Facebook has a dismal reputation when it comes to privacy issues. This is evidently a problem that starts at the top, with Facebook co-founder, President, and CEO Mark Zuckerberg. Nick Bilton summed it up neatly in a Tweet:

Off record chat w/ Facebook employee. Me: How does Zuck feel about privacy? Response: [laughter] He doesn’t believe in it.

This does not appear to be a new development, either. In 2003, when Facebook was called “The Facebook” and Zuckerberg operated it from his Harvard dorm room, he said some regrettable things in an IM conversation about users of the fledgling social networking site, according to a SocialMediaNews article:

Zuck: Yeah so if you ever need info about anyone at Harvard.

Just ask. I have over 4,000 emails, pictures, addresses, SNS

(Friend): What? How’d you manage that one?

Zuck: People just submitted it. I don’t know why.

They “trust me”

Dumb f**ks.

This has manifested in a number of ways that show significant negligence, sometimes to the point of appearing to be hostility, toward issues of Facebook users’ privacy. Lifehacker reported that “Facebook ‘Delete’ Can Take 16 Embarrassing Months,” for instance.

It gets bigger than that. The Wall Street Journal reports, in its article, Facebook in Privacy Breach, that many of the most popular Facebook apps have been giving users’ identifying information — and that of their Facebook friends — to advertising and Internet data mining companies:

The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook’s strictest privacy settings. The practice breaks Facebook’s rules, and renews questions about its ability to keep identifiable information about its users’ activities secure.

It has gotten so bad that, as ClickZ puts it, “Congressmen Question Facebook About Alleged Privacy Breach.”

The way Facebook is insinuating itself into everything else on the Web, from other sites’ login mechanisms to the now-ubiquitous “Like button”, the problem seems destined to grow worse. Arnab Nandi explains that “Deceiving Users with the Facebook Like Button” is easy:

Users can be tricked into “Like”ing pages they’re not at.

He goes on to elaborate on some of the issues with Facebook and its Like buttons in “Reputation, Misrepresentation, Trail Paranoia and other side effects of Liking the World.” He offers some “solutions” to problems he raises. He puts “solutions” in scare quotes to address the fact that some people do not think there is a problem in need of solving; this article does so because his “solutions” do not really address the root of the problem, and are prone to being undermined — and thus do not solve the real problem at all.

Even supposedly improved privacy settings at Facebook are a mixed bag at best. In the EFF‘s report of December 2009, Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly,” we learned:

Facebook is finally rolling out a new set of revamped privacy settings for its 350 million users. …Unfortunately, several of the claimed privacy “improvements” have created new and serious privacy problems for users of the popular social network service.

The total result of the change was to clarify privacy settings for users so it is more obvious what they are allowing and disallowing, but otherwise to actually reduce the effective privacy that can be achieved. The EFF article takes issue with Facebook’s recommendations for privacy settings as well, correctly pointing out that those recommendations are actually designed to convince people to share more about themselves publicly rather than less. The EFF offers some alternative recommendations that do seem better designed for purposes of protecting user privacy.

Why don’t Zuckerberg and Facebook respect privacy?

All indications are that Zuckerberg is actually on the right side of a lot of issues important to the EFF and the kind of people who like the EFF. He seems to really believe in the importance of openness — open source software, openness about policies, and so on.

At the same time, however, the evidence clearly points to Zuckerberg having a distinct lack of respect for privacy. It seems likely, if one speculates freely, that Zuckerberg simply does not believe in privacy — believes it effectively does not exist, and in some respects may even conflict with an ethical approach to the issues important to him. It would seem, given his reputed interest in openness, that he extends the healthy concern for openness represented by organizations like the EFF to unreasonable extremes, including a complete disregard for anyone’s desires to keep some information private. He may be merely misguided, rather than malicious.

That is cold comfort for those of us who care about our privacy, however. Someone with such a dismissive attitude toward privacy as to believe it simply does not exist as a meaningful, valid concept is likely to do things that violate privacy expectations in an underhanded manner. So, too, is a company that person controls. This is, at it turns out, exactly what happens with Facebook; marketing rhetoric suggests that the social networking corporation respects privacy while its policies in practice directly contradict that image.

With that in mind, it should come as no surprise that Facebook has developed a reputation for resetting privacy settings to more-open configurations, on the sly. A number of times, people have discovered that after they have tightened up their privacy settings, Facebook reset them to a less protective configuration. It has gotten bad enough that there is now a Facebook group called “Facebook reset my privacy settings.”

Are Zuckerberg and Facebook misguided? Perhaps.

Is Facebook’s handling of privacy issues underhanded, deceptive, and generally bad? Certainly.

If Facebook was simply more forthcoming about its effective attitude toward privacy — that it is an illusion, or at least an unimportant concern that the company will do its best to circumvent — things would not be so bad. If there were no privacy settings at all, and Facebook very clearly and obviously conveyed to its users that it would share their information with any and all, the situation would not appear so dire.

It is not so much the fact that Facebook does not provide effective privacy to its users that gives it the image of a seedy, deceitful back-alley dealer in private information, worthy of the hate it attracts. It is the fact that Facebook implies concern for the privacy and security of its users in policies, in the presentation of configuration options and marketing rhetoric, then undermines those expectations with a will. Even if privacy itself is not “real”, the violated trust placed in Facebook is very real.

What should I do about it?

There are a number of software tools one can use to monitor and manage privacy settings at Facebook. That such tools are needed — that they exist at all — is indicative of the breadth and depth of the problem.

The EFF’s recommendations for privacy settings may help, in conjunction with some of those third-party tools. The end result is still of running the risk of information you wish to keep private being passed on to parties you would not want to see it, however. That Facebook allows people (your Facebook “friends”) who can see your private information to automatically share that information with others is a significant problem with the idea that the right privacy settings on Facebook can ever solve its privacy problems for you. There is no reasonable option for changing your mind in the Facebook world, either; “deleting” something from Facebook, in reality, often results in nothing more than hiding from you the fact that it is still on Facebook and publicly accessible.

There are, in essence, only two ways to ensure any real privacy on Facebook:

  1. Never use Facebook. Never create an account in the first place. If you must use a social networking Web application similar to Facebook, use a competitor — maybe even use a new service called Diaspora that is currently in development, whenever it becomes fully usable. Unfortunately, for those of us who have already created Facebook accounts, the best we can do in this regard is delete the account, which Facebook tries to discourage, and hope that the deletion actually works. It may be a vain hope.
  2. Never share anything with Facebook that divulges any information at all that you would prefer to keep private. This includes email addresses as part of your supposedly private account data that you would not want shared with spammers, or authentication information (usernames and passwords) you use anywhere else. There are cases where Facebook provides a significant benefit to companies and other organizations that need to be able to reach out to members and customers in social networks, but using an email address created solely for a Facebook account is a reasonable step. Similarly obscuring any actually private, or otherwise sensitive, data is only good sense when dealing with something like Facebook.

This is good advice not only for Facebook, but for any Website that is in a position to abuse your trust. That means most of them. We all tend to make some decisions to try trusting people who we do not actually know well enough to trust. Are you using an email address you use for anything else to log in here at TechRepublic? Have you ever sent anyone (including me) a peer mail here at TechRepublic that included any information you would not want shared with others?

The majority of such people and Websites we trust to some minor degree like that may not violate our expectations of privacy, but it is difficult to be sure that we are selecting the right people to trust. This is why, of those we choose to trust, only the majority do not violate it; those who do end up violating our trust represent the cases where we guessed wrong.

It is not reasonable to never trust anyone at all, but there are times when we should definitely not give someone our trust. One of those times is the case of Facebook and privacy. The corporation has proven over and over again that it does not care about our privacy, and is in some respects actively hostile to it. When its founder, president, and CEO has stated his complete disregard for issues of privacy, too, the evidence that Facebook should not be trusted for reasons of privacy only grows.

It has been said that to keep certain information private, one should never post it to the Internet. That seems obvious — but even people who believe that do not effectively live by it. The truth of the matter is that to be sure something remains private you should not even include it in your login information, let alone in your public profile, or even a “private” profile.

Benjamin Franklin’s Poor Richard’s Almanac informed us that three can keep a secret if two of them are dead. That may seem a bit extreme at first glance, but it is worth keeping in mind when considering whether you can trust any Website to protect your private information. Even worse, Facebook has effectively declared that it will never respect your privacy.