Facebook and Online Privacy

Many people are happy to hand over their personal information to social media companies such as Facebook, but few people have much idea of:

• exactly who or what receives their information;
• how much information about them is obtained from other sources;
• what happens to the information they hand over;
• the possible consequences of handing over that information.

Who are You Giving Your Information to?

People often assume that when they fill in a form on a website, they are lending their personal details to a faceless digital computer. In fact, they are handing over their information to the human beings who own the website.

Typing words into a box on a computer screen is not fundamentally different to writing words on a piece of paper. Clicking a button to send the information down the phone line is not fundamentally different to putting the piece of paper in an envelope and posting it. Yet people treat electronic interaction quite differently to pen–and–paper interaction.

Other Sources of Information About You

Social media companies will of course have access to all the personal information you give them, but they will obtain information about you from other sources too:

• They will often be able to match your personal details to any information which other people provide about you, such as tagged photographs. Facebook’s facial recognition technology allows you to be identified in a photograph even if you are not explicitly tagged.
• Facebook cookies exist on many non–Facebook websites. These cookies allow the company to build a picture of an individual’s web browsing habits, and to match your personal details to that picture.
• Facebook ‘Like’ buttons function in much the same way as cookies, by allowing Facebook to match your IP address to the websites you visit.

Losing Control of Your Information

Once your information is out there, it is almost impossible to get it back. As film and music companies have discovered, information in digital form can easily be copied and distributed without your consent.

Personal information which you used to control is now controlled by others. This loss of control is especially noticeable in the case of social media companies, whose terms and conditions generally state that by the act of uploading information, users are allowing the company control over that information.

Selling Your Information to Advertisers

Most social media companies are set up specifically in order to sell their subscribers’ personal information to advertisers, with the cost passed onto those who buy the advertisers’ products. Facebook even sells images of its users’ faces to advertisers, without asking permission, without payment, and without giving the users the chance to opt out. The company was sued, and paid $10 million to settle the case.

Newspapers have been selling readers to advertisers for ages, of course, but they do not sell as complete a profile as that amassed by social media companies. A newspaper company will not normally possess any information about your age, health, education, leisure interests, or employment history. Many people willingly hand over that sort of information to social media companies.

Facebook Applications

Facebook goes one step further. It makes its users’ personal information available also to those who create applications such as quizzes and games.

If you sign up for a Facebook application, you are in effect handing over to the application’s developer all the information which is held about you by Facebook. Because there are many thousands of Facebook applications, it is impractical for Facebook to impose any kind of quality control. Your information could end up anywhere. Plenty of crooks have set up Facebook applications specifically in order to obtain personal information.

Fortunately, it is straightforward to delete Facebook applications.

Other Social Media Users

It is not only social media companies and their customers who own your personal information. Other users are able to obtain access to more information than you might think, such as unlisted phone numbers. Facebook even encourages its members to upload the phone numbers of non–members, which are then made publicly accessible.

What Happens When Your Information Goes Astray?

Once you lose control of your information by posting it on a social media website, anything can happen to it:

• It is common practice for employers to look online for information about potential employees. You may have forgotten about that embarrassing photograph that your friend put on Facebook last year, but it’s still out there, and it may well be tagged with your name.
• Plenty of people have lost their jobs after broadcasting unflattering comments on social media websites, unaware of how widely the comments are distributed. Here is one example, and here is another. Even if you do this in your own time, using your own computer and your own internet connection, some employers will find out about it, and will not see the funny side. Employers may or may not be justified in sacking people for this, but you should be aware that they will often have the power to do so.
• Identity thieves prey on those who broadcast their personal details on social media websites.
• Fraudsters have been known to set up a fake Facebook account, using personal information taken from a genuine account, and then to use this fake account maliciously.
• People have been harassed — or worse — by ex–partners or random strangers who had made use of information that the victim had posted on social media websites. By the way, if you are thinking of looking up an old friend (or enemy) you should be aware that Facebook will know about that too.

Facebook’s Effective Privacy Policy

One common complaint about Facebook in particular is that its privacy controls are vague, too lax by default, and poorly explained. It is of course in the company’s interests for its users to provide as much personal information as possible. Its privacy policy serves to achieve this. The length of the privacy policy, around 6,000 to 7,000 words, serves to deter all but the most dedicated readers from discovering exactly what it contains.

Deleting Information from Facebook

Deleting specific pieces of personal information from a social media account is generally easy to do. Deleting an entire Facebook account is more difficult, but it can be done. There are plenty of reasons why you might want to delete your Facebook account.

How to Delete Your Facebook Account

1. Log into your Facebook account.
2. Go to http://www.facebook.com/help/contact.php?show_form=delete_account.
3. Under the heading, ‘Delete My Account’, you will see two buttons, marked ‘Submit’ and ‘Cancel’. Click Submit.
4. You will see this message: ‘You are about to permanently delete your account. Are you sure?’. There are two boxes for you to fill in.
5. Type your Facebook account’s password in the box marked ‘Password’.
6. Underneath the password box, there is a larger box containing two squiggly words. Type them in the empty box immediately underneath.
7. Click Okay.
8. Ignore all the stuff about how badly your friends will miss you.
9. You will see a message telling you that you have 14 days in which to change your mind. Click Okay again.
10. Do not log into your Facebook account within the next 14 days, or the cancellation process will itself be cancelled, and your account will remain active.

What Happens When I Delete Information?

When you delete part or all of your personal information from a social media account, you are not erasing the information from the computers on which it is stored. All you are doing is erasing a publicly accessible link to that information.

The organisation to which you have given your information, and any organisations with which it in turn has shared that information, still retains it, and still owns it, as this interview with a Facebook employee makes clear.

How Do I Transfer Information away from Facebook?

You can’t. If you want to transfer your information from Facebook to a different social media website, you are out of luck.

Unlike some social media websites, Facebook operates what is known as a ‘walled garden.’ You are welcome to enjoy the garden, and you are encouraged to bring your personal details with you, but on the way out you will be frisked and you will have to empty your pockets. All the photographs you gave to Facebook, and all the messages you sent and received via Facebook, will remain with Facebook.

How to Use Facebook Safely

Social media provides a service that many people value. Despite all the problems, it is possible to use it while retaining a reasonable amount of personal privacy.

Most of the following advice applies to all social media companies, but it applies especially to Facebook because of the company’s size and its laxity with data.

Give Less Information to Facebook Directly

• Set up separate accounts to deal with different circles of friends, acquaintances, and work colleagues. This is against the rules of some social media companies, but it is very common, and the companies usually turn a blind eye.
• Set up each account using a false name, and make sure that all of the accounts’ personal details are incorrect. Again, this is a common technical infringement, which Facebook is unlikely to notice unless you happen to share a name with a famous person. If the company requires you to provide an email address, create a separate one for each account, and do not include your real name in any of them. You can get a free email address from any number of places, such as Google, Yahoo, and Hotmail.
• Keep each online social circle as small as possible.
• Learn how to use Facebook’s privacy settings, and understand what your own Facebook privacy settings mean. Keep up to date with any changes the organisation makes to those settings; admittedly, this is easier said than done.
• Never upload bulk lists of phone numbers or email addresses from your computer or mobile phone.

Give No Information to Facebook Indirectly

• Each time you log out of your Facebook account, clear your cookies. Facebook has a network of cookies on other websites, and can use this network to construct a picture of your interests. Simply logging out will not prevent Facebook tracking you from website to website; you must also delete its cookies. If you don’t know how to do this, see the instructions on our Internet Privacy page.
• Most of the Facebook ‘Like’ buttons on other websites are generated by JavaScript. Using NoScript will prevent Facebook tracking you in this way, and will also provide a defence against malicious software and unwanted advertisements.
• Finally, the most obvious point, which you have probably already worked out — never, ever visit any other websites while logged into a Facebook account. If you absolutely must stay logged in, use two web browsers: one of them exclusively for Facebook, and one for general browsing.

Controlling Your Personal Information

Of course, it is impossible to function online without giving away some personal information, but the less information you hand over, the more control you will have over your own life. As the old saying goes, you can’t put the toothpaste back in the tube.

(N.B. — This was written in 2011, when Facebook was the dominant social media organisation. By the time you read this, Facebook may well have gone the way of earlier, now forgotten, social media companies, but a new monster will no doubt appear, and the advice will still apply.)

Update (2013)

There is a detailed account of how Facebook shares your personal information, and what you can do about it, here: https://www.eff.org/deeplinks/2013/04/disconcerting-details-how-facebook-teams-data-brokers-show-you-targeted-ads. The article looks at the problem from a US point of view, but things won’t be much different elsewhere in the English–speaking world.