Whenever Facebook introduces new services, especially those that expand into other parts of the Web, it doesn't take long before privacy advocates and users start complaining about the changes. This time, however, Senators Michael Bennet (D-Colo.), Mark Begich (D-Alaska), Al Franken (D-Minn.), and Charles Schumer (D-N.Y.) have joined the fray.
The thing is, Facebook has been relatively responsive to user concerns in the past, and could regain user trust if it would just change some of its behaviors. Here are five things that I think Facebook needs to do out right away.
Opt-out, not opt- in
The four senators were right to criticize Facebook over its opt-out process for the social network's Instant Personalization feature. The opt-out process is not as clear as it should be. It takes several clicks to find the opt-out check box for Instant Personalization; it's practically buried within the user's privacy settings, and Facebook did not provide a clear and unambiguous path to get to the setting when it recently started the program. Not to mention the fact that even if you opt-out for yourself, Instant Personalization sites can still obtain your information through interaction with your Facebook friends.
This is not a Facebook-specific problem, though, as many online services have this preference for opt-out instead of opt-in features. Google, for example, ran into a lot of trouble over Buzz, the search giant's Gmail-based social tool, because of its opt-out approach.
Be upfront about changes or rewrites
Stop being vague
"Connections. Facebook enables you to connect with virtually anyone or anything you want, from your friends and family to the city you live in to the restaurants you like to visit to the bands and movies you love. Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection."
It takes a close reading of this paragraph, as well as reading parts of Section 2 of the revised policy, to understand that connections means, at a minimum, your friends, likes, and interests. But your connections may also mean current city, hometown, family, relationships, networks, activities, interests, and places. It's also unclear about how, exactly, your connections are made public and to whom. You have to read several sections later to understand that your connections are made by public to third-parties by default.
Facebook should state specifically what they consider to be your profile connections, and they should also be unambiguous in section 3 about the fact that connections are made public by default.
Let me control information access
Facebook users interacting with a third-party Web site or application need to have more control over what information those third parties can get from their profiles. I'm not convinced, for example, that many sites really need access to things I've publicly posted to my Wall or even my friends list. I can understand wanting to know my name and gender for demographic purposes, but it would be better if I could decide on a case-by-case basis, which parts of my public profile the site would get to see.
In fact, this is one of the fixes recommended to Facebook last summer by the Office of the Privacy Commissioner of Canada. In response, Facebook said it would "introduce a new permissions model that will require applications to specify the categories of information they wish to access and obtain express consent from the user before any data is shared ." At the time, Facebook said it would implement policy changes recommended by Canada's privacy watchdog by the end of August 2010. So the network has a few months yet to introduce its new approach to third-party access to user information.
Bring back the 24-hour user data storage policy
Facebook has made it very clear that the decision to allow third-party Web sites and applications to store Facebook user data indefinitely does not alter a user's privacy rights. Third parties you interact with are still forbidden to sell your Facebook data or do much more than use it in relation to Facebook. But it does make it easier, at least in theory, for a rogue site or application to start building a user database based on Facebook profile information.
Facebook should make just a few tweaks to how it does business to regain user trust. Because if they don't act now, it's possible that Congress will.
Connect with Ian on Twitter (@ianpaul).