Monday, March 03, 2008

Why Facebook's new policies still pose a privacy risk

Anita Ramasastry has been contemplating Facebook's about-face in deciding to allow subscribers to allegedly totally delete their details from the system. She concludes that the new policies still pose significant privacy risks.

"Has Facebook become like the Hotel California, where "you can check out any time you like, but you can never leave"? Until recently, that was how it felt to Facebook users who wanted to remove themselves, but found the process was neither quick nor straightforward.

Facebook used the term "deactivate" in its privacy policy, and "deactivation," it turned out, was not the same as deletion. Instead, Facebook would keep material stored in case users later wanted to reactivate their accounts. Thus, the site reportedly warned users that "[r]emoved information may persist in backup copies for a reasonable period of time," and "[e]ven after removal, copies of user content may remain viewable."

In light of recent criticisms in the blogosphere, however, Facebook has wisely changed its policy. It now allows users to remove themselves and their data from Facebook with a single email request.

In this column, I will examine Facebook's prior policy, and analyze whether it was legal. I will also consider other facets of Facebook's data retention and privacy policies. Finally, I will argue that users need to be more cautious about signing up for social networking sites because, on such sites, their privacy cannot be fully guaranteed...

Facebook's Prior Rules Were Legal in the U.S., But Perhaps Not in the EU...

Unfortunately, even true deletion of a profile by Facebook is unlikely to address users' concerns about embarrassing information remaining accessible. Information may be cached outside Facebook, or simply saved by an individual who views it...

Most savvy Internet users will be well aware of the risks of copying and caching information posted on Facebook and similar sites. But they may not be aware that Facebook reserves the right to supplement user profiles with information it collects from other sources. In other words, on Facebook, users may not even have full control over their own profiles...

Finally, as the Electronic Privacy Information Center (EPIC) has pointed out, those users who install third-party applications - which the Facebook Platform allows -- also face privacy concerns. When someone installs an application, the application (program) can "see" or retrieve the same information the user can see...

In sum, users who think that simply removing their Facebook profiles will protect their privacy should think again. Until Facebook changes other rules, serious privacy risks will persist on the site."

No comments: