Facebook held a major press event this week to introduce some significant changes to the site, including Facebook Groups. While the intent of Facebook Groups is to enhance privacy and provide users with more control over how information is shared, the implementation of the concept leaves a little to be desired.
Chet Wisniewski, a senior security advisor with Sophos, describes the problem in a blog post. "Facebook's newly announced groups feature may not be the boon for privacy some have predicted. Although only a small percentage of Facebook's users are upgraded to the new features it would appear people are exploring the possibilities in a rather aggressive way."
Wisniewski goes on to explain, "The problem of course is that you can create a group with any name you want, and add any friends you want without any confirmation that they wish to be a member of said group. It would seem obvious that this is a terrible idea because when you are added to a group it will post a status update saying you joined it... And it didn't take long before someone used it on Zuck."
What Wisniewski is referring to is that someone set up a Facebook Group for NAMBLA--the pro-pedophile North American Man Boy Love Association--and added TechCrunch's Michael Arrington to it. Arrington, appreciating the irony of the prank, then paid it forward by adding Facebook founder Mark Zuckerberg. If Zuckerberg and the Facebook team didn't understand the issue before, this prank should be a poignant example of the problem with default opt-in and no approval or confirmation process.
The Facebook Help Center answers the question "Can I Prevent People From Adding Me to a New Group?" with the following: "The functionality of approving a group membership is not available. Similar to being tagged in a photo, you can only be added to a group by one of your friends. When a friend adds you to a group, a story in the group (and in News Feed for Open or Closed groups) will indicate that your friend has added you to a group."
However, once you have been added to a group, you can remove yourself from that group, and once you remove yourself from a group you can't be added to that same group again by any of your Facebook friends.
Wisniewski laments, "There doesn't seem to be a way to opt-out of this feature, although you are notified if you are logged into Facebook. As usual it would appear the ability to connect trumps your ability to decide what should be done with your identity when it comes to Facebook."
And, as usual Facebook's good intentions are thwarted by default opt-in. The underlying concept of Facebook Groups is solid, and I think once the dust settles on this initial launch that it will be successful in meeting the objective Facebook designed it for. But, Facebook should always set up features with assumed privacy and put the ball in the user's court to consciously opt-in to share information.