EPIC - Electronic Privacy Information Center

Social Networking Privacy

• Background |
• News |
• Resources |
• Previous Top News

Latest News/Events

• Facebook to End Beacon, Establish Privacy Foundation: Facebook has entered into a proposed agreement to end Beacon, the controversial advertising technique that broadcast user purchases in their public profile. EPIC and other privacy advocates objected to Beacon’s privacy implications and successfully persuaded Facebook to adopt opt-in for the service. Under the terms of a class-action lawsuit in California, Facebook will now terminate Beacon and contribute $9.5 million towards the creation of a foundation dedicated to protecting online privacy. A class-action lawsuit concerning Beacon is also pending in Texas. For more information, see EPIC Facebook Privacy and EPIC Testimony on the "Impact and Policy Implications of Spyware on Consumers and Businesses." (Sep. 22, 2009)
• Following Canadian Investigation, Facebook Upgrades Privacy: The Canadian Privacy Commissioner issued a report last month raising concerns over Facebook business practices. The Office asked the social networking firm to cease the sharing of user information with application developers, clarify the policy on deactivation and deletion of accounts, protect the personal information of non-users, and "memorialize" the account of deceased users. In complying with the Commissioner's report, Facebook will include new notifications, update its Privacy Policy, and implement technical changes to enable more user control over information accessed by third-party applications. EPIC had previously raised similar concerns about the use of Facebook data by application developers. See also EPIC Facebook and EPIC Social Network Privacy. (Aug. 28, 2009)
• Canadian Privacy Commissioner's Deadline for Facebook Arrives, Some Changes are Made at the Social Network Company: In mid-July, the Canadian Privacy Commissioner released a report recommending several changes to Facebook's business practices. The Commissioner's Office advised the social networking firm to limit application developers' access to user information, and inform users specifically about the nature and use of shared information. The Office also said that deactivated account information should be deleted, and that the privacy policy be amended to include all intended uses of personal information. Facebook was given 30 days. Facebook updated its privacy policy last week and has asked application developers to respect user privacy settings. See also EPIC Facebook and EPIC Social Network Privacy. (Aug. 17, 2009)
• EPIC Forces Disclosure of Government Contracts with Social Media Companies, Privacy Terms Missing: In response to an EPIC Freedom of Information Act Request, the Government Services Administration released several contracts between the federal government and web 2.0 companies, including agreements with Blip.tv, Blist, Google (YouTube), Yahoo (Flickr), and MySpace. EPIC also obtained amendments to agreements with Facebook, Slideshare.net, Vimeo.com, and AddThis.com. The contracts do not address the privacy obligations of social media companies. The GSA letter to EPIC explained that “no specific Web 2.0 guidance currently exists,” but provided EPIC with Training Slides that raise privacy issues. The GSA Agreement with Google actually states that, “to the extent any rules or guidelines exist prohibiting the use of persistent cookies in connection with Provider Content applies to Google, Provider expressly waives those rules or guidelines as they may apply to Google.” Some of the agreements also permit companies to track users of government web sites for advertising purposes. For more information see EPIC Social Network Privacy, EPIC Facebook, and EPIC Cloud Computing. (Aug. 12, 2009)
• Canadian Privacy Commissioner Holds that Facebook Must Strengthen Privacy Safeguards: The Office of the Privacy Commissioner of Canada today released a Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic against Facebook Inc. The complaint, filed under the Personal Information Protection and Electronic Documents Act, contained twenty-four allegations concerning a range of Facebook business practices, including Default Privacy Settings, Advertising, and Third-Party Applications. The Commissioner found that Facebook has taken some steps to address privacy, but that more safeguards are necessary. Facebook has 30 days to respond. See EPIC Facebook Privacy and EPIC Social Networking Privacy. (Jul. 16, 2009)
• EPIC LiveTweeting Sotomayor Hearing: EPIC Executive Director Marc Rotenberg, a former counsel to the Senate Judiciary Committee, is tweeting the Sotomayor nomination hearing this week. The tweets cover #privacy #sotomayor and #scotus. Recap and updates available at @privacy140. EPIC has prepared an extensive background page on Judge Sotomayor. See EPIC Nomination of Judge Sotomayor. (Jul. 16, 2009)
• Facebook to Change User Privacy Settings: Facebook announced planned changes to user privacy controls today. Chris Kelly, Facebook's Chief Privacy Officer, stated that the new policy will promote "control, simplicity and connection" for user data. The announcement states there will be no changes in term of "the information Facebook provides to advertisers" but does not address concerns about the information provided by Facebook to app developers. In June, European Privacy Commissioners warned about the secondary use of personal data collected by social network services. The officials issued an opinion requiring robust security, privacy-friendly default settings, and the application of European privacy law. In April, EPIC supported the adoption of the new Facebook Terms of Service when Facebook said that "users own and control their information." See EPIC Social Networking Privacy. (Jul. 1, 2009)
• European Advisory Group Issues Opinion on Social Networking : The European expert group on data protection and privacy issued a guidance to Social Network Service providers on measures needed to ensure compliance with EU law. The key concern of the group is the dissemination and use of information available on such networks for secondary, unintended purposes. The opinion recommended robust security and privacy-friendly default settings. Topics included processing of sensitive data and images, advertising and direct marketing, and data retention. In January, EPIC suggested regulation of Social Network Service partners, including advertisers and application developers. See EPIC's Page on Social Networking Privacy. (Jun. 17, 2009)
• EPIC Urges Privacy Protections for Government's Use of Social Media: The DHS Privacy Office is seeking public comments on developing best practices on the government's use of social media. EPIC submitted comments on the benefits, issues and privacy best practices. EPIC recommended Privacy Act protections to the data collected, prohibit commercialization and sharing, and the use of a model certification system. See also EPIC's page on Social Networking Privacy, Network Advertising Initiative, and Deep Packet Inspection and Privacy.. (Jun. 3, 2009)
• EPIC Seeks Government Agreements with Social Networking Companies: EPIC submitted a Freedom of Information Act request to the Government Services Administration seeking agency records concerning agreements the GSA negotiated between federal agencies and social networking services, including Flickr, YouTube, Vimeo, Blip.tv, and Facebook. In the FOIA request, EPIC is asking for the public release of the contracts and any legal opinions concerning the application of the Privacy Act of 1974 and Freedom of Information Act to the services that collect information on citizens. For more information see EPIC’s pages Social Networking, Facebook, and Cloud Computing. (Apr. 30, 2009)
• International Privacy Officials Recommend Social Networking Privacy Safeguards. The International Working Group On Data Protection in Telecommunications has released a report and guidance (pdf) on privacy in social networking services. The report identifies risks to privacy and security, and provides guidance to regulators, service operators and users to counter these risks. Risks include the large amount of data collection; the misuse of profile data by third parties; insecure infrastructure and application programming interfaces. Regulators should ensure openness, and oblige data breach notification. Providers must be transparent; live up to promises made to users; and use privacy friendly defaults. Privacy and consumer groups are also recommended to raise the awareness of regulators, providers and the general public. (Apr. 17, 2008)
• Facebook Caves to Privacy Demands, Adopts Limited Opt-In. Social networking site Facebook.com significantly modified the privacy features of its new "Beacon" advertising system. Facebook users found their purchases on third party sites were being broadcast to their Facebook friends. Users had only limited options for opting out of the broadcast. In response to complaints from EPIC, the Center for Digital Democracy, Moveon.org, and thousands of users, Facebook will now ask that users opt-in before broadcasting their details. Facebook will continue to collect information from third party sites and will continue to ask for opt-ins until the user consents. See also EPIC's Facebook Privacy Page. (Nov 30, 2007)
• Facebook to Collect, Distribute User Interactions With Third Party Sites. Social networking website Facebook.com introduced its "Beacon" feature to much controversy. Facebook users who shop at third party websites will have their purchases broadcast to their friends via Facebook. Facebook receives this third party information and shares it unless user opt-out during a brief pop-up window at the third party site. Interest group MoveOn.org has started a petition campaign and Facebook group against this feature. The MoveOn petition and Facebook group demand that Facebook share user information only with explicit opt-in permission. Facebook considered, but did not adopt, a blanket opt-out for the beacon feature. (Nov 28, 2007)
• Facebook Unveils New "Social Ads." Social networking site Facebook.com unveiled "social ads," a new advertising product. Marketers create Facebook profiles and purchase advertising targeting other users profile information. Further, a users name and picture will be shown to their friends in promotion of a product after that user interacts with the marketer in some way. A law professor has questioned whether this violates the privacy tort prohibiting commercial appropriation of name and likeness. Facebook's privacy settings do not currently allow one to opt out of receiving marketing or being used in it. (Nov. 14, 2008)

Background

Social networking Web sites, such as MySpace, Facebook, and Friendster have become established forums for keeping in contact with old acquaintances and meeting new ones. Users can create their own Web page and post details about themselves: where they went to school, their favorite movie titles, and their relationship status. They can link to friends on the same site, whose photos, names, and perhaps a brief description, will also appear on the Web page. While these Web sites are useful tools for exchanging information, there has been growing concern over breaches in privacy caused by these social networking services. Many users feel that their personal details are being circulated far more widely than they would like. In September 2006, Facebook's recently introduced News Feed feature spurred additional privacy concerns from users. Over 700,000 users signed an online petition demanding the company discontinue the feature, stating that this compromised their privacy.

Who Gets Access?

Social networking sites give their users an easy way to share information about themselves. However, many users are quickly finding that the information they intend to share with their friends can all too easily find its way into the hands of the authorities, strangers, the press, and the public at large. For example, job recruiters are looking to these sites as well as performing more traditional background checks on potential employees. Performing a search using these sites may provide a lot of unedited information about a person.

Many sites restrict who can join a site, and therefore access a user's information. Friendster, for example, requires that all its users be over 16, and this requirement is flagged on the registration form. Other Web sites only include age stipulations in their terms of use. Facebook requires a user to show that he or she is a member of a given community before adding them to that network of users. However, the ease with which digital information can be copied and distributed means that anyone within the authorized group may still pass the information along to others. Other sites are more exclusive in their membership. Orkut, for example, requires you to be invited by an existing member before you can join.

Who can access users' information, and how easily, is affected by the search tools each site offers. MySpace allows the general public to search its database of members, using search terms such as a name, e-mail address, or school. This search can be filtered down to a particular country or even to a postal code. If users included in the search results have not changed their privacy settings from the default level, searchers can view their full profiles. These profiles may include personal information such as occupation, hometown, sexual orientation, ethnicity, and religion, as well as photos of users, and their friends or family.

Facebook has a more limited search feature. Users must be registered with the site to conduct a search, and can only view the profiles of those in their network, or of those already on their list of contacts. Some profiles viewed in this way include cell phone numbers and postal addresses. E-mail addresses always appear on Facebook profiles. Friendster also restricts searches to members. However, members can view other users' full profiles, whether they are on the member's contact list or not. Notably, if the person searched for does not turn up in the Friendster database, the Friendster search engine provides a direct link to a data broker, which offers to search for the person.

Users who expect their information to be viewed only by people they know may be dismayed to realize how broadly their personal data is disseminated. Once it is published online, they retain little control over it. While a person's real-world friends may not all have the same level of access to that person's personal information, the hundreds of "friends" on a social networking profile all have the same status, and access to everything posted online.

Default privacy settings on individual accounts allow a great deal of information to be displayed to anyone who views a profile; personal features such as blogs and comments would be accessed by anyone viewing a profile page. If the default settings were set at a higher level, users would immediately have more control. A user who did not want every detail of his or her profile available to those outside their network of friends, or who did not want to allow photographs on his or her profile page to be downloaded, for example, would not automatically be consenting to these actions as soon as he or she set up a profile page.

Hand in hand with this fact goes the possibility that any one of a user's several hundred "friends" can download this information and use it wherever and however they wish.  In fact, access can extend beyond friends and members. Users need to realize that prospective employers, job recruitment agencies, law enforcement, and members of academic staff, can gain access to photographs, comments and information posted on profile pages, whether or not this information comports with the image you would like to portray to the world outside the network.

Control of Information: The Means of Dissemination Matters

In September 2006, a change made by Facebook to how it distributed information caused an uproar among users. The change involved the introduction of a News Feed feature that gathered information on the actions of all of a user's contacts and compiled it into a chronological list on the user's home page. In response to the new feature, a grassroots movement began among Facebook's users. Students Against Facebook News Feed, one of many groups that petitioned against the new feature claimed in its' mission statement that Facebook "went a bit too far this time." Thousands of users voiced their complaints about the News Feed. "[Before,] you could make silly Facebook groups without having to worry about who might find out…It's starting to feel like there's too many tags on you. It's like you have to cover your tracks," one user said.

Many groups were set up on Facebook to campaign against this feature. According to one group, "any user of this Web site may and often does have 'friends' who they barely know, if at all. Some people have friend counts in the four, five, and six hundreds. Is it right for Facebook to automatically broadcast a break up with a boyfriend or a denied friendship-add to all those most peripheral of relationships?" The comments of those who joined the various groups echoed the general dissatisfaction among users. "The new features are almost like it's trying to make me be a stalker even though I don't want to," said one user.

Although they had already published information on their sites, the protesting Facebook users recognized that privacy can be incorporated in the ways that information is distributed, and not just in who is permitted to see the information. In response to the negative reaction to News Feed, Facebook apologized. "Somehow we missed (the) point with News Feed and Mini-Feed and we didn't build in the proper privacy controls right away," Mark Zuckerberg, CEO of Facebook, said.

Users also objected to the fact that Facebook allowed News Feed to begin distributing their information without any warning. Users had no notice of the new feature and, more importantly, were not given the opportunity to decide whether they wanted their information to be shared in this way. This illustrates the problems that may result from using an opt-out system. Opt-out systems assume consent in the absence of an affirmative act by the user, and so are less preferable to opt-in systems. An opt-in system gives the user more control, by allowing users to flag the specific disclosures they wish to activate. An opt-out system, on the other hand, allows widespread sharing of information, sometimes unknown to the user. This forces users to take the time to find and deactivate each disclosure in turn, to attain their desired level of security. 

The privacy controls enabled by Facebook are more opt-out than opt-in. Default settings still disseminate most profile changes to all of a user's contacts. Facebook's solution still allows for those who do not bother to read through the "my privacy" section, located on the left hand side of the profile page, to end up sharing more than they expect.

Privacy Policies

Like many Web sites that collect user information, the aforementioned social networking Web sites have privacy policies. However, there are some problems. These policies are disclaimers produced by a Web site, that become waivers once the user accepts them. By accepting the terms of the policy, the user volunteers to relinquish some known right or privilege they may have. If a user felt the Web site had broken promises it made in the privacy policy, it is doubtful that the user could sue the Web site for breach of contract on the basis of the policy. These policies also contain loopholes. Problems with these policies include a lack of visibility, insufficient information on how the Web sites change their policies, the lack of independent reviewers to monitor these Web sites, and unspecific details of whom the Web sites share user information.  

One problem is that these policies are difficult for users to find and read. Although reading these policies is part of the registration process, they may not be specified on the registration form. The privacy policy may just be mentioned in the Terms of Use of a Web site. Providing users with a box to tick to indicate they have read and accepted a privacy policy is not enough. All three Web sites should make their privacy policies more obvious and users need should be encouraged by the Web sites to actively read through what they are agreeing to.

Another problem with privacy policies is that they are fluid, and may be altered by the Web site. All of these Web sites state that from time to time changes may be made to their privacy policies, which will be posted on the site. It is never specified how long these changes would be posted for, or where. Notice alone is not enough. The changes should be explained to users, along with any specific results the changes incur. Another manifestation of this problem is that not only can terms change, but Web sites can also reset user preferences, and place them back at default level.

The only one of these sites to overtly use a third party to review its privacy policy is Facebook. Facebook pays to be a licensee of the TRUSTe Privacy Program. However, TRUSTe's program suffers several flaws. In the past, TRUSTe has not punished their licensees who have, in TRUSTe's own opinion, compromised consumer trust and privacy. TRUSTe has even been described as untrustworthy by certain commentators.

These policies are also unclear about the terms by which users' details are shared with third parties. Facebook, MySpace and Friendster affirm that the user can choose to share information with marketers through sponsored groups or other on-site offers, such as competitions or sweepstakes. The Web sites reserve the right to transfer personal information to a successor in interest that acquires rights to that information as a result of the sale of the Web site. They state that they will not share users' contact information with marketers without your permission. Facebook and MySpace assert that the user can tell when another company is involved in any store or service provided, and they establish that they may share customer information with that company in connection with the member's use of that store or service. However, they do not specify how it would be so clear to the user when another company is involved. MySpace may transfer personal information to certain ad partners, if the user has explicitly requested to receive information from these ad partners. How a user would go about doing this is vague though. The Web sites do not elaborate on what information they provide to advertisers in aggregate usage information, nor do they note the potential for third parties to disaggregate the information.

Privacy policies, like all agreements, should be clear and easy to follow, so that users have a firm grasp on what they are signing-up to. Unfortunately, Web sites' privacy policies, and terms of use often seem overly cross-referenced. Users need to do a great deal of switching between the two in order to get all the details, and definitions. This makes the task of reading through the information more difficult than it needs to be.

News

• Project ‘Gaydar’, Boston Globe, Sept. 20, 2009
• Update on Terms, Press Release, Facebook, Feb. 18, 2009
• Facebook 'withdraws' data changes, BBC, Feb. 18, 2009
• Facebook retains terms of service after users voice concerns, USA Today, Feb. 18, 2009
• How Does Facebook's TOS Compare To Other Social Networking Sites?, The Consumerist, Feb. 17, 2009
• Facebook backs down on privacy terms, Cnet, Feb. 17, 2009
• EPIC readying federal complaint over Facebook privacy policy, Cnet, Feb. 17, 2009
• Facebook Privacy Change Sparks Federal Complaint, PC World, Feb. 17, 2009
• Facebook's New Terms Of Service: "We Can Do Anything We Want With Your Content. Forever." The Consumerist, Feb. 15, 2009
• Social networks: Bait for cybercrime. CNN Money, Oct. 4, 2006.
• Security Warning For MySpace. Facebook Users, CBS, Oct. 3, 2006.
• Facebook's feeds cause privacy concerns. The Amherst Student, Oct. 3, 2006.
• $1 Billion for Facebook? LOL!. Slate, Sept. 28, 2006.
• Open Facebook. Forbes. Sept. 11, 2006.
• Saying It 'Messed Up,' Facebook Modifies Controversial Feature. The Washington Post, Sept. 7, 2006 .

Resources

• EPIC: Facebook Privacy Page.
• EPIC: Online Guide to Practical Privacy Tools.
• Federal Trade Commission: Social Networking Sites: A Parents Guide and Social Networking Sites: Safety Tips for Tweens and Teens.
• Privacy Rights Clearinghouse: Fact Sheet 18 Privacy and the Internet: Traveling in Cyberspace Safely.
• Canadian Privacy Commisison video on Privacy and Social Networks.
• The Privacy Jungle: On the Market for Data Protection in Social Networks.

Previous Top News

• Facebook Gets Ready to Adopt Terms of Service: Facebook has announced the results of the vote on site governance. The initial outcome indicates that approximately 75 percent of users voted for the new terms of service which includes the new Facebook Principles and Statement of Rights and Responsibilities. Under the new Principles, Facebook users will "own and control their information." Facebook also took steps to improve account deletion, to limit sublicenses, and to reduce data exchanges with application developers. EPIC supports the adoption of the new terms. For more information, see EPIC's page on Social Networking Privacy. (Apr. 24, 2009)
• Facebook Seeks Vote on Site Governance: In February, Facebook announced that it was opening its site governance to user voting after the new Terms of Service were widely criticized, and were to be the subject of an EPIC complaint to the Federal Trade Commission. Facebook restored the old terms and sought user feedback on the new Facebook Principles and the Statement of Rights and Responsibilities. These governing documents have now been updated to reflect feedback from users and experts. The voting to adopt the new terms or to maintain the previous terms is now open till April 23, 11:59 a.m. PDT. For more, see the efforts of People Against the New Terms of Service, and EPIC's Social Networking Privacy page. (Apr. 20, 2009)
• Facebook Announces Governing Principles, Statement of Rights and Responsibilities: Today, Facebook proposed guidelines and a statement of rights and responsibilities governing its relationship with users. The social networking service called for user comment on the principles, which include "Ownership and Control of Information" and "Transparent Process." Facebook further committed to "open up Facebook so that users can participate meaningfully in our policies and our future." Facebook's announcement follows last week's abandonment of changes to its Terms of Service on the eve of an EPIC complaint to federal regulators. For more and see the efforts of People Against the New Terms of Service, and EPIC's "Social Networking Privacy" page. (Feb. 26, 2009)
• On Eve of EPIC Trade Commission Complaint, Facebook Backs Down on Revised Terms of Service: Hours before EPIC planned to file a complaint with the Federal Trade Commission regarding changes to Facebook's Terms of Service, the social network service announced that it will restore the original policy. The new Terms of Service were announced on Feb. 4, were widely criticized, and were to be the subject of the EPIC complaint. Facebook users observed that, under the revised policies, Facebook asserted broad, permanent, and retroactive rights to users' personal information - even after they deleted their accounts. The EPIC complaint was supported by more than a dozen consumer and privacy organizations. Previous EPIC Complaints at the FTC have concerned Choicepoint, Microsoft Passport, and the Google-Doubleclick merger. For more, see EPIC's "Social Networking Privacy" page. Support EPIC's efforts to maintain your privacy in the social networking world. (Feb. 18, 2009)
• European Network Security Agency Recommends Security Protections For Social Networks.The European Network and Information Security Agency (ENISA) has issued a position paper on Security Issues And Recommendations for Social Networks. The paper concludes that social networks are a clear benefit to society; however, the study warns of the danger that new face recognition or other new technologies pose in a world were there may be a false sense of intimacy created by social networks. The agency grouped security threats into 4 categories: privacy, traditional network, identity and social threats. The paper recommends government and corporate policy changes, technical and research recommendation, such as increasing transparency of data handling practices, and encouraging social networking education rather than the banning of social networking sites in schools. (Oct. 1, 2007)
• Facebook Responds to Users' Demands. In response to the negative reactions of so many of its users, Facebook put new privacy controls on the News Feed feature into operation. Mark Zuckerberg, the CEO of Facebook, published an open letter on the Web site on September 8th apologizing for not having consulted with users prior to introducing feature, which notified users of all their contacts' activities, such as profile changes from "in a relationship" to "single." However, the change is simply an opt-out and puts the burden on Facebook users to protect their privacy. Over 700,000 users signed an online petition demanding the company discontinue the feature, stating that this compromised their privacy. (Sept. 25, 2006)
• Outcry Over New Facebook Feature. When social networking Web site Facebook introduced their new News Feed feature on September 5, the company was accused of invading the privacy of its' users and facilitating stalking. The goal of the new feature was to make it easier for users to keep up to date with the latest happenings in the lives of their online friends. However, user upset at its introduction sparked debate over how much control users expect to have over the information they place on these Web sites, and also whether the means of dissemination of this information matters. (Sept. 5, 2006)

Search epic.org

Hot Policy Issues

• Cloud Computing
• Deep Packet Inspection
• Domestic Surveillance
• Facebook
• FISA
• Fusion Centers
• Google Books Settlement
• Iraqi Biometric ID System
• Medical Record Privacy
• National ID
• National Security Letters
• Open Government
• PASS ID
• Privacy Convention
• Re-identification
• Search Engine Privacy
• Smart Grid
• Social Networking Privacy
• Whole Body Imaging

Connect with EPIC

EPIC on Facebook

EPIC on Twitter

EPIC RSS Feed

EPIC Bookstore

EPIC FOIA Litigation Manual 2008

More EPIC Publications...