Facebook has drawn a lot of criticism the last couple weeks as it again pushed the boundaries of what information about its users are shared through the introduction of Open Graph and Instant Personalization. You can count me as one of the critics. What I don’t understand is why some are giving Facebook the benefit of the doubt in light of its recent actions and when those actions are placed in context with its past actions.

For instance, Read Write Web has a piece calling the criticism of Instant Personalization a “knee-jerk reaction.” Its argument is basically that this is a cool feature, so don’t be too hasty to opt out. Oh, and your privacy concerns are overreactions. This piece by Mathew Ingram at Gigaom says privacy is a complicated matter, and while the piece acknowledges that the criticism “is all well and good,” it goes on to basically defend Facebook, saying Facebook is just “making some mistakes” and that it shouldn’t be a lightning rod for our dissatisfaction with normal human behavior.

Even some critics of Facebook’s actions seem to be giving them the benefit of the doubt. Jeff Jarvis has a terrific piece about the difference between “a public” and “the public” — the distinction that I think lies at the heart of why Facebook’s direction makes many uneasy. Yet, in the same piece, he cuts Facebook some slack by saying, “Facebook seems almost unaware of its line and perhaps that’s because its is harder to find.”

Can someone please enlighten me as to why we’re giving the benefit of the doubt to a company whose business model relies on getting its users to share as much of their personal information as possible and who has a shady track record at best on privacy issues. In the absence of a financial motive to protect our privacy, we’re left only with the hope that Facebook has the ethical standards to protect our privacy. Yet, its actions have indicated quite the opposite. The Electronic Frontier Foundation has a piece tracking Facebook’s eroding privacy policy over the years. The information in that piece is brilliantly visualized by Matt McKeon, and I think it should raise some concerns.

Here’s my biggest issue with Facebook: Its privacy moves are NOT mistakes, as Ingram’s piece says, or an unawareness of the line it’s crossing, as stated in Jarvis’ piece. From the evidence I see, they are implicitly designed actions to make more user information public without drawing their attention to it. That’s even worse than incompetence or mistakes. With a mistake, you recognize you did something wrong and try to keep it from happening again. With incompetence, if your people aren’t good enough to fix the problem, you get people who are. In Facebook’s case, it doesn’t even think it has a problem. Remember Beacon? Or when Facebook quietly amended its terms-of-use policy only to be brow-beaten into redacting it? That “act first, ask for forgiveness later” attitude is a terrible approach to privacy matters. And here they are again, creating features that push more of their users’ information out into the public view by default. Yes, they changed Instant Personalization to opt-in after the initial furor, but the fact that they made it opt-out by default in the first place — after their high-profile debacle with Beacon and despite the fact that nobody likes being automatically enrolled in things that they have to opt out of — shows that not only have they not learned from their past mistakes, they’re ignoring the backlash to those past actions in their push to, as this piece says, shift from “private by default, public with effort” to “public and commercial by default and semi-private with effort.”

And you want to give this company the benefit of the doubt … why? Because it offers neat features and is popular? I like new tools as much as anyone, but the key is the tools have to work for me, not the other way around. I CHOOSE when and how to use something. Facebook shouldn’t do that for me (and not tell me about it).

[DEEP BREATH]

What’s Private By Default? Not Much

Just for the heck of it, I created another Facebook account just to see what the default privacy settings are these days.

Let’s start with the Privacy Settings section. Here are the default settings under Personal Information and Posts:

Your bio and your posts are set to be viewable by everyone by default, and all but one of the other categories are viewable by friends of friends. So everything on this page, except your comments on posts, is viewable by default to people you don’t necessarily know. To me, that’s bad. I think of it this way: Would I go up to strangers at a friend’s party and start volunteering my religious and political views? Or better yet, would I just shout my views out loud at this party without knowing who’s there? Probably not without the assistance of alcohol. This is what the settings on this page amount to. Some people are more comfortable sharing some of these information than others, but shouldn’t that choice reside with the individual, by default?

Next, the Contact Information section:

The default settings on this page are actually pretty much what they should be, considering the extra sensitive nature of contact information. Of course, if these were set to “Everyone” by default, it would likely trigger a mass uprising and exodus — the only Doomsday privacy scenario that would hurt Facebook financially.

Next up, Friends, Tags and Connections:

Basically everything is set to “Everyone” by default. Facebook seems to think my photos and videos are more sensitive, so it gives those items a higher privacy setting, though apparently they are not sensitive enough to be limited to “Only Friends” by default. The problem here is that, from a privacy standpoint, “Friends of Friends” is a lot closer to “Everyone” than it is to “Only Friends”. I can pick my friends, but I can’t pick my friends’ friends. I don’t even know a lot of my friends’ friends who aren’t also friends with me, so to me, there’s little difference between “Friends of Friends” and “Everyone”. To draw a parallel, I wonder if Facebook would feel comfortable about its employees sharing everything they know about the company with their friends.

By the way, here’s the other thing about these settings: When you click on those dropdown menus to change the setting, the choices you get are “Everyone”, “Friends of Friends”, and “Only Friends”. I guess those are the only three privacy settings you get on Facebook. Oh well, I guess I’ll pick … but wait, what is this “Customize” link at the bottom of the dropdown menu? Why, it brings up a menu of options of who can see this information, and the last option on that dropdown list is … “Only Me”. It’s a privacy setting on the same hierarchical level as the other three, yet it’s hidden inside a dropdown menu inside another dropdown menu. Bad UI? Yup. Oversight? Not likely. A designer has to make extra effort to hide an option like this. This didn’t fall through the cracks. Facebook dug a hole and buried it there.

Moving on. Let’s go to Applications and Websites. Let’s see what your friends — note, your friends, not you — can share about you through the games they play and the sites they visit:

Several of those checked-by-default boxes give me some pause, including family and relationship status, videos, and photos. Back in the prehistoric days before Facebook — an age which some allege actually existed — you e-mailed photos to share them with friends. Now imagine some of your friends taking those photos and giving them to third parties looking to use them to make money. What a pal, right? On Facebook, your friends can do that without even realizing it. Basically, Facebook’s settings make your buddies crappy friends by default.

So after going through and adjusting all the stuff under Privacy Settings > Applications and Websites, I’m done with my privacy settings for applications and websites, right? Oh if only it were that simple. Go under your Account dropdown menu and go to Application Settings. Here you get a list of applications that you are running on your Facebook page.

Click “Edit Settings” and check the privacy level. Surprise, surprise, they are all set to either “Everyone” or “Friends of Friends”. Now, most of this stuff isn’t exactly top-secret sensitive material. But again, photos and videos are set by default to be visible by people other than those you know, and I can see how some people may not want the groups they are in to be visible to everyone. Also, the “Only Me” setting in this section is hidden under three dropdown menus. Man, they REALLY don’t want you to find it.

Ok, enough with privacy settings. I joined Facebook to share stuff with friends, not to wade through page after page of check boxes and dropdown menus (and that’s why Facebook defaults everything to public — it’s banking on you not looking too closely). Let’s go to the wall and post a message. What’s this little lock here?

It sets the privacy setting for my post. It’s set to “Everyone” by default. I don’t like that. Let me set it to “Only Friends”. Click, pick, done. I get this message the first time I change the settings:

I write a post. Ok, next post. Oh, the privacy setting is back to “Everyone” again. Sneaky. True, if you click on the lock and then on Customize, you can make it default to the level  you want. But again, an extra menu to navigate to when that option should be in the same place with the rest of the privacy settings. It’s another one of those little touches to get people to share more without drawing their attention to it.

Look, I’m not a prude about sharing information. I have five blogs (it’s an addiction). I argue with strangers on Twitter. I write about my family. I post Flickr galleries of what we had for dinner. I upload videos of our trips. But in all those cases, I’m putting up information about myself with the clear knowledge that it’s going to be viewable by the world (though my site traffic stats tell me my privacy is in no danger). That influences what I do and do not share. I may have choice words for some idiot on Twitter, but if it’s something that might reflect poorly on me later, I beat back the urge to tweet it. I may share a lot about my life on my blogs, but there are things that I won’t write about. On Facebook, it’s a different story because it started as primarily private, and the current line between private and public is murky, easy-to-miss, and complicated-to-adjust. I may want to tell my friends I’m out of town next week or that I hate so-and-so, but would I want the world to know that? Well, unless I dig through several layers of options, the world could easily know that by default, because my sharing with everyone is more profitable for Facebook than my sharing with just a few dozen people. Maybe Facebook is living proof that no service can/should be trusted to serve both our private and public sharing needs, especially when it has a vested interest in one over the other.

Comparison to Other Sharing Sites

Just out of curiosity, I wanted to see what the privacy settings look like for a couple other social/information-sharing sites.

Flickr:

What I like about this is that all your privacy settings are in one place. There’s no need to go to several different pages, and there aren’t multiple dropdown menus to navigate.

YouTube:

YouTube’s privacy settings are actually split between the “Privacy” and the “Activity Sharing” tabs. However, they are still pretty straight forward and don’t involve going into several layers of hierarchy to turn something on or off.

Twitter:

Obviously, Twitter has very few privacy settings. Your tweets are either public or private, and they’re public by default. That underscores the difference between privacy expectations on something like Twitter, where talking to strangers is the whole point, vs. Facebook, where a significant chunk of users (if not most) only want to interact with a select number of people. Yet, even on Twitter, a network that’s overwhelmingly public, it asks me whether I want to turn on location tweets instead of just turning it on for me, which is what Facebook does with many of its features.

Looking at these comparisons, it’s pretty sad that Flickr, YouTube, and Twitter — all networks that are perceived by their users to be much more public than Facebook — have clearer privacy settings than Facebook does. Considering the brainpower it took to build Facebook into the juggernaut it is today, it’s impossible to believe that the hoops you have to jump through on Facebook to make something private are merely oversights or results of incompetence. The people at Facebook know full well what they are doing, and furthermore, I think they fully expect to get the kind of backlash they are getting now. They probably also fully expect it to die down with a little time. Then they’ll get back to contracting the boundaries of what’s private on their network little by little and continue adding “Like” buttons across the Web. Maybe their goal is that at some point in the near future, the combination of the incremental erosion in privacy controls and Facebook’s ubiquitous presence across the Web will render privacy concerns a moot point from Facebook’s perspective. You may have worries about your information on Facebook, but when Facebook has a hand in everything you touch on the Web, you may have no choice but to get dirty.

So am I quitting Facebook?

No. Because I work in the communications realm, I need to understand the technology being used. I am, however, being careful with it. I have two accounts, one for work, which is set to be much more public, and one for personal use, which is set to share with basically only my friends. Even on my personal account, I have removed almost all of my personal information. While I can keep some of them private right now, I have no idea whether that’s going to be the case in the future or, more disconcertingly, whether Facebook will bother to tell me when that’s no longer the case.

UPDATE (May 17, 2010)

For an example of a quintessential Facebook apologist piece, see Ben Parr’s “In Defense of Facebook” on Mashable. This is about as bad an apologist piece as I’ve seen in the Facebook controversy, which is why I just had to rant a little about it here. Among other things, Parr says:

Protecting our privacy starts with us, not Facebook. While the company should have more clearly communicated its recent privacy changes, if you didn’t want your pictures shared with the rest of the world, you shouldn’t upload them in the first place.

And if I just wanted to upload some pictures to share with my friends, and the site I was uploading them to promised that they would be private? Parr totally misses the point here. The problem isn’t that Facebook wants to make information public. Plenty of social networks do that, and people are fine with it. The problem is that Facebook collected much of its users’ information with the promise that such information would be kept private and that users would have control over it. If Facebook had its current privacy policy back in 2006, users would have never provided as much information about themselves as they did. This goes back to my point above that when I post on a blog or on Twitter, I know what I’m posting is viewable by the world and I post it with that intent. On Facebook, people post with the notion that it’s private for themselves and their selected circle of friends, because that’s the notion Facebook pushed in order to convince people to share personal information. Facebook collected personal information by promising privacy and now it’s trying to monetize that information by publicizing it.

Imagine if Gmail decided to make your e-mails public by default. Would you still write the same e-mails as you have been? What Parr’s “if you don’t want to share it with the world, don’t upload it” argument is saying is that you either share with everyone or you share with no one, which is total BS, especially when the network you put those photos on explicitly promised that you CAN share with only those you choose. Keep sipping the Zuck Cool-Aid there, Parr.