is known as an XML Namespace (XMLNS). The basic Open Graph tags are “title,” “type,” “image,” “url,” “description,” and “site_name.”  They represent the following data:

• Title The title of an object as it should appear within the graph, e.g., “How Privacy Limits Utility: Using Facebook as a Case Study”
• Type The type of your object, e.g., “blog post”
• Image An image URL which should represent your object within the graph
• URL The canonical URL of your object that will be used as its permanent ID in the graph, e.g., ”http://lawandcontent.com/2010/05/19/how-privacy-limits-utility-using-facebook-as-a-case-study“
• Description A one to two sentence description of your object
• Site_name If your object is part of a larger website, the name which should be displayed for the overall site. e.g., “LawAndContent.com”

There are other tags that can be expressed through the Open Graph protocol. For a complete explanation and list of tags, see the Open Graph homepage. These tags help machines to understand the kind of content on the Internet and its relationship to other content. For example, Facebook can understand when a user “likes” a “blog” as opposed to a “movie” or a “sports_team.”  It can treat different “likes” differently. Other services can also use Open Graph to understand content on the Internet. Presently, very few products use Open Graph, other than to describe their own content. Many possibilities exist for its implementation, however. To this author, search engine indexing and other content curation implementations come to mind. What all of these potential ideas have in common is that they would use the Open Graph to organize content, making it more accessible for interested users to interact with.

Morris is a third-year Suffolk University Law School student and publisher of the blog, LawAndContent.com.