If you're reading this article, chances are good you have a page on Facebook, too. More than 150 million Americans already use the site, and the number grows daily because Facebook makes it so easy to keep up with friends, family, and colleagues, discover great content, connect to causes, share photos, drum up business, and learn about fun events.
To deliver this service, Facebook and other social networks collect enormous amounts of highly sensitive information—and distribute it more quickly and widely than traditional consumer data-gathering firms ever could. That’s great when it helps you find old classmates or see ads for things you actually want to buy. But how much information is really being collected about you? How is it being used? And could it fall into the wrong hands?
[Related: Facebook: A masterpiece and cultural catastrophe]
To find out, we queried Facebook and interviewed some two dozen others, including security experts, privacy lawyers, app developers, and victims of security and privacy abuse. We dug into private, academic, and government research, as well as Facebook’s labyrinthian policies and controls. And we surveyed 2,002 online households, including 1,340 that are active on Facebook, for our annual State of the Net report. We then projected those data to estimate national totals.
The picture that emerges has bright spots but also many causes for concern, including the following:
Some people are sharing too much. Our projections suggest that 4.8 million people have used Facebook to say where they planned to go on a certain day (a potential tip-off for burglars) and that 4.7 million “liked” a Facebook page about health conditions or treatments (details an insurer might use against you).
Some don't use privacy controls. Almost 13 million users said they had never set, or didn’t know about, Facebook’s privacy tools. And 28 percent shared all, or almost all, of their wall posts with an audience wider than just their friends.
Facebook collects more data than you may imagine. For example, did you know that Facebook gets a report every time you visit a site with a Facebook “Like” button, even if you never click the button, are not a Facebook user, or are not logged in?
Your data is shared more widely than you may wish. Even if you have restricted your information to be seen by friends only, a friend who is using a Facebook app could allow your data to be transferred to a third party without your knowledge.
Legal protections are spotty. U.S. online privacy laws are weaker than those of Europe and much of the world, so you have few federal rights to see and control most of the information that social networks collect about you.
And problems are on the rise. Eleven percent of households using Facebook said they had trouble last year, ranging from someone using their log-in without permission to being harassed or threatened. That projects to 7 million households—30 percent more than last year.
Some of these issues arise from poor choices users themselves make. But there is also evidence that people are treating Facebook more warily; 25 percent said they falsified information in their profiles to protect their identity, up from 10 percent two years ago. Other problems can stem from the ways Facebook collects data, how it manages and packages its privacy controls, and the fact that your data can wind up with people or companies with whom you didn’t intend to share it.
Andrew Noyes, Facebook's manager of public policy communications, says the company takes privacy and safety issues seriously. He pointed us to a blog posted last year by founder and CEO Mark Zuckerberg, who wrote, “We do privacy access checks literally tens of billions of times each day to ensure we’re enforcing that only the people you want see your content.” And Facebook has made efforts to respond to concerns. Even as this article went to press, the company announced that it would offer users greater access to records of their past Facebook activity.
But some critics worry that the very existence of such a massive repository of personal data demands extraordinary protections and controls. “Last time I checked, large corporate interests aren’t allowed to trample on widely recognized fundamental rights just because their founders have invented some new, profitable privacy-busting product, yet that is exactly what has happened to privacy rights over the past few years,” charges James Steyer, founder of the children’s-advocacy group Common Sense Media and author of the book “Talking Back to Facebook.”
[Related: Hiding Money From Your Spouse Has Gotten a Lot Harder]
In this article, we examine the gap between these two viewpoints to see where the truth lies. We focus on Facebook because it is the world’s largest social network, with 800-million-plus users, far more than competitors such as Google+ and LinkedIn. Facebook is also of interest because it has declared its intent to go public and is poised to raise billions more dollars in funding. What we found was sometimes fascinating and other times disquieting—but always worth knowing if you wish to keep your data under better control.
Social networks are rewriting social rules
One thing is for sure: Facebook and other social networks are changing the way the modern world operates and “rewriting the rules” of social engagement, as Chief Operating Officer Sheryl Sandberg puts it.
Examples abound. Facebook recently partnered with the Department of Labor and others to help connect job seekers and employers, developing systems to make job postings viral. When tornadoes hit the Midwest and Texas this year, photos of animals posted on Facebook helped families find lost pets. The network keeps active-duty soldiers in touch with families, including a National Guardsman serving in Afghanistan who not only reconnected with the woman who later became his wife but now uses it to follow the daily milestones of his newborn daughter. And millions now turn to Facebook to express their opinions to government and businesses, flexing their collective muscle in ways never possible before.
The site also aids commerce. Last year, 1-800-Flowers.com boosted sales of its Modern Embrace Pink Rose & Lily Cube and Make Mom’s Day Bouquet before Mother’s Day by asking moms to use a “Like” button to indicate their preference. And more than 18 million people visited or “liked” a brand’s page after learning that friends had done so, our survey suggests. That’s why so many organizations maintain pages on Facebook. At the Consumer Reports page, for example, we host live chats with our experts, share articles, and query visitors to help in our reporting. We have also bought ads on Facebook to tell users about our activities.
Ads like those are what keep Facebook so profitable. The company uses your data to help advertisers deliver ads that you may find useful. Suppose, for example, that you have “liked” the San Francisco 49ers page, or simply posted comments about football. You shouldn’t be surprised to see ads in the margins for football tickets, fan paraphernalia, and the like. Facebook does not share any of your information with advertisers that buy those ads unless you give permission. If you click the ad and purchase something, the advertiser obviously learns who you are. And even if you simply “like” a brand page, the company can automatically send posts to your account. Such reach helped Facebook multiply revenue almost fivefold in the past two years, to $3.7 billion in 2011.
This revenue model dovetails neatly with Zuckerberg’s oft-stated goal of “making the world more open and connected.” The more data you share, the more Facebook knows about you and the more powerful its ad-targeting machine becomes.
Privacy experts worry that Facebook’s business model runs contrary to people’s interests. “Facebook has purposefully worked to erode the concept of privacy by disingenuously claiming users want to share all of their personal information,” says Jeff Chester, founder of the Center for Digital Democracy, a D.C.-based consumer group.
Others, like widely followed blogger Robert Scoble, scoff at this fear. “I make everything public on my Facebook account and I’m not worried about privacy because the more I share about who I am and what interests me, the more Facebook can bring me content that I care about,” says Scoble, startup liaison officer for Rackspace, a global Web-hosting company. “Yes, people have lost jobs because of things they have posted on Facebook, but you can also end up getting jobs and making all kinds of great connections because you’ve posted about your passions.”
Different standards regarding your privacy
This deep division of opinion is reflected in the widely divergent approaches that nations have adopted regarding laws that govern privacy.
In Europe, companies must notify consumers before collecting their data, and people have the right to obtain and correct copies of their information. The European Commission recently proposed even tighter rules that would require explicit “opt-in” consent before data were gathered and let you order that your data be permanently deleted—a provision known as the “right to be forgotten.”
In the U.S., on the other hand, there are strong federal privacy laws covering your financial and health data. But Americans have few federal rights to see and control much of the information they share through social networks.
Given the differing protections, it’s worthwhile to ask what data Facebook actually keeps about you. Until recently, that was hard to find out. Even Facebook's “Download Your Information” tool yielded only part of your personal file.
We know that thanks in large part to Max Schrems, a 24-year-old Austrian law student who managed to get a fuller copy of his personal information last year from Facebook's Dublin office, which oversees relations with users outside the U.S. and Canada. Schrems was surprised to discover, among the 1,222 pages of data covering three years of Facebook activity, not only deleted wall posts and messages, some with sensitive personal information, but e-mail addresses he’d deleted and names he’d removed from his friends list.
Schrems formed an activist group called Europe-v-Facebook.org, which posts redacted copies of the files he and others have freed from Facebook. His file contained 57 categories of personal data, including the date and time of log-ins and his last known geographic location, including longitude and latitude.
Facebook collects the same type of detailed information on American users, as confirmed by documents it released to Boston police during their investigation of Philip Markoff. He committed suicide in jail in 2010 shortly before going to trial for the murder of a young woman in what news accounts had dubbed the “Craigslist Killer” case. Markoff’s Facebook file included copies of his wall posts, page after page of photos, a list of the exact times he logged in, his IP addresses (the unique strings of numbers that identify where you’re accessing the Internet), as well as his list of friends.
“It is very likely that no government or corporation has ever managed to gather such a huge amount of personal and often highly sensitive data,” Schrems said in complaints filed with the Irish Data Protection Commission. The commission conducted an audit and said it would review in July Facebook’s progress toward giving European users greater control over their data. The changes Facebook announced recently represent a step in that direction, though users still won’t be able to get everything. Facebook says the expanded data will be rolled out in Europe and Canada first, and later in the U.S.
While improved privacy controls are welcome, some observers say they don’t address the core issue. Eben Moglen, a Columbia University law professor who supports decentralized data sharing, worries that Facebook's focus on privacy controls is “like a magician who waves a brightly colored handkerchief in the right hand so that the left hand becomes invisible. From a consumer’s viewpoint, Facebook’s fatal design error isn’t that Johnny can see Billy’s data. It’s that Facebook has uncontrolled access to everybody’s data, regardless of the so-called privacy settings.” And even users who adjust those settings can be surprised by where their information winds up.