After several failures, online social networking service Facebook actually seems to have understood that many of its users have significant concerns about their online privacy and the way in which information they upload to Facebook is shared with the public, application developers, advertisers, and other sites. Facebook recently bent over backwards to rework its privacy controls into a simpler configuration users could more easily understand and manage…but a group of consumer advocacy groups thinks Facebook could go further, and sent Facebook CEO Mark Zuckerberg an open letter (PDF) detailing their specific concerns. And, surprisingly, Facebook has responded point-by-point.
The open letter asks Facebook to take six concrete steps to further shore up its privacy stance:
- Give users the capability to decide what third-party Facebook apps can access their personal information
- Make Facebook’s instant personalization of third-party partner sites opt-in by default
- Do not retain data about visitors to third-party sites using Facebook social plug-ins or Like buttons unless visitors specifically interact with those tools
- Provide users control over all information shared via Facebook, including the shared-by-default items like name, gender, profile picture, and networks
- Protect all interactions with the Facebook site from third-party man-in-the-middle attacks by encrypting them using SSL
- Provide tools for users to export content they’ve uploaded to Facebook and details of their social network so they can opt out of Facebook without losing their information.
The open letter is signed by a number of notable privacy and consumer advocate groups, including the American Civil Liberties Union of Northern California, Center for Democracy and Technology, Center for Digital Democracy, Consumer Action, Consumer Watchdog, Electronic Frontier Foundation, Electronic Privacy Information Center, Privacy Activism, Privacy Lives, and Privacy Rights Clearinghouse.
Facebook’s point-by-point response basically boils down to:
- Facebook has already announced a new permissions model for apps, and it should be rolling out to developers soon
- Facebook says instant personalization is misunderstood, and partners only have access to information that’s public on users’ profiles
- Facebook kind of misses the point on not retaining data from third parties using social plug-ins or Like buttons, but says it only hangs on to the information for 90 days and doesn’t share or sell it
- Facebook doesn’t budge on letting users control whether default profile information gets shared. “It has been our experience that people have a more meaningful experience on Facebook when they share some information about themselves. That way, they can find friends and friends can find them, which is the reason most people come to Facebook.”
- Facebook is testing SSL and hopes to add it as an option soon
- Facebook also misses the intent of the open letter’s sixth point, saying users can export data they themselves have uploaded to Facebook, but can’t let users export information about others, since doing so would violate those users’ privacy.
What’s interesting about this dialog isn’t so much the specific details—most of this is gobbledegook for anyone who isn’t serious about online privacy—but that the dialog is happening at all, and furthermore that it’s happening rapidly and in a public forum. If nothing else, that speaks well of Facebook’s intentions to be transparent about the ways it protects, and plans to protect, its users’ privacy, as well as the sensitive issues on which it simply will not budge.