The Facebook privacy paradox

Can the everyday Facebook enthusiast be expected to protect privacy on an inherently social site?

The birthday paradox, a classic illustration used in probability theory, states the probability that in a set of randomly chosen people, a pair will have the same birthday. The magic number is 23, which means that with 23 people, there is more than 50 percent probability that some pair of them will have the same birthday. As Wikipedia notes, such a result is counterintuitive to most people. Want to get to a 99 percent probability a pair will share a birthday? All you need is 57 people.

There is a similar paradox when it comes to Facebook. The paradox is why people openly share such private information as their date of birth (amongst myriad other personal details) in their Facebook profile. Over the past few months, I have made it a habit of reaching out to people and wishing them a happy birthday, courtesy of the friendly reminders I get from Facebook, like the following:

facebook reminders

Invariably, the response will be "oh my gosh, thank you, but how did you know?" For those who don't accept my answer of having a photographic memory, I inform them that I got their birthday from their Facebook profile. To which their answer is almost always, "Wow, I didn't realize it was in there."

Also see 10 reasons to quit facebook (and one reason to stay on) on CSOonline.com

Many people enter their birthday on the Facebook signup page (which is a required field at signup), but neglect to change their settings in the Facebook. Even though the page clearly states, "Visit your privacy settings to control who can see the information on your profile," the reality seems to be that most people simply bypass this in the rush to start posting on their wall.

The current Facebook default privacy setting is to allow friends to see your birthday.

facebook display birthday
facebook privacy settings

Facebook has become the whipping boy of privacy. With articles such as Danah Boyd's Facebook's Privacy Trainwreck: Exposure, Invasion, and Social Convergence [pdf link] and presentations like Gross and Acquisti's Privacy Disaster Waiting To Happen? - The Facebook and Privacy on Social Networking Sites [pdf link], it seems to many as if Facebook does the same level of data extraction that the Constitution prohibits the NSA from performing.

I think the issue is not so much Facebook privacy, but rather that the vast majority of Facebook users simply don't get privacy. Even with Facebook's new and improved privacy features, how many of the over 400 million Facebook users really and truly care about privacy? How many have taken the time to understand the nuances of what it means? Of what they need to do?

A brief statistic is telling. The video of a woman dragging her kid through the Verizon store has more than 750,000 views as of mid-June 2010. My webinar on Information Security and Social Networks is approaching the 1,500 views mark. Perhaps the secret is to get Charlie to bite the finger of privacy, as he has more than 200 million views.

As of mid-June, only 7,539 of Facebook users have liked the official Facebook and Privacy page -- 7,539 is but .000018% of Facebook users, not exactly banging down the privacy door. In other words, an infinitesimal amount of Facebook users seem to truly care about privacy.

In the coming months when Facebook hits the half-billion user mark, will even a fraction of them take action on something as relatively simple as the Facebook Privacy & Security Guide from SocialMediaSecurity.com? The truth be told, that guide is not so simple to the average user, who is not technologically savvy. And the average user seems to be the vast majority of Facebook users.

Put it this way -- if scary messages from the Surgeon General cant get people to quit smoking, do you really think that the Facebook Privacy Policy (currently more than 5,700 words long), will scare them straight about the dangers of inappropriate wall posts?

There is a naivete that if you build the Facebook privacy controls, then "they will come" and implement them. In Making Control Simple, Facebook founder and president Mark Zuckerberg writes that "the number one thing we've heard is that there just needs to be a simpler way to control your information." Even with more user-friendly controls, we run precisely into the same problem that researchers Alma Whitten and J. D. Tygar did in Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 [pdf link].

In this seminal paper, the authors showed that users have great difficulty using the PGP encryption software. In the study, only four out of the 12 college students who participated (and who were quite computer literate) were able to correctly sign and encrypt an email message within 90 minutes. Twenty-five percent of them actually accidentally sent the secret email in clear text. Whitten and Tygar concluded from the usability test that "designing security software that is usable enough is a specialized problem, and user interface strategies that are appropriate for other types of software will not be sufficient to solve it."

It's not that Scott McNealy was wrong when he said, "You have no privacy anyway, get over it." The reality is that privacy in the era of social networks is far too abstract as a concept, and far too difficult as a technical control for the populace to effectively implement over the long term.

Security and privacy can't be simply implemented in a few mouse clicks. Consider that the HP security checklist [pdf link] for a multi-function printer is 50 pages in length. While the manual for the Black & Decker model T2707S toaster is but six pages, privacy is clearly harder than making toast.

From a privacy perspective, Facebook is more than a single site like Amazon or eBay. Facebook is a global platform that enables Facebook users to interact with other users across the Facebook universe. The downside to this is that affords significant power to Facebook. But even with that, most people seem to further embrace Facebook, even with it privacy and application vulnerability issues, rather than flee from it with privacy concerns.

Also see 5 Facebook, Twitter scams to avoid

Will privacy apprehensions be the ultimate undoing of Facebook? I doubt it, but Diaspora bills itself as "the privacy aware, personally controlled, do-it-all, open source social network." Designed as a decentralized alternative to Facebook, Diaspora is scheduled for release in September 2010. Only time will tell if Diaspora will become the site for people who care about privacy. But history is lined with failed privacy companies such as Zero-Knowledge Systems; and others, such as PGP, while important, still have not achieved critical mass.

For those who really want privacy on Facebook and other social networks, taking to heart the refrain of the song from Cracker -- "Get Off This" -- would likely benefit them much more than navigating the rough waters of Facebook privacy -- if you want to change the world, shut your mouth.

Ben Rothke CISSP, CISA (ben.rothke@bt.com) is a Security Consultant with BT Professional Services, the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education)

.

Rothke's previous articles for CSOonline include a look at Who's Who directory scams as well End-to-End Encryption and other articles on PCI compliance.

Join the discussion
Be the first to comment on this article. Our Commenting Policies