Facebook Timeline and Privacy
Background
Timeline is a digital scrapbook that contains all the information about a user that has ever been disclosed to Facebook. Timeline acts as a user's profile page and automatically summarizes the user's life, from birth to the present day. Once Timeline is enabled, Facebook users have seven days to edit their Timelines before the content that they display becomes public.
Facebook first announced Timeline at the 2011 F8 Development Conference in September. Although users can choose to use Timeline now, Timeline will soon be mandatory for all Facebook users. As of January 2012, Facebook was committed to rolling out Timeline for everyone in the "coming months."
Privacy and Security Risks
Security experts and privacy and civil liberties groups have discussed several aspects of Timeline that create new privacy and security risks to users.
First, by increasing the ease with which personal information can be accessed, Timeline removes the practical obscurity that had protected much of Facebook users' personal data. ZDNet's David Meyer explains that "[u]ntil now, Facebook has allowed a certain amount of obscurity for older content, but that is no longer the case." In Facebook's words, information that was disclosed to Facebook in the past had essentially "vanished." Second, in several cases, Timeline either generates and displays new information about users or makes information that had been directly restricted newly available. For example, Timeline lists the date on which a user joined Facebook. Timeline also displays the "friending" activity of users who had previously chosen to keep such activity private.
Timeline will not be limited to the types of information shared in the past. As users connect to social apps, Timeline will contain new categories of information regarding media consumption and lifestyle habits. Timeline's new "Health and Wellness" item, for example, encourages users to disclose medical data, turning Facebook into "an actuarial goldmine."
Security experts have said that Timeline makes it "a heck of a lot easier" for computer criminals to unearth personal details that can be used to craft attacks. "Because people often use personal information to craft passwords or [in] the security questions that some sites and services demand answered before passwords are changed, the more someone adds to Timeline, the more they put themselves at risk." Timeline's treasure trove of personal information can also provide a tempting target for stalkers, government agents, or employers. A writer for the Vancouver Sun commented that "the kind of people who would want to spend hours digging through the minutiae of your life are not your friends . . . but those who don't know you that well and are really motivated to find out."
EPIC's Filings
On September 29, 2011, EPIC and several privacy and civil liberties groups first wrote to the FTC requesting an investigation into Facebook. The letter focused on recent changes to Facebook's business practices, including the announcement of Timeline. EPIC wrote that "[t]hese changes in business practices give the company far greater ability to disclose the personal information of its users to its business partners than in the past," and asked the FTC to determine whether the deployment of Timeline constituted an unfair and deceptive business practice.
On November 29, 2011, the FTC announced a proposed agreement with Facebook that followed from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The proposed settlement agreement bars Facebook from making future changes to privacy settings without the affirmative consent of users and requires the company to implement a comprehensive privacy protection program and submit to independent privacy audits for 20 years. EPIC submitted comments on the proposed agreement, specifically recommending that the Commission implement the following changes:
- Restore Original Settings: The FTC order should require Facebook to restore the privacy defaults users had in 2009 before Facebook changed the setting.
- Know What They Know: The FTC order should require Facebook to let users access all of the data that Facebook keeps about them.
- Facial Recognition: The FTC order should prevent Facebook from using facial recognition profiles without users’ consent.
- Transparency: The FTC order should require that Facebook’s privacy report be available to the public.
- Secret Tracking: The FTC order should prevent Facebook from secretly tracking users across the web.
EPIC's comments also addressed the implementation of Timeline. EPIC explained that the FTC's proposed consent order requires Facebook to "clearly and prominently" notify users and obtain their "affirmative express consent" before sharing their nonpublic user information in a way that “materially exceeds the restrictions imposed by a user’s privacy setting(s).” “Nonpublic user information” is defined as “covered information that is restricted by one or more privacy setting(s).” “Privacy setting” is defined as “any control or setting provided by [Facebook] that allows a user to restrict which individuals or entities can access or view covered information.” Finally, “materially” means “one which is likely to affect a consumer’s choice of or conduct regarding a product.”
Thus, EPIC explained, it is possible that Timeline violates the terms of the FTC's agreement. The old Profile design required users to click “Older Posts” repeatedly to view the past personal information of others. Accordingly, the Profile design can be seen as a “privacy setting” that “restrict[s] which individuals or entities can access or view covered information” by effectively preventing disclosure to individuals that are unwilling or unable to click through a user’s posting history. Furthermore, Timeline affects consumers’ “conduct regarding a product,” as numerous web sites have devoted articles to explaining how consumers should conduct themselves now that their personal information is more widely available. Thus, Timeline represents a “material change.” Because Timeline arguably falls within the terms of the Order, EPIC urged the Commission to clarify whether Facebook is required to obtain the affirmative express consent of users before introducing Timeline.
Finally, EPIC
News Reports