
Facebook responds to privacy concerns, but some still remain

From StopBadware.org...

Social networking site Facebook has been on the defensive lately for a variety of poor privacy and disclosure-related decisions about its Beacon application. Beacon, which is turned on by default for Facebook users, allows users to update their Facebook news feed with information about recent purchases and other activities on third party web sites, such as Blockbuster.com, Overstock.com, and Epicurious.com.

To its credit, Facebook has worked fairly quickly to respond to many of the complaints:

* Initially, the default behavior for Beacon was to publish your purchases in your profile unless you explicitly said no. In response to public pressure, including a petition from MoveOn.org, Facebook changed its system so that you must affirmatively click “yes” before a story is published.

* There was originally no feature that allowed you to categorically prevent stories from a particular site from being posted to your profile. Facebook added this feature within the user profile privacy settings.

* Until today, there was still no global opt-out feature that simply says, “I don’t want my behaviors on other sites published in my profile.” Facebook announced availability of this feature today.

* Stefan Berteau at Computer Associates noted recently that even when you opt out, information about your habits on these third party sites is still sent along with your e-mail address to Facebook. Following publicity from Stefan’s report and dialogue between Facebook and StopBadware in which we encouraged far better disclosure, Facebook is updating its Beacon FAQ and has already updated its Actions From External Websites pages to disclose the transmission of this data. Facebook also released a statement clarifying that this data is deleted unless the user opts into publishing the story.

* Mark Zuckerberg, CEO of Facebook, apologized today and admitted making mistakes in the product and how the company handled the launch.

The engineers we spoke with at Facebook also point out that they built the system originally to ensure that data stored by Facebook, including e-mail addresses and other contact information, is never provided to the third party web sites.

We applaud Facebook’s commitment to privacy and its responsiveness to the community throughout this process. We don’t fully agree, however, with the conclusion of CEO Mark Zuckerberg’s statement where he says, “[I] hope that this new privacy control addresses any remaining issues we’ve heard about from you.” In our discussions with Facebook during the past 24 hours, we have raised a couple of other privacy issues that we hope the Facebook team will still address:

1. Facebook offers its partner (third party) sites the option of whether or not to use an encrypted connection to send data (e-mail address, item purchased, etc.) from a user’s PC to Facebook’s servers. We encourage Facebook to make this mandatory, not optional, as this is an important step in keeping this data out of the view of malicious hackers or curious network administrators.

2. When a user chooses to opt out of Beacon or clicks “No Thanks” when asked to publish a story in his/her profile, it is not made clear to the user that the data will still be sent to Facebook. This should be an easy clarification to make in the text of these opt-out screens/boxes and would go a long way towards ensuring full disclosure.

We wish to thank Facebook for engaging in dialogue with us on these issues, and we encourage its leadership to continue listening to and learning from the community so the company can reach the goal they expressed to us of becoming a leader in user privacy.