Wednesday, June 27, 2007

FaceBook Brought to Book?

My colleague Ian Brown of Blogzilla reports on an interesting post on why Facebook may be violating European privacy law.

The article reveals that creating an "exploit" in FaceBook - ie hacking the privacy of unsuspecting users - is trivially easy. All you have to do is use Advanced Search and you can search across controversial (and in European DP language, "sensitive") pieces of data such as Religion and Sexuality in apparently unlimited numbers of profiles. This is true even if the user has taken steps to protect the privacy of their data (see below). As Ian comments this is a security failure on FB's part, which should have been trivially easy to fix in their code.

Having just returned from the SCL Conference where it was revealed that over 3 million people in the UK are on Facebook (including apparently nearly every corporate lawyer in the UK.. and definitely at Allen and Overy :-) and it is growing in the UK at 6% per WEEK, this is serious, er, excrement.

Pangloss's own experimentation proves that in fact hacking FaceBook is even easier than this. Suppose you want to stalk person X who you know lives in London. All you have to do is set up an FB profile, join the London network - which requires NO validation, certainly not a University of London email address or the like - and suddenly you can see all their personal details - some of which (on brief inspection) are highly revealing , of social and sexual data that many people would not want public. Of course they may not have joined the London network - but very often it will be very easy to guess what network the stalkee is in.

Of course, will say FaceBook, you, the stalkee, can stop this. You can in fact change all your privacy defaults on FB so no one can see ANYTHING on your profile site unless they are people you have accepted as "Friends". (Pangloss has just gone and done this, with a vengeance.) Fair enough, except that the default privacy settings on FB are almost entirely in favour of disclosure and there is very little direction or instruction on the site to "change these defaults for heaven's sake, 300,000 people can see who you want to sleep with".

As the blogger above, Quiet Paranoia (great name) comments, "Users cannot be expected to know that the contents of their private profiles can be mined via [advanced] searches, and thus, very few do set the search permissions associated with their profile."

I agree. If an er um respected professor of privacy law can take some while to realise how exposed her data is on FaceBook, then it is unreasonable to expect children of 16 or 17 (FB is associated with high school students but the T & C say 13 up) to make these kind of difficult judgment calls, when what they are really concerned about is popularity and finding out about the good parties?

FB will say that they have provided opt-in to privacy, and anyone who does not avail themselves of the tools available is impliedly giving consent to processing of their data. They wil also point to their privacy policy which does not give the impression of overwhelming concern about the remarkably weak default privacy protection and indeed, security, offered by FaceBook.

"You post User Content (as defined in the Facebook Terms of Use) on the Site at your own risk. Although we allow you to set privacy options that limit access to your pages, please be aware that no security measures are perfect or impenetrable. We cannot control the actions of other Users with whom you may choose to share your pages and information. Therefore, we cannot and do not guarantee that User Content you post on the Site will not be viewed by unauthorized persons. We are not responsible for circumvention of any privacy settings or security measures contained on the Site. You understand and acknowledge that, even after removal, copies of User Content may remain viewable in cached and archived pages or if other Users have copied or stored your User Content."

Even Pangloss, who is no privacy fundamentalist, does not think this is good enough, particularly in relation to "sensitive personal data" where "explicit consent" to processing by third parties is required. (Is searching via key words "processing"? Almost certainly - see Art 2 of the Data Protection Directive which includes "retrieval" whether or not by automatic means. )

But FB will again say : Everyone who signs up to FB assents to the T & C. Does that mean they have given the requisite explicit consent to processing of sensitive data even by "unauthorised third parties"? Even if in pure contract law the T & C can be read this way, at this point both DP law and the Unfair Contract Terms Directive should surely both converge to make such a clause either void or unenforceable?

In comparison, another social networking site where Pangloss hangs out, Live Journal, has not only very sophisticated privacy controls, but also a culture of discussion and awareness that privacy and openness can be manipulated by the software. Of course privacy breaches do still occur (via "cut and paste fairies" for example) but they are pretty rare.

Do we need a legal solution? Is there a case for extension of DP law to cover the setting of defaults on social network sites? Should privacy not be the default, by law (perhaps with some exceptions to preserve functionality, such as name and network) and openness the opt-out, rather than the reverse? Maybe. Maybe all that is needed is an Industry Code of Practice combined with some upping of awareness of the issue. However with the number of people - especially young pre-employment proto-citizens - involved in web 2.0 sites rising by the minute, this really does seem an issue which is not merely knee jerk alarmism and should not be swept under the carpet. First year students may not care now about spilling their sexuality and contacts to the world: they may when they are older, wiser and looking for employment :)

Another suggestion might be the automatic expiry of social networking data after say six months unless the user chooses to opt in to keeping their data out there. Viktor Mayer-Schoenberger has made this kind of suggestion recently. In social networking sites where the whole business model is based around large databases of personal data, data is routinely retained apparently forever. Data retention is another area where the DPO authorities might want to have a bit of a look at whether the law needs tweaked.


Anonymous said...

The 'average user' might not know how to do advanced searches, but the brilliant parliamentary blogger Guido Fawkes clearly has the knack of it -- his blog is littered with Facebook screenshots of status updates that people probably didn't intend to be posted on the Interwebs.

Lock it down. Oh yes. And I am so leaving the London network -- I can't think what I wanted it for anyway.

pangloss said...

Thanks for the tip - tho looking at his blog are ANY of these facebook reports not from spoof acounts?



cearta said...

Daithí on Lex Ferenda has discussed these issues here (in the context of Bebo), here (in the context of Facebook) and here (in detail in the context of Facebook).