Facebook privacy creep

Always the punctual adopter, I joined Facebook around the end of 2007. Since then I’ve observed many tweaks to Facebook’s features, but not until recently when I set up a second account for work, did I really take notice of certain changes, especially those that relate to privacy and sharing of data.

If you don’t already know that I’m a huge cynic, then you will do shortly. I’m going to lay out my observations as factually as I can, but they will be tainted with my usual dose of suspicion, fear and resentment. Below is a list of feature creep that I’ve observed, but there is an underlying point. If you don’t want to read the list, just skip to the bit at the end.

Account verification via mobile phone

I thought I’d start with this one, because it erks me the most. My personal account has long since been verified. i.e. Facebook is satisfied that I am a real person, and not a robot.  If you aren’t verified you must pass a CAPTCHA test for any significant activity such as posting, or friend-adding. This isn’t new, but what seems to be new is that the only option for verifying that you are human now seems to be a SMS-based security check.

What erks me about this is that the CAPTCHA itself is the human/robot test – the mobile phone check is not proof of life; it is in fact little better than an email-based method which just proves an email address exists; it doesn’t prove that there’s a person at the end of it. I question Facebook’s motivation here. The upshot of this is that if you don’t give Facebook your mobile number you will be badgered with CAPTCHAs until you get so annoyed you verify. It also suggests they put a lower value on your email address. (Project Titan anyone?)

The “username” (vanity URL) feature is also denied to you if you do not verify. I particularly like the prompt to try another time.

iPhone address book feature

Continuing the mobile phone number theme: The superb Facebook iPhone app recently added a new feature which allows you to add your Facebook friends’ profile pictures to the corresponding entries in your phone’s address book. Before you enable this feature, you must make this fabulous clickwrap agreement (see image):

Now, don’t get me wrong – I’m not suggesting that Facebook are doing evil things with your friend’s numbers, I’m sure they really do need the phone numbers to automate this feature. I assume it’s the only unique identifier that could associate an address book entry with a Facebook profile and a manual process would ask too much of the user. But regardless of the technical reasons, this is still an example of the increasingly prevalent ‘features for data’ trade we are becoming more comfortable with. It can only make us more complacent about our own privacy.

“Tim W is no longer in a relationship”

This was actually the first of my recent observations. Facebook used to have user settings that allowed you to prevent certain events from being published as ‘news stories’. The example of relationship status is pertinent in that it is so personal. I actually went though a ‘Facebook breakup’ in 2008, but had the publishing of this story disabled. I also had the “X is now friends with Y” story disabled (for reasons I can’t be bothered to go into), but the point is that these options have disappeared. Why? Because Facebook want more activity not less, and that’s no secret.

The real-time shift accelerated by Twitter at al is to blame for this. Much of Facebook’s UX tweaks in 2009 were blatantly geared towards encouraging more chatter, more sharing, more data. Again we’re encouraged to publish more activity, but in this example it’s been achieved through denying us the right to keep it private. In my view, that’s sneaky.


This relatively new privacy option took me by surprise. Certain rather innocuous settings, such as showing the “Add as a friend” button have had their tightest option reduced to friends-of-friends. This seems reasonable, but with 300 friends each having 300 of their own, we’re talking about 90,000 people. The chance of a colleague, employer, or client being amongst that is high – In my case it’s guaranteed. Fortunately the most sensitive settings, such as photo albums, still have much tighter options, but the option itself is still a nudge toward publishing more data to more people.

The bit at the end

I must point out that I’m not accusing Facebook of any evil-doing, or breaking any laws. These examples are here to illustrate what I think is a clear direction in our use of the free (as in beer) web, and our relationships with companies like Facebook and Google where our activity has become both product and payment.

The greatest threat to our privacy is our own complacency over it. We want features, we want them for free, and we’re increasing willing to hand over whatever data is required to access them. What worries me is not what companies are doing with this data now, and not even what they might do with it in future; what worries me is how this creep is discreetly changing our behaviour such that we [as a society] no longer even care about our privacy.

We need to keep an eye on the direction in which we’re being nudged and keep an eye on the organisations that are doing the nudging. Geolocation is clearly the next thing for us to get complacent about, and personal data doesn’t get much more personal than your physical location. The recent Please Rob Me site, however tongue-in-cheek, should be enough for even the least educated to sit up and pay attention to the potential dangers of publishing your location.