
Guest post: Cleaning up privacy for a Facebook generation
Privacy is something we jealously guard in real life. We lock our doors, protect our bank details – we’re in control. But online it’s become a different story. Hardly a week goes by without
a major government hack, social network outage or search engine breach: accusations of fault and blame are levied, and our trust is further eroded.
The debate has two camps: those that care and those that don’t.
This is due to an underlying issue: for some reason, being online has shifted the definition of privacy. Two forms of privacy have emerged along with two sets of ‘best practice’ rules:
privacy online and privacy offline (and the term ‘best practice’ is used loosely).
‘Privacy: freedom from public attention’ (Oxford English Dictionary) should be respected by businesses on and offline. And those interacting with businesses should expect the following
principles, rightly or wrongly:
A. We are clearly told what privacy level a service operates at
B. The privacy level cannot be changed on us without us knowing
C. We have an ability to have our information deleted should we so wish it
Many detailed and extensive research papers, and draft legislation, contend what privacy best practice should be. However, the majority are not accessible to the average Internet user.
Simplification and accessibility must be the order of the day to communicate the privacy level that sites, such as Facebook, operate at.
Privacy online should have a standard system of easily understood levels:
3. Friends: what I share with wider friends and acquaintances
4. Business: what I share with a business, which is not shared onwards
5. Business to Business: what I’ve shared with a business and that business then shares with other businesses
6. Public: information in the public domain, found by anyone
There are multiple sub-groups within these levels. For example, at Level 2 / Family, there are things I choose to share with my wife but not with my parents or children, and at Level 3 /
Friends, there are things I share with the friends I party with that I don’t share with those I work with. These sub-groups are an inherent part of who we are and what we do in the
physical world; they are often impossible to define and ring-fence in the digital world.
The fragile contract of trust is often down to a deliberate and convenient requirement for clarity. Two examples have recently involved Facebook and Dictionary.com, where users have been
misled into believing they are operating at Levels 2 / Family and 3 / Friends, when actually their precious information has been sold in a firehose of information to businesses at Levels
4 / Business and 5 / Business to Business and to Level 6 / Public.
Facebook has a history of breaching principles A and B (A: We are clearly told what privacy level a service operates at, B: The privacy level cannot be changed on us without us
knowing). Since May’s public outcry, they have promised not to breach B again, saying that they will not change on us the privacy levels that we choose to set. However, in my opinion they
are still breaching principle A by being deliberately obtuse about their privacy levels.
At first glance, Facebook’s recommended settings look reasonable, with three items being shared with everyone, three with Friends of Friends, and three with Friends Only. However, we are
recommended to share our status, updates, photos, posts, bio, family relationships – in other words, virtually all our information – with everyone. As individuals we do not derive any value
from this, however, this information is the gold at the end of the rainbow for Facebook.
In addition, Facebook, in common with most sites and services, does not follow principle C (that we can choose to delete our data at any time) at all. Accounts can be deleted from view, but
Facebook reserves the right to retain users’ data, and old information will still show up in Google’s infinite memory box of search data.
Quoting from the Wall Street Journal about Dictionary.com’s business practices: “A visit to the online dictionary site resulted in 234 files or programs being downloaded onto the Journal’s
test computer, 223 of which were from companies that track Web users”. This is clearly a Level 5 / Business to Business use, particularly pernicious because the user is not aware that this
is being done at all – with no consent, implied or otherwise, provided. As the diagram of levels shows, the information is flowing ‘underground’ from Dictionary.com to others hidden from
view.
There is no reason why privacy and trust should be handled any differently online from the tight restrictions and respect offered it in the offline world. If we don’t get privacy right
then the online consumer will revolt, which will negatively impact everyone involved in online businesses.
Discussions must be held at international level – it is the world wide web after all – to agree clearly defined privacy levels (either those proposed above, or some other widely adopted
definition). This would be an important first step to helping users, as the general public should not have to be experts in privacy law every time they go online.
This should be followed by a mandate whereby sites and services must be explicitly clear at what privacy level they operate. Opt-outs must be as easy as opt-ins for the sharing of data,
and retracting permission retrospectively should be possible.