On June 16, ten of the nation’s top privacy organizations sent a joint letter to Facebook (PDF) detailing outstanding privacy concerns. Facebook’s response glossed over many of the critical points raised about necessary next steps. The following reiterates our concerns and addresses Facebook’s response to our June 16 letter. We look forward to discussing these issues and Facebook’s plans in more detail to resolve these issues.
1. Fix the "app gap" by empowering users to decide exactly which applications can access their personal information and exactly what information these apps can access.
Facebook Says: It has heard the concerns of the privacy groups and plans to address them in an upcoming revamped data permissions model.
The Facts: The announced plan is an incomplete solution that does woefully little to resolve the app gap. Your personal information may still fall through the privacy cracks when your friends run apps because, by default, Facebook will continue to treats apps your friends run like it treats your friends themselves, giving those apps access to most of your information without your notice or consent.
Facebook’s announced data permissions model falls short in the following ways:
- You can’t choose which apps get access. Facebook’s planned adjustments will not allow you to proactively select which apps get access to your information. The only way to keep your information from flowing to any apps your friends run is: (a) to go through the list of 700,000+ apps and explicitly block every app you don’t want to access your information; or (b) to use the "nuclear option" and stop using apps entirely in order to prevent your friends from sharing your information. This is essentially an “all or nothing” decision, because it simply is not feasible to protect data by blocking individual apps since new apps are added every day.
- Your personal information is available to apps your friends run by default. The Facebook controls that exist to limit what a friend’s apps can see about you allow access to most of this information by default. You must find the app settings and adjust them to control the information that flows to apps. (Click here to find them.)
- You can’t protect all personal information. Facebook’s plans do not include settings to prevent your friends’ apps from accessing information such as “likes” and work history. If your friend can view this information, so can every random app your friend allows to do so.
- You have no way of knowing which apps have accessed your information. Facebook’s plans do not provide any way for you to know what personal information has been accessed by your friends' apps, which makes it difficult to make informed choices about your privacy.
Necessary Steps to Protect Privacy: In order to fix the app gap and make sure that personal information about users is only accessed by people and developers that they trust, Facebook needs to give users complete and meaningful control over which apps can access their information and what information these apps can access.
2. Make “instant personalization” opt-in by default.
Facebook Says: Instant personalization is “widely misunderstood,” and that there is no privacy concern because the only information that instant personalization partners receive from Facebook is public information.
The Facts: When you visit an ordinary web site, the site doesn’t automatically know who you are. But when you go to an “instant personalization” site while logged into your Facebook account, the site knows exactly who you are, including your real name, profile picture, and other public information on your Facebook profile.
It’s like entering a store that automatically scans your wallet or purse when you walk through the door and then links everything you do in the store to your personal information—without first asking you for permission.
Necessary Steps to Protect Privacy: You should not have your identity and information disclosed to “instant personalization” sites without your consent just because you are a logged-in Facebook user. Instead, instant personalization should be turned off by default and users who want this feature should affirmatively opt in.
3. Avoid collecting identifiable information received from "social plugins," including the "like" button, unless the user actually interacts with the plugin.
Facebook Says: Its social plugins are just like every other widget on the web.
The Facts: Social plugins are different from other widgets on the web because they can connect your online activity to all of the personal information attached to your Facebook account, creating an even more detailed profile of you. Facebook can track every time you visit a page with a social plugin, even just a “like” button, and connect this activity to your Facebook account—even if you don’t use the plugin or click on the button at all. Web site developers who don’t recognize this distinction may be violating their own principles or privacy policies unknowingly by using the like button and other social plugins.
Necessary Steps to Protect Privacy: Facebook should be fully transparent about the information that is collected through social plugins, and should not retain any information about individuals who do not actually interact with the plugin. Facebook should also ensure that the “like” button does not transmit information to Facebook about third party site visitors who do not click on the button.
3a. Restore the logout button to a prominent position.
In addition, it has also come to our attention that Facebook has moved the “logout” button to a submenu, making it harder to find. This makes it more difficult for you to log out of the service and be able to surf the web without having your online activity linked to your Facebook account.
Necessary Steps to Protect Privacy: Facebook should restore a prominent logout button on its main page to make it easier for users to log off and help them to keep their Facebook and non-Facebook activities separate.
4. Give users control over every piece of information they share.
Facebook Says: It has taken away privacy settings for information like name, profile picture, and network because “it has been [its] experience that people have a more meaningful experience on Facebook if they share some information about themselves.”
The Facts: Facebook’s refusal to give you control over every piece of information that they share is inconsistent with its stated principle that “People should have the freedom to decide with whom they will share their information, and to set privacy controls to protect those choices.” Not allowing users to choose for themselves is simply contrary to this policy.
Necessary Steps to Protect Privacy: Users should have full control over who (or what) can see every piece of their information, including the fields that are currently “publicly available.” Facebook should also continue to streamline privacy settings so that protections for all personal information can be easily configured.
5. Use HTTPS by default to protect users from outside threats.
Facebook Says: It is currently testing SSL access to Facebook and hopes to provide it as an option in the coming months.
Necessary Steps to Protect Privacy: We look forward to an announcement about using HTTPS in the coming months in order to better protect users from privacy threats. Once tested, Facebook should make HTTPS the default rather than require users to select it as an option.
6. Provide users with simple tools to export their content and connections from Facebook.
Facebook Says: It imposes no restrictions on users that prevent them from exporting the content that they have posted themselves on Facebook and has open APIs that permit applications to export this information.
The Facts: Facebook does not provide its own tool to automatically export your data. Thus, if you want to port your data from Facebook to another service, you must rely on workarounds involving some “approved” automated third party application to export your own content and connections — or get Facebook’s permission to create your own tool to do so.
Necessary Steps to Protect Privacy: Facebook should include built-in functionality that makes it easy for users to export their own uploaded content and contact list so that users can rebuild their social network on another service.