It’s well established that joining a social network means trading privacy for information. Your Facebook friends, for example, get to see that picture of you looking like you might be stoned, and you get to “like” their posts celebrating the legalization of marijuana in Washington and Colorado. Or, perhaps you simply post about your 50th birthday party or celebrating Ramadan. Potential employers get to see all that stuff too, depending on your privacy settings, and there is evidence that some of them discriminate on the basis of age and against Muslims. Facebook, meanwhile, gets to target ads at you.
What’s not as well appreciated, but becoming increasingly clear, is that users of social networks in general, and of social networking kingpin Facebook in particular, are ill-equipped to evaluate the price they’re paying in this trade — to determine just how much privacy they’ll lose over time in exchange for status updates from their friends, and what that loss will eventually mean for themselves and their loved ones.
Part of the reason it’s hard to think clearly about privacy tradeoffs is that data collection now occurs at a staggering scale. Facebook earlier this year announced that it had figured out how to store a billion gigabytes, known as an “exabyte,” in each “data hall” room in its data centers. As people upload two billion pictures a day to the social network, older photos are moved to these “cold storage” exabyte systems.
Facebook’s data hoard is being mined in ever more inventive ways. To take just a few examples: information uploaded to Facebook was sought by the Manhattan DA in a recent Social Security fraud case; Facebook earlier this year announced research on new techniques for performing facial recognition on partial digital images; and the company last month defended a patent, acquired in the purchase of another company, that could be used to evaluate a person’s loan application based on the credit of his or her friends. Meanwhile, Facebook’s own rules about how its data is handled have grown more opaque, according to a recent study; in 2012, even the sister of Facebook’s co-founder accidentally made a private picture public.
“Facebook’s story is that we trade privacy for access to its service,” says Cory Doctorow, a best-selling author, co-editor of the pioneering futurist blog Boing Boing, and consultant for the civil liberties group Electronic Frontier Foundation. “But it’s clear that none of us really know what we’re trading. People are really bad at pricing out the future value of today’s privacy disclosure. … It’s nothing like any other marketplace. … In a market, buyers and sellers bargain. In Facebook’s ‘market,’ it gets to treat your private data as an all-you-can-eat buffet and help itself to whatever it wants.”
No one goes into Facebook planning to share tons of data. When you signed up, all you wanted to do was upload a few flattering vacation photos because your relationship status was, well, It’s Complicated. But people tend to get sucked into Facebook. In 2010, Austrian law student Max Schrems asked for, and eventually received, all the data Facebook had compiled on him. The information arrived in the form of a 1200-page PDF file. It contained both active and deleted personal data, including information on who had “poked” Schrems; a record of who he had friended and de-friended; a list of Facebook users he shared computers with; his RSVPs to various events; email addresses he had never provided Facebook, presumably culled from address books shared with Facebook by his friends; and all his messages and chats, some marked “deleted.” He later formed an activist group called Europe v. Facebook and, among other legal maneuvers against the company, filed a complaint with the Data Protection Commissioner in Ireland, where Facebook has its European headquarters, arguing the company’s practices violated an amendment to the European Union charter.
If a user like Schrems asked for a data dump today, it would probably look quite different. As Facebook evolves and offers more features, it generates new types of information, information that often remains hidden away. “Social networks foster an environment of mutual participation … on the premise of a social good,” says Dr. Richard Tynan of the U.K. organization Privacy International. “However, behind this apparently benign act exists an ecosystem of algorithms and decisions, known only to Facebook.”
Facebook’s tendency to appropriate more and more information led, in 2011, to a complaint by the U.S. Federal Trade Commission that the company had “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.” Without admitting wrongdoing, the company settled the case that same year, agreeing to 20 years of audits. Among other things, Facebook said it would announce all privacy policy changes widely and give people 60 days to change settings on their posts or delete their account. One commissioner disagreed with the ruling on the basis that it was, in his view, too lenient, allowing Facebook to settle without admitting wrongdoing.
A Facebook spokesperson offered, “We want people to understand how Facebook works so they can make informed decisions and control their experience. In an effort to help people really understand our data policy, we’ve made it 70 percent shorter and easier to navigate.”
Some studies dispute this. A 2015 study conducted by undergraduates at Harvard University for a publication run by data and privacy expert Professor Latanya Sweeney found that Facebook’s privacy policy became markedly more opaque and less explanatory over the years. It also argues the policy’s length has grown, which is disputed by Facebook along with the study’s general thesis. Other researchers, like the Center for Plain Language, offer praise for Facebook’s policies compared to companies like Apple.
Doctorow holds a different view. “Facebook’s playbook is easy to understand and sleazy as hell: a privacy dashboard that’s so complicated that even the Zuckerberg family can’t figure out how to share things with just family members; periodically changing everyone’s privacy settings by fiat to grab more than they’ve said they’re willing to give, then backing off to a point that’s less private than it was before, while issuing a non-pology for the ‘misunderstanding,’” he says.
Even when Facebook wants to keep your data private, it may not be able to. Earlier this year, Facebook was joined by the New York Civil Liberties Union (NYCLU) in challenging a sweeping warrant by the Manhattan District Attorney’s office. The DA wanted to see all Facebook data for 381 people under investigation for Social Security fraud. At the time it won the appeal, the Manhattan DA released a statement saying this became “the third court to deny Facebook’s efforts to block lawful evidence gathering,” and cited 108 guilty pleas and $24.7 million in forfeiture and restitution. “In many cases, evidence on their Facebook accounts directly contradicted the lies the defendants told to the Social Security Administration,” the statement said.
NYCLU attorney Mariko Hirose says Facebook was under a gag order, prevented from initially telling those under investigation about the warrants. “We’re not saying that social media information can’t be used in a criminal investigation,” Hirose says. “The question is complying with the Fourth Amendment, probable cause and particularity. They didn’t particularize the warrant. They asked for everything — photos, videos, IM chats with friends and family.” A Facebook spokesperson said the company is still considering whether to file a motion to appeal.
As hard as it is to fathom all the ways Facebook data is used today, the possibilities only multiply when you project into the future. Earlier this year, several researchers from Facebook and the University of California, Berkeley, published the paper “Beyond Frontal Faces: Improving Person Recognition Using Multiple Cues,” advocating for a new and, in their research, highly improved way of deriving people’s identities using partial, side, and even back-of-head pictures. In August, Facebook moved to defend a patent it had acquired in the purchase of another company; the patent envisions, in one use case, that “when an individual applies for a loan, the lender examines the credit ratings of members of the individual’s social network who are connected to the individual through authorized nodes.” The core of the patent was a technique to see how users are networked; other envisioned uses included spam prevention and personalized search.
A Facebook spokesperson stated, “Facebook didn’t invent the contents of this patent, so it’s misguided to think we are working in this area based solely on a single, unclaimed footnote in the document. Furthermore, we don’t allow people to use Facebook to confuse, deceive or defraud anyone, and we aggressively enforce this policy.”
The lending idea actually appears prominently in the patent application, taking up a fifth of the “summary of the invention” section, warranting its own diagram, and getting several other mentions, all outside of footnotes. And the strong wording of Facebook’s statement does not actually preclude the use of the platform for financial analytics. There’s also research that indicates that the startling idea of using social media for financial predictive analytics might actually work, and thus potentially catch on.
University of Maryland business professor Siva Viswanathan has looked into how “soft information” — like social contacts — can augment hard information like credit history to help lenders make better decisions. In his studies, this “soft information” has proven valuable. He studied social lending platforms like Prosper and Kabbage, not Facebook, but those platforms share with Facebook the challenge of showing that online networks can be as robust and stable as real-world connections. “We were surprised,” Viswanathan says. “Online was not perfect, but having the information did allow better [lending] decisions. The question remains how much better.” He also believes it’s quite possible that if social networks are adapted for predictive analytics in lending, people will alter their behavior online. “You have what we call adverse selection. You might end up getting the wrong crowd that manipulates connections, or people who care about privacy who are creditworthy borrowers who might stay out of the system.” Nonetheless, Viswanathan believes the model is viable.
It’s not at all clear how to help people navigate a world where the seemingly trivial act of accepting a friend request can have life-altering financial implications. Privacy International’s Tynan advocates increased disclosure of future risk; but does that mean that privacy policies would become more like dystopian sci-fi stories? “It is no longer acceptable for companies to simply detail what data they collect on their users,” he says. “They must be honest and explain what the implications are.” More radical is the idea of moving social networks to a different business model. Many people, including UNC professor Zeynep Tufekci, have advocated that there be an option to pay for Facebook directly rather than by being data-mined. Some users, like me, stay on the platform as-is but greatly restrict the types of information we post. I genuinely enjoy the updates from my friends and U.S. family, and a glimpse into the lives of my relatives in Zimbabwe. But I block anyone else from posting on my wall and limit what I upload largely to pretty photographs and self-promotional links about my work. It’s hardly a deep glimpse into my life, but my presence is still mineable, particularly the data on which items by other users I click on and like.
Of course, people can always leave Facebook. But you don’t even have to be on Facebook to be on Facebook. When I entered Doctorow’s name into Facebook’s search engine, I got a page that included a neatly formatted teaser link to his Wikipedia entry, plus a section titled, “Photos of my friends and Cory Doctorow.” He turns up in two pictures, uploaded and tagged by people who I’m friends with on the platform. At the bottom it reads, “This Page is automatically generated based on what Facebook users are interested in, and not affiliated with or endorsed by anyone associated with the topic.”