Facebook Timeline and Privacy

Background

Timeline is a digital scrapbook that contains all the information about a user that has ever been disclosed to Facebook. Timeline acts as a user's profile page and automatically summarizes the user's life, from birth to the present day. Once Timeline is enabled, Facebook users have seven days to edit their Timelines before the content that they display becomes public.

Facebook first announced Timeline at the 2011 F8 Development Conference in September. Although users can choose to use Timeline now, Timeline will soon be mandatory for all Facebook users. As of January 2012, Facebook was committed to rolling out Timeline for everyone in the "coming months."

Privacy and Security Risks

Security experts and privacy and civil liberties groups have discussed several aspects of Timeline that create new privacy and security risks to users.

First, by increasing the ease with which personal information can be accessed, Timeline removes the practical obscurity that had protected much of Facebook users' personal data. ZDNet's David Meyer explains that "[u]ntil now, Facebook has allowed a certain amount of obscurity for older content, but that is no longer the case." In Facebook's words, information that was disclosed to Facebook in the past had essentially "vanished." Second, in several cases, Timeline either generates and displays new information about users or makes information that had been directly restricted newly available. For example, Timeline lists the date on which a user joined Facebook. Timeline also displays the "friending" activity of users who had previously chosen to keep such activity private.

Timeline will not be limited to the types of information shared in the past. As users connect to social apps, Timeline will contain new categories of information regarding media consumption and lifestyle habits. Timeline's new "Health and Wellness" item, for example, encourages users to disclose medical data, turning Facebook into "an actuarial goldmine."

Security experts have said that Timeline makes it "a heck of a lot easier" for computer criminals to unearth personal details that can be used to craft attacks. "Because people often use personal information to craft passwords or [in] the security questions that some sites and services demand answered before passwords are changed, the more someone adds to Timeline, the more they put themselves at risk." Timeline's treasure trove of personal information can also provide a tempting target for stalkers, government agents, or employers. A writer for the Vancouver Sun commented that "the kind of people who would want to spend hours digging through the minutiae of your life are not your friends . . . but those who don't know you that well and are really motivated to find out."

EPIC's Filings

On September 29, 2011, EPIC and several privacy and civil liberties groups first wrote to the FTC requesting an investigation into Facebook. The letter focused on recent changes to Facebook's business practices, including the announcement of Timeline. EPIC wrote that "[t]hese changes in business practices give the company far greater ability to disclose the personal information of its users to its business partners than in the past," and asked the FTC to determine whether the deployment of Timeline constituted an unfair and deceptive business practice.

On November 29, 2011, the FTC announced a proposed agreement with Facebook that followed from complaints filed by EPIC and other consumer and privacy organizations in 2009 and 2010. The proposed settlement agreement bars Facebook from making future changes to privacy settings without the affirmative consent of users and requires the company to implement a comprehensive privacy protection program and submit to independent privacy audits for 20 years. EPIC submitted comments on the proposed agreement, specifically recommending that the Commission implement the following changes:

  • Restore Original Settings: The FTC order should require Facebook to restore the privacy defaults users had in 2009 before Facebook changed the setting.
  • Know What They Know: The FTC order should require Facebook to let users access all of the data that Facebook keeps about them.
  • Facial Recognition: The FTC order should prevent Facebook from using facial recognition profiles without users’ consent.
  • Transparency: The FTC order should require that Facebook’s privacy report be available to the public.
  • Secret Tracking: The FTC order should prevent Facebook from secretly tracking users across the web.

EPIC's comments also addressed the implementation of Timeline. EPIC explained that the FTC's proposed consent order requires Facebook to "clearly and prominently" notify users and obtain their "affirmative express consent" before sharing their nonpublic user information in a way that “materially exceeds the restrictions imposed by a user’s privacy setting(s).” “Nonpublic user information” is defined as “covered information that is restricted by one or more privacy setting(s).” “Privacy setting” is defined as “any control or setting provided by [Facebook] that allows a user to restrict which individuals or entities can access or view covered information.” Finally, “materially” means “one which is likely to affect a consumer’s choice of or conduct regarding a product.”

Thus, EPIC explained, it is possible that Timeline violates the terms of the FTC's agreement. The old Profile design required users to click “Older Posts” repeatedly to view the past personal information of others. Accordingly, the Profile design can be seen as a “privacy setting” that “restrict[s] which individuals or entities can access or view covered information” by effectively preventing disclosure to individuals that are unwilling or unable to click through a user’s posting history. Furthermore, Timeline affects consumers’ “conduct regarding a product,” as numerous web sites have devoted articles to explaining how consumers should conduct themselves now that their personal information is more widely available. Thus, Timeline represents a “material change.” Because Timeline arguably falls within the terms of the Order, EPIC urged the Commission to clarify whether Facebook is required to obtain the affirmative express consent of users before introducing Timeline.

Finally, EPIC

News Reports

  • Tell Your Story With Timeline, Samuel W. Lessin, The Facebook Blog, Sept. 22, 2011.
  • Facebook May Have Taken A Privacy-Busting Step Too Far, David Meyer, ZDNet, Sept. 26, 2011.
  • Facebook's Timeline will be boon for hackers, Gregg Keizer, ComputerWorld, Sept. 23, 2011.
  • Facebook Timeline: The privacy settings it should have, but doesn’t, Chad Skelton, Curious Dad, Dec. 20, 2011.
  • Five Facebook Changes You Can't Wait to Make, Kristin Burnham, MacWorld, Dec. 21, 2011.
  • Timeline and Privacy: What You Need to Know, Jim Royal, Daily Finance, Dec. 20, 2011.
  • EPIC vs Facebook: Privacy through obscurity, Emil Protalinski, ZDNet, Jan. 9, 2012.
  • Facebook VERY SLOWLY rolls out Timeline, Kelly Fiveash, The Register, Jan. 9, 2012.
  • EPIC: Facebook Timeline changes users’ privacy settings, Emil Protalinski, ZDNet, Jan. 10, 2012.