In response to the Washington-based Electronic Privacy Information Center (EPIC)’s recently filed complaint against Facebook for its new privacy policy changes, Jules Polonetsky, Co-chair and Director of the Future of Privacy Forum, wrote the following comment:
“How Facebook handles user reaction is more important than even an FTC complaint. Certainly the new privacy setting changes will lead to some Facebook users sharing information more widely, and that warrants privacy scrutiny and debate. Other users may use the new controls to make case by case decisions about what they share. The key question is whether users are aware of the settings and whether they are using them. So far, many users seem to be aware of the changes and are adjusting the privacy controls as they see fit. As people react to the new options, Facebook should continue to respond as they have done by continuing to add educational information and to adjust to ensure they meet user expectations.”
(“Statement in Response to FTC Complaint Filed Regarding Facebook Privacy Settings”)
One cannot object to a company intending to make profits when, as in Facebook’s case, the company aims at monetizing its users’ profile information by making some of it fully public and selling it to advertisers, search engines and other businesses. However, it’s a big no-no for a company to mislead its users: firstly, by leading them to think that the latest change to its privacy policy is an “upgrade” when it should instead be called a “downgrade” (much more information is now considered “publicly available”, like contacts and friends’ list, geographic region and profile picture); secondly, by disregarding its users’ previous privacy settings by, e.g., making their profiles available for indexing by search engines.
If, as Jules Polonetsky writes, “how Facebook handles user reaction is more important than even an FTC complaint”, then the company should, first of all, have been straightforward by telling its users the truth: that its business model is based on extensive data mining and targeting of users; that users should carefully review all of their privacy settings; that its formerly acclaimed granular privacy settings are now a thing of the past; and that the main aim of the changes is to make even more personal information available publicly or to the company’s API (application programming interface) developers and advertisers. This would then have been properly called “educational information”. Instead, it cannot be called anything other than misinformation and deception (a “representation, omission or practice that is likely to mislead the consumer acting reasonably in the circumstances, to the consumer’s detriment”, as the U.S. Federal Trade Commission’s definition goes), especially when considering that many of Facebook’s users are still in high school, or even younger than that.
Consumer privacy and the protection of personal information are essential values of the online social networking experience. They cannot be held hostage to a constantly changing privacy policy that has no purpose (business, not educational) other than monetizing its user base. As in the offline world, in the online one you are ready to share certain types of information depending on whom you address the information to, be they friends, colleagues or strangers. By changing, from one day to the next, the basic assumption on which many people relied when they signed up for the service (that your list of contacts and friends is not public information), Facebook is deceiving its users.
For all these reasons, the complaint to the Federal Trade Commission is well-founded and will be very educational for the general public and Facebook’s 350 million users.
Here are a few truly educational links for Facebook’s users, detractors and apologists alike about the nature and implications of its recent privacy policy changes:
- Kevin Bankston (Electronic Frontier Foundation), Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly (9 Dec. 2009)
- Jason Kincaid (TechCrunch), The Looming Facebook Privacy Fiasco (1 July 2009)
- EPIC’s complaint with the U.S. Federal Trade Commission (17 Dec. 2009)
Here is a detailed legal analysis of the Facebook website under Canadian data protection rules:
- Elizabeth Denham (Office of the Privacy Commissioner of Canada), Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act (16 July 2009)
and a legal analysis of social networking websites under European Union data protection rules:
- Article 29 Data Protection Working Party, Opinion 5/2009 on online social networking (12 June 2009)
