Don’t Go Towards the Light – Facebook and Beacon

Recently it has been hard to keep on top of the unfolding problems at Facebook. For those who are unaware of what Facebook is, it is a social networking site popular amongst college students. Of course, this didn’t send them into the netherworld or online privacy issues. No their problems started with their privacy policy. Most importantly what it didn’t say. What it didn’t say is that facebook employees might just be browsing your online activity (that Facebook tracks) for their own entertainment. Now that might some issues but that at least the caveat emptor of privacy policies. In an age where people narrowly tailor their privacy policies, it then falls to the user to think of all the things that a company could do with their information and decide if they want their information used that way before accepting the terms of the service (and many companies change their privacy policy at will and without notice). This is an interesting bent on contracts and informed consent. The contract is being modified at any time and without notice (note: most sites do this, not just Facebook). Furthermore, this is a one sided contract modification (much like the strategy credit card companies use). There is no negotiation and there is probably a serious question as to whether both sides are agreeing on the contract with the new policy (I know of more than one company that get’s people to agree to changes in the employee handbook before they get to see it!). Although concerning, this probably pales in comparison to the recent brouhaha over their Beacon software.

Beacon is Facebook’s advertising platform. Facebook tracks its user’s actions on the web (and off their site). It then posted this information for all to see on their page. This meant, if you had a friend that wanted a new GPS for xmas and you went to buy it for them online, they might see that you just made the purchase on your page (whoops, surprise gone). Worse yet, what if you wanted a GPS and so did someone else and they told you they weren’t buying gifts this year, or were doing something else but you could see they bought one for someone else). This policy was Opt out so it was on be default. When news of this broke, Facebook turned off this feature; sort of. Turns out, they didn’t turn it off at all, they just turned of the reporting part of it. So they were still tracking you, you just couldn’t see they were doing it so visibly. Finally Facebook let users completely opt-out of the system.

Opt-out has become the mantra of the marketing industry (assuming tacit acceptance of their practices). There is an interesting debate about this in the tech. community about if it is better to use Technology to stop such things (NoScript and AdBlocker can be used to block Beacon completely (for the moment) if you have FireFox while others say that policy should be implemented to stop such actions. Finally there are those who feel that consumer pressure will drive this (I got an email from one Social networking site saying how they would never implement such a system (of course there is some bitter irony there since they sent me that email without my permission though a spam posting on another social networking site). Which solution will work best (policy, technology or market pressure) is an interesting debate; each with its own merits. What is clear, is that what is in place now is not working.

A Response To The Re-definition Of Privacy

***The following is a response to this posting (http://privacy-law.blogspot.com/2007/11/is-privacy-still-privacy.html) on the re-defining of privacy. ***


This is a dangerous game of re-definition. Indeed, it is not the benign use of private data that the ideas of privacy law are designed to protect. The misuse of data is the concern and there in lies the problem such re-definitions seek to maneuver around.
In the case of government, 4th amendment protections are there for those who have been wrongly searched and to protect people from intrusive, and intimidating, searches. The promise that "we'll look but trust us, we won't tell anyone or use it against you" is of small comfort. Privacy from a governmental aspect is one of concern based not only on what is happening now, but what may happen in the future. The example I think makes this most clear is Germany in the 1930s. To be Jewish in Germany in 1931 would not be much means for hiding this affiliation. By 1939, hiding this fact was, for some, a matter of life and death. The best protection a citizenry has against such misuses of information is to prevent it's collection in the first place.

In the private sector; the challenges are that the recourse people have is only civil. This creates a problem where an organization may choose to violate its privacy policy (we'll ignore the issues of informed consent, changing contracts without re-affirmation and liberty for now). A good example of this is when .coms in the late 90s would sell their only asset (a user list) upon bankruptcy. People who had their "private" information sold had little recourse since the company that they had given their information to (and thus had the contract with) was no longer around (and even if they were, the fact that they are in bankruptcy ensures that there will be relatively little way for them to receive adequate compensation for the wrong or for the court to provide a disincentive for such actions not to happen again).

My point in these two examples is that this re-definition has far reaching consequences that are somewhat masked by the gentle nature of this re-definition. People need to be sure they understand such implications before we re-write the law to turn the veil of privacy into the hope of non-disclosure.