Published: December 06 2007, 05:06 PM by Stefan Berteau
Yesterday, Facebook's CEO Mark Zuckerberg issued an apology
via his blog and announced major changes to the Beacon system, effective
immediately. These changes are good news and go a long way toward addressing
privacy concerns, including a statement that Facebook immediately deletes
information sent in about users who are logged out or who have not opted in.
Despite these actions, however, significant issues remain. Facebook has not yet
placed this statement in a binding privacy policy, and could therefore alter its
handling of this data at any time without being required to notify its users.
We have been informed that Facebook will be releasing an updated privacy policy
later tonight, and we will review it when it becomes available. As long as data
about user activities is being sent in to Facebook, users need a binding
commitment as to how it will be handled, and until such a commitment is in
place their privacy will remain at risk.
The following statement was posted to the Facebook Blog at
7:00am Wednesday, December 5:
About a month ago, we released a new feature called Beacon to try to help people share information with their friends about things they do on the web. We've made a lot of mistakes building this feature, but we've made even more with how we've handled them. We simply did a bad job with this release, and I apologize for it. While I am disappointed with our mistakes, we appreciate all the feedback we have received from our users. I'd like to discuss what we have learned and how we have improved Beacon.

When we first thought of Beacon, our goal was to build a simple product to let people share information across sites with their friends. It had to be lightweight so it wouldn't get in people's way as they browsed the web, but also clear enough so people would be able to easily control what they shared. We were excited about Beacon because we believe a lot of information people want to share isn't on Facebook, and if we found the right balance, Beacon would give people an easy and controlled way to share more of that information with their friends.

But we missed the right balance. At first we tried to make it very lightweight so people wouldn't have to touch it for it to work. The problem with our initial approach of making it an opt-out system instead of opt-in was that if someone forgot to decline to share something, Beacon still went ahead and shared it with their friends. It took us too long after people started contacting us to change the product so that users had to explicitly approve what they wanted to share. Instead of acting quickly, we took too long to decide on the right solution. I'm not proud of the way we've handled this situation and I know we can do better.

Facebook has succeeded so far in part because it gives people control over what and how they share information. This is what makes Facebook a good utility, and in order to be a good feature, Beacon also needs to do the same. People need to be able to explicitly choose what they share, and they need to be able to turn Beacon off completely if they don't want to use it.

This has been the philosophy behind our recent changes. Last week we changed Beacon to be an opt-in system, and today we're releasing a privacy control to turn off Beacon completely. You can find it here. If you select that you don't want to share some Beacon actions or if you turn off Beacon, then Facebook won't store those actions even when partners send them to Facebook.

On behalf of everyone working at Facebook, I want to thank you for your feedback on Beacon over the past several weeks and hope that this new privacy control addresses any remaining issues we've heard about from you.

Thanks for taking the time to read this.

Mark
This statement is encouraging, and it announces steps that are in line with
what we had hoped to see. Facebook is taking the issue seriously and has made
changes. Overall, it reinforces the impression that Facebook did not set out to
do a bad thing, but rather did a thing badly. Furthermore, Facebook is starting
to take action to address the risks posed by Beacon, and while those risks have
not yet been mitigated, some very important steps have been taken.
So what has changed?
There are two major changes introduced yesterday: the addition of a
universal opt-out from Beacon, and the placement of a statement about the
silent transmission of data in their Help section.
The universal opt-out feature has been added just below the
individual site settings on the "Privacy Settings for External Websites"
page. Our tests indicate that it overrides the individual site settings: once
the universal opt-out is selected, no affiliate site is able to post stories to
your profile, or even present the confirmation dialog. Where the settings
conflict, Facebook now errs on the side of not sharing, which is a major
improvement over the controls previously offered.
Facebook also updated its Actions From External Websites
pages, and now discloses the transmission of this data. Their statement, which says that data
received about users who are not logged in is not associated with an account
and is deleted immediately, is in their "Help" section under "Actions from External Websites". The statement becomes visible when the
seventh item is expanded.
As stated above, these are good changes, and the universal
opt-out in particular addresses our biggest concern about the user interface. Not everything that we were concerned about
has changed, however.
First, there is no change in the data being sent to Facebook without the
knowledge of the average user. Data is sent silently from affiliate sites, with
no indication to the user at the time of transmission, regardless of whether
the user is logged in, logged out, or has never opened a Facebook account at
all. For users of affiliate sites who have no Facebook account, the data is
effectively anonymous, but for many Facebook users it arrives with their
Facebook user ID, allowing it to be tied directly to their account. The newly
offered global opt-out does not prevent this data from being sent to Facebook;
it only controls what Facebook does with the data once it has been received.
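The only way for a user to verify a claim like the one above is to watch the browser's own traffic: export a HAR capture from the browser's network panel or a local proxy while using an affiliate site, then look for requests that leave the affiliate's domain for the tracking party and check whether the browser attached cookies to them (the logged-in case, where the request can be tied to an account) or not (the logged-out or no-account case). The script below is an added example written for this page, not code from the original post or from Facebook. The HAR entries are constructed, the request path is a placeholder and the cookie name `sid` is made up; the only assumption about the real service is that its requests go to hosts under facebook.com.

```python
"""Flag cross-site requests to a tracking host in a HAR-style capture.

Added example, not from the original post. The sample HAR below is
constructed; the request path and cookie name are placeholders.
"""
import json
import sys
from urllib.parse import urlparse

# Assumption: any host under these suffixes belongs to the party whose
# data handling is being audited.
TRACKER_SUFFIXES = ("facebook.com",)

# Constructed HAR fragment: one affiliate page (a shop's order-complete
# page) that triggers one first-party request, two requests to the
# tracker (one with cookies, one without) and one unrelated third party.
SAMPLE_HAR = {
    "log": {
        "pages": [{"id": "page_1", "title": "https://shop.example/checkout/complete"}],
        "entries": [
            {"pageref": "page_1", "request": {
                "method": "GET", "url": "https://shop.example/static/app.js",
                "cookies": [{"name": "shopsession", "value": "x"}]}},
            {"pageref": "page_1", "request": {
                "method": "POST", "url": "https://www.facebook.com/placeholder-endpoint",
                "cookies": [{"name": "sid", "value": "made-up"}]}},
            {"pageref": "page_1", "request": {
                "method": "GET", "url": "https://static.facebook.com/placeholder.js",
                "cookies": []}},
            {"pageref": "page_1", "request": {
                "method": "GET", "url": "https://cdn.otherparty.example/lib.js",
                "cookies": []}},
        ],
    }
}


def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the hosts used here."""
    return ".".join(host.lower().split(".")[-2:])


def is_tracker(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRACKER_SUFFIXES)


def find_third_party_calls(har):
    """Return every request that leaves the page's own site for a tracker host.

    'identifying' is True when the browser attached cookies for that host,
    i.e. the tracker can link the request to an existing session. A
    cookie-less request is the logged-out / no-account case.
    """
    log = har["log"]
    page_urls = {p["id"]: p["title"] for p in log.get("pages", [])}
    hits = []
    for entry in log["entries"]:
        req = entry["request"]
        page_host = urlparse(page_urls.get(entry.get("pageref", ""), "")).hostname or ""
        req_host = urlparse(req["url"]).hostname or ""
        if not is_tracker(req_host):
            continue
        if page_host and registrable(page_host) == registrable(req_host):
            continue  # first-party call on the tracker's own site, not cross-site
        cookies = [c["name"] for c in req.get("cookies", [])]
        hits.append({
            "page": page_host,
            "method": req["method"],
            "host": req_host,
            "cookies": cookies,
            "identifying": bool(cookies),
        })
    return hits


def summarize(hits):
    """Count identity-bearing versus anonymous cross-site calls."""
    identifying = sum(1 for h in hits if h["identifying"])
    return {"identifying": identifying, "anonymous": len(hits) - identifying}


if __name__ == "__main__":
    # Usage: python har_check.py capture.har   (falls back to the sample)
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    hits = find_third_party_calls(har)
    for h in hits:
        tag = "identifying" if h["identifying"] else "anonymous"
        print(f"{h['page']} -> {h['method']} {h['host']} [{tag}] cookies={h['cookies']}")
    print(summarize(hits))
```

Run it against a capture taken with the global opt-out enabled; if tracker requests still appear, the opt-out governs storage on the receiving side, not transmission from the browser. A request flagged as anonymous still reveals the affiliate page and the action to the receiving host, so "anonymous" here means only that no session cookie was attached.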
Second, as of this writing, the Facebook privacy policy itself still carries a
last-revised date of September 12, 2007. Facebook has made statements and
posted a help page explaining how it handles the silently transmitted data it
receives, but the privacy policy remains unchanged. We expect an update to the
privacy policy tonight, however, and remain hopeful that it will address the
privacy risks currently posed by Beacon.
Third, while visiting affiliate sites, there is no mechanism
to indicate to users that data is being transmitted to Facebook. We did a survey of privacy policies for
BlockBuster, Kongregate, Sony, Bluefly, STA Travel, TripAdvisor and Travel
Ticker. None of them make any specific
mention of Facebook or the data which gets transmitted.
As a result of these three aspects remaining unchanged,
several of our concerns continue, and users of Facebook and Beacon affiliate
sites still face a threat to their privacy.
The silent transmission of data about actions on third-party websites to
Facebook poses a serious risk, and must be mitigated by both prominent notice
to the user, and a binding commitment on Facebook's part to handle the data
properly.
What Facebook has provided is what is commonly termed "discoverable notice".
Actions From External Websites is not a section of the site that users visit
while creating a Facebook account or modifying their Beacon settings. Users
would not even find it under the help section labeled "Privacy and Security".
Even if users do reach the page, the statement about data being deleted stays
hidden until they click to expand the collapsed item that contains it. The data
being sent to Facebook represents a significant enough threat to user privacy
that users cannot be expected to dig through the site looking for notice of the
transmissions. They must be actively notified by information that is
prominently displayed. Notice that data will be transmitted to Facebook even
when users are logged out or have opted out should appear in the "External
Websites" section of the user privacy controls. As it currently stands, the
Facebook website is not adequately informing users that it is receiving data
about their off-site activities.
Beyond active notice, mitigating the threat posed by this data requires a
binding commitment on Facebook's part to handle it properly. Facebook and its
users agree to use the site in accordance with the Privacy Policy and Terms of
Use. Only these documents are binding on the parties, so adding a statement to
the FAQ or Help section, without changes elsewhere, has little to no effect on
users' rights. Furthermore, Facebook has to notify end users of any material
change to its Privacy Policy, giving them 30 days' prior notification by email
or on the Facebook home page or Privacy Policy page, and all changes must be
posted on the Privacy Policy page along with their effective date. Thus, if
Facebook is willing to commit to deleting data about end users who opt out of
the Beacon advertising program, that commitment should appear as a change to
its Privacy Policy. As previously mentioned, we are waiting for the release of
the updated privacy policy and will evaluate it when it becomes public. We
remain hopeful that it will contain a commitment to the deletion of such data,
because without that language users are simply required to trust that a
voluntary policy will not be changed.
Finally, the affiliate sites have a responsibility to their own users to inform
them that certain actions will result in Facebook receiving information, even
if they do not have a Facebook account. For users without a Facebook account
this information is effectively anonymous, so discoverable notice in the
affiliate's privacy policy would be adequate. To date, however, none of the
affiliates we have checked make explicit mention of their data transfer to
Facebook.