The senators have taken issue with recent changes to Facebook’s privacy policy, as well as the social network’s new ‘Instant Personalization‘ service that allows third-party Web sites to customize site features to an individual users’ tastes. The senators have asked the FTC to recommend privacy guidelines for online social networks, and the lawmakers may even introduce legislation to govern privacy on social networks.
The thing is, Facebook has been relatively responsive to user concerns in the past, and could regain user trust if it would just change some of its behaviors. Here are five things that I think Facebook needs to do out right away.
Opt-out, not opt- in
The four senators were right to criticize Facebook over its opt-out process for the social network’s Instant Personalization feature. The opt-out process is not as clear as it should be. It takes several clicks to find the opt-out check box for Instant Personalization; it’s practically buried within the user’s privacy settings, and Facebook did not provide a clear and unambiguous path to get to the setting when it recently started the program. Not to mention the fact that even if you opt-out for yourself, Instant Personalization sites can still obtain your information through interaction with your Facebook friends.
This is not a Facebook-specific problem, though, as many online services have this preference for opt-out instead of opt-in features. Google, for example, ran into a lot of trouble over Buzz, the search giant’s Gmail-based social tool, because of its opt-out approach.
Be upfront about changes or rewrites
Did you know that Facebook changed the wording of its privacy policy and Statement of Rights and Responsibilities last Friday? I bet you didn’t. It appears that just the wording of the policies has changed, and the policies themselves haven’t been significantly affected. Nevertheless, Facebook should have been more upfront about these revisions, and announced them when they went live. Instead, Facebook closed a three month process of user review in early April, and then implemented the changes. It would have been better for Facebook to announce the revisions in a blog post, and clearly discuss the changes. As far as I can tell, that hasn’t been done in the last week.
Stop being vague
Facebook’s recently revised policies sometimes explain things with vague and ambiguous language. Here’s a choice quote from section 3 of the latest Facebook Privacy Policy, called Sharing Information on Facebook:
“Connections. Facebook enables you to connect with virtually anyone or anything you want, from your friends and family to the city you live in to the restaurants you like to visit to the bands and movies you love. Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection.”
It takes a close reading of this paragraph, as well as reading parts of Section 2 of the revised policy, to understand that connections means, at a minimum, your friends, likes, and interests. But your connections may also mean current city, hometown, family, relationships, networks, activities, interests, and places. It’s also unclear about how, exactly, your connections are made public and to whom. You have to read several sections later to understand that your connections are made by public to third-parties by default.
Facebook should state specifically what they consider to be your profile connections, and they should also be unambiguous in section 3 about the fact that connections are made public by default.
Let me control information access
Facebook users interacting with a third-party Web site or application need to have more control over what information those third parties can get from their profiles. I’m not convinced, for example, that many sites really need access to things I’ve publicly posted to my Wall or even my friends list. I can understand wanting to know my name and gender for demographic purposes, but it would be better if I could decide on a case-by-case basis, which parts of my public profile the site would get to see.
In fact, this is one of the fixes recommended to Facebook last summer by the Office of the Privacy Commissioner of Canada. In response, Facebook said it would “introduce a new permissions model that will require applications to specify the categories of information they wish to access and obtain express consent from the user before any data is shared .” At the time, Facebook said it would implement policy changes recommended by Canada’s privacy watchdog by the end of August 2010. So the network has a few months yet to introduce its new approach to third-party access to user information.
Bring back the 24-hour user data storage policy
Facebook has made it very clear that the decision to allow third-party Web sites and applications to store Facebook user data indefinitely does not alter a user’s privacy rights. Third parties you interact with are still forbidden to sell your Facebook data or do much more than use it in relation to Facebook. But it does make it easier, at least in theory, for a rogue site or application to start building a user database based on Facebook profile information.
Facebook should make just a few tweaks to how it does business to regain user trust. Because if they don’t act now, it’s possible that Congress will.
Connect with Ian on Twitter (@ianpaul).