It hasn't been the best 10 days for Facebook.
After instituting changes meant to improve user privacy, Facebook has been hit with a Federal Trade Commission complaint alleging the social networking site did the exact opposite. According to a host of consumer and privacy groups, Facebook's changes actually did more harm than good.
But just how much privacy do users really want? To hear Facebook tell it, only a small number of its 350 million-plus users were actually taking advantage of the privacy settings that existed before the changes were implemented.
"The mass of our users had never done anything at all," said Tim Sparapani, director of public policy at Facebook, in an interview with eWEEK Dec. 10. "Hundreds of millions of people had never stopped and thought about the consequences of sharing information. So we thought that it was important enough, as people who care about user privacy, to walk them through that process."
Users are the X factor in any security strategy. In a report earlier this year, the Ponemon Institute said that roughly half of the 967 end users they surveyed reported their corporate data security policies are largely ignored by employees and management. The policy violations ran the gamut, from copying confidential information onto USB sticks to turning off desktop firewalls and antivirus.
Cormac Herley, a principal researcher with Microsoft Research, argued here in a recent paper (PDF) that following security advice can sometimes be more trouble than it is worth for users in terms of time and effort.
"It is often suggested that users are hopelessly lazy and unmotivated on security questions," Herley wrote. "They chose weak passwords, ignore security warnings, and are oblivious to certificates errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort."
In the case of Facebook's privacy settings, there may have been a decision that they did the best they could as far as educating the public, opined Berin Szoka, senior fellow at the Progress and Freedom Foundation. Facebook announced its intention to make the changes earlier in the year, and included a "transition tool" that featured information about what the changes were as well as their impact.
"You're kind of damned if you do, damned if don't, because sometimes these companies will create an interface and somebody will say, -Well there are too many choices ... nobody will ever use it,'" Szoka said in an interview with eWEEK Dec. 17. "But if they take away some of the choices, then the criticism is you're [narrowing] users' control. I think if people calm down a little bit more, we can have perhaps slightly more rational conversations about these things."
Still, Facebook's move generated no shortage of user reaction on its blog, much of it lambasting the changes. A Facebook spokesperson said that as of Dec. 14, 220 million users had saved settings through the privacy wizard, with about 20 percent selecting their "old settings" for at least one piece of information. More than 40 percent of those who have Facebook's recommendations preselected are "customizing." Overall, more than 50 percent of users chose Facebook's recommended settings, which are the most open.
In response to the filing of the FTC complaint, Facebook spokesperson Andrew Noyes told eWEEK Dec. 17 that the company had gone to "great lengths to inform users about [its] platform changes."
"We're pleased that so many users have already gone through the process of reviewing and updating their privacy settings and are impressed that so many have chosen to customize their settings, demonstrating the effectiveness of Facebook's user empowerment and transparency efforts," he said. "Of course, the new tools offer users the opportunity to decide on privacy with every photo, link or status update they wish to post, so the process of personalizing privacy on Facebook will continue.
"We discussed the privacy program with many regulators, including the FTC, prior to launch and expect to continue to work with them in the future," he added.
Critics, however, remain skeptical, and while Facebook did respond to user complaints recently by limiting the exposure of a person's "friends" list, it is clear some users think the social networking site has not gone far enough.
"Considering the many tens of millions of American consumers who use Facebook, we hope and expect that the FTC will seriously consider the important questions raised by today's complaint," according to a blog post by Tim Jones, Activism and Technology Manager at the Electronic Frontier Foundation.
UPDATE: This story was updated to add information from Facebook e-mailed to eWEEK late Dec. 18.