This anti-Facebook diatribe currently kicking around the interwebs is starting to get a bit tedious. The irony is that in barely any time at all it will probably be forgotten (and everyone will be jumping onto a new train of hate).

Which sucks for those of us who've been playing the Facebook privacy game for at least the last year.

So, here is an attempt to open some more sane debate on the issues. Across 3 posts I'm going to:

  1. Analyse Facebook from the perspective of someone who has been studying them for over 18 months
  2. Discuss Diaspora (the new "solution" on the block), why it is a great thing to work on and why it might not be a proper solution
  3. And suggest a simple, effective solution to the privacy concern.

Facebook

So, part one, the eponymous Facebook.

We've been hearing a lot about how crap their new privacy control is and that everything you post is now public. I've been sticking up for them a little; partly because I tend to stand up for the attacked (whether they deserve it or not, everyone should have a defender) but mostly because pretty much all of the ranters have come to this issue recently and have, honestly, no clue how bad it used to be.

Ye Olde Days

Let's go back to early 2009. As a security researcher I maintain a number of Facebook accounts with which to do testing and monitoring - back then accessing someone's details was trivial. Even those who locked up their profile could be cracked with a minimum of effort.

Through all of '09 Facebook addressed those concerns one by one, locking it all down.

And, so, they came into 2010 in pretty good shape; not the best by a far margin, but those who wanted to could lock themselves up pretty tight (and a surprising number did so).

This, I guess, is where it all went to hell; because then Facebook inexplicably started to open things up again. Or did they?

The truth is that most elements of Facebook privacy settings are honoured by the social graph API and fan pages etc. While it was popular to claim "there is no way to stop your posts appearing on fan pages if they are deemed suitable matches" the truth was that if you lock up your wall posts they won't show.

That's not to say there weren't valid concerns, but they seemed to get lost in a swill of rants and raves.

One such concern is pictures; and people tagging you in them. Which segues me into the next section...

Why Now?

Picture tagging is a valid concern; but why is it an issue now?

Today photos are harder to find & access than they were this time last year. Ok, so if a friend sets his/her photo to public then the world can see your name on it. Right. However, 12 months ago even supposedly private pictures were pretty accessible.

This problem has been partially solved - and yet it is a big issue suddenly, today, right now.

Great, raise that problem (and the others) loudly and vocally. Keep it on the radar (hah...). But don't brand Facebook evil in the process, right, because they've actually made this problem a bit less bad. Give a little credit!

Also you may not have noticed but some tags don't appear, even on public photographs. This is the same for content all over Facebook - it's more obvious with comments (when you come across a thread with a user apparently replying to thin air - one of the participants is just not there).

I've not actually managed to figure out what arcane combination of privacy settings will create this situation - but it appears to be something entirely under your control... if it could be understood.

The Real Problem (with Facebook)

Like a runaway train that takes me onto the crux of this matter; the real problem.

You see there *is* a problem with Facebook, it's a big problem, it's a privacy problem and we are going to need to solve it. Just like we needed to solve it last year.

It comes in three parts:

  • Complexity: privacy is complex, Facebook is complex, your social graph is complex. In fact it's a complete mess. Ensuring that every reasonable element of information about you is correctly "privatised" is far from a trivial problem.
  • People: this is a huge problem. No one (not even you or I really) considers how information could impact them if they don't take precautions. What makes it worse is that the vast majority of people don't understand exactly what privacy means in the context of social networks - and why it affects them.
  • Abuse: I hesitate to use the word but it best sums up the third element. In a world where everything is minutely locked down companies like Facebook will struggle to make a quick buck in quite the same way. So there is a temptation to make things difficult for users.

"People" is not something we can necessarily fault Facebook for. In part the same applies to "Complexity"; as laid out above, Facebook have been tackling the problem head on for the best part of 18 months. They aren't there yet (not by a long stretch) but it seems reasonable to let them give it a go.

"Abuse", though, is somewhere we can call them on. Not in the "OMG FACEBOOK ARE EVIL" way that seems so popular at the moment. But instead by explaining some of the problems with the current setup.

Simple questions like:

  1. Why is it so complicated to lock down your profile?
  2. Why is instant personalization working the way it does (this is a big problem)?
  3. Why can't privacy be "in your face" obvious?
  4. Why is it not clear what is accessible when locked up, and what isn't?

Which is a far from comprehensive list.

For Facebook the "right step" is in making Privacy much much easier for everyone to grasp, raising its profile and showing their users where their information appears. Currently that is not an open process...

It is a lack of openness more than anything that has led to this recent spate of hatin'.

Solutions? (and the real real problem)

There are a number of third party solutions trying to (sensibly) make Facebook privacy more understandable.

By far the best is Reclaim Privacy (which I recommend you check out).

In fact that is precisely the sort of "one click check" Facebook themselves should implement.

But Reclaim is simply an interim measure. There is a much wider problem that needs addressing - which is that Facebook has a stranglehold over the Social net. It has the biggest user base and, as such, they can play the game whatever way they like. If Facebook decides that our names are "public knowledge" then that's how it goes - or get out.

It's a shitty kind of set-up and, so, the future of the social web has to be made up of independent projects and companies all capable of working together. This way the "industry" is self regulating - and if one provider breaks their bond of trust with users they simply lose custom.

The parts are there already; OpenID/OAuth, photo sites, Twitter, Blogging tools, YouTube. All we need is something to drag it, kicking and screaming, together into a package even your gran can use.

Check back next time when I'll talk about the current hot-topic "solution" Diaspora* (and why it's not really, in my eyes, that solution).