The Social

Read all 'privacy' posts in The Social
December 3, 2009 2:57 PM PST

Facebook notifies members about Beacon settlement

by Caroline McCarthy

An e-mail was sent on Thursday to Facebook users who were members at the time that its controversial, now-defunct Beacon advertising program was operated: it's the official notice about the proposed settlement for the class-action lawsuit against Beacon. The terms of the settlement have been public since September, but the court-ordered summary notice is the last step in the process before final approval on February 26.

"This is not a settlement in which class members file claims to receive compensation," the notice explained (possibly crushing the hopes of any Facebook members who might have got excited that this would be an easy way to make some pizza money). "Under the proposed settlement, Facebook will terminate the Beacon program. In addition, Facebook will provide $9.5 million to establish an independent nonprofit foundation that will identify and fund projects and initiatives that promote the cause of online privacy, safety, and security."

A Web site has been set up to explain the terms of the settlement for the case Lane et al. vs. Facebook Inc. et al., which was originally filed last summer.

Beacon, an advertising program that shared members' activity on participating third-party sites on their Facebook profiles without much warning or notification, was a much-hyped part of the Facebook Ads initiative that debuted in the fall of 2007. But it was, unfortunately for Facebook, a complete public relations disaster.

Pressure from privacy and activist groups resulted in notable changes to the product and member controls thereof, but image repair proved to not be enough and Facebook let Beacon fade to black.

October 29, 2009 1:33 PM PDT

Facebook spells out updated privacy policy

by Caroline McCarthy

Facebook head of communications Elliot Schrage posted a company blog entry on Thursday inviting members to review proposed updates to the social network's privacy policy, and much of it deals with what happens to the content of accounts that members have opted to delete.

"Specifically, we've included sections that further explain the privacy setting you can choose to make your content viewable by everyone, the difference between deactivating and deleting your account, and the process of memorializing an account once we've received a report that the account holder is deceased," Schrage wrote. Earlier this week, Facebook detailed the process of "memorializing" an account, which leaves the profile intact to current friends but hides potentially sensitive information.

Now, in the proposed new policy, which members are invited to review and comment on until November 5, Facebook explains to users that they can "deactivate" their account, which hides it but keeps information stored for potential reactivation, or alternately choose to delete it for good.

"Even after you remove information from your profile or delete your account, copies of that information may remain viewable elsewhere to the extent it has been shared with others, it was otherwise distributed pursuant to your privacy settings, or it was copied or stored by other users," the new wording explains. It's referring to content like posts and comments on other members' profile 'walls.' "However, your name will no longer be associated with that information on Facebook."

It's been a long and twisted road for Facebook's privacy regulations. The new policy was put into place after a complaint from the Canadian Privacy Commission called into question what would happen to member profile data if a user deactivated an account.

That fiasco followed outrage over changes to Facebook's terms of service that implied Facebook claimed an "irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license" to member content even if the account had been deleted. One privacy advocacy group readied a federal complaint, and Facebook backed off and returned to its old terms of service.

In July, Facebook cleaned up its user privacy controls as it prepared to open up more of its profile content to public access and search engines.

But the Canadian Privacy Commission had also taken issue with how much Facebook profile information could potentially be shared with third-party developers or advertisers. Facebook made additional modifications to its user privacy controls in August in response to concerns about the developer platform, and in Thursday's post about the new privacy policy Schrage highlighted that the social network does not intend to share personal data with advertisers.

"The information we provide to advertisers is 'anonymized,' meaning that it can't be traced back to you as an individual in any way," Schrage's post explained.

September 18, 2009 11:58 PM PDT

Facebook Beacon has poked its last

by Caroline McCarthy

It's finally over for Beacon, the ill-fated advertising program that the social network initially launched with splashy Madison Avenue fanfare nearly two years ago.

The social network has settled a year-old class action lawsuit that targeted its alleged failure to provide adequate information and privacy controls to users with regard to Beacon, which shared information about users' activity on third-party partner sites in Facebook news feeds.

One of the terms of the settlement? Any last vestiges of Beacon, which failed to gain traction amid a barrage of negative press stemming largely from advocacy groups like MoveOn.org, will be shut down completely.

Also as part of the settlement, which is still pending approval from a judge, a $9.5 million "settlement fund" has been established to set up an independent foundation to "fund projects and initiatives that promote the cause of online privacy, safety, and security," according to a release. Up to a third of that fund, however, can potentially be recovered by the plaintiffs' lawyers.

"We look forward to the creation of the foundation and its work to educate Internet users on how best to control their privacy; engage in safe social-networking practices; and, generally, enjoy themselves more online by having knowledge that gives them a greater sense of control," a statement from Facebook representative Barry Schnitt read. "We fully expect the foundation to team with other leading online-safety and privacy experts and organizations that have been working diligently in these fields."

The suit was filed in August 2008 on behalf of 20 plaintiffs, most of whom were Texas residents. Named as defendants were Facebook, along with current and former Beacon participants Blockbuster, Fandango (owned by Comcast), Overstock.com, STA Travel, Zappos, Hotwire (owned by InterActiveCorp), and GameFly. Another, earlier Beacon-related lawsuit had been filed against Blockbuster several months earlier, claiming that its participation in the advertising program violated the Video Privacy Protection Act of 1987. Facebook was not named as a defendant in that suit.

Shortly after the negative buzz about Beacon started, Facebook began tweaking and modifying the program to allow more user control over the feature. But it was too late: advocacy groups claimed that it still wasn't enough, some existing partners pulled out, and others were likely deterred from participating because of the unsavory implications. Surprisingly, a "small number of customers" were still using it; Facebook will work to transition them out of it.

Facebook's experiments in social-media advertising turned instead to "engagement ads," which have come under some scrutiny themselves, and the "fan pages" that it encourages brands, organizations, and celebrities to create.

The irony behind Friday's news is that the thinking behind Beacon ultimately evolved into the phenomenally successful Facebook Connect, the universal log-in standard that, among other things, shares third-party activity on members' Facebook profiles.

The privacy controls on Connect are clearer and more extensive, but perhaps more crucial to Facebook Connect's success has been the fact that it's been marketed as a utility for ordinary members rather than an advertising tool for paying clients. It's free for third-party sites to implement, and with only a few exceptions, sites working with Facebook Connect code it in through the social network's application programming interface, or API, rather than ink a formal partnership.

And offering Facebook users the chance to register and log in to external sites without separate usernames and passwords gives Facebook Connect's marketing a slant of user convenience--and security, as some Web users may be more comfortable hitting a "Connect with Facebook" button than registering for an account with a new Web service.

"We learned a great deal from the Beacon experience," the statement from Facebook's Schnitt read. "For one, it underscored how critical it is to provide extensive user control over how information is shared. We also learned how to effectively communicate changes that we make to the user experience. The introduction of Facebook Connect--a product that gives users significant control over how they extend their Facebook identity on the Web and share experiences back to friends on Facebook--is an example of this."

August 27, 2009 8:22 AM PDT

Facebook ratchets up privacy controls (again)

by Caroline McCarthy

A recent simplification of Facebook's user privacy controls wasn't enough for some policymakers.

On Thursday, in conjunction with the Canadian Privacy Commissioner, Facebook announced a new set of modifications to its user privacy controls as well as its developer API, and the targets of these changes are the thousands of third-party applications built on Facebook's developer platform. That means there may be major implications for developers--some of whom rely almost exclusively on Facebook activity as a revenue source.

The Canadian Privacy Commissioner's office released a set of recommendations for Facebook last month, specifically highlighting concerns that third-party applications could access a significant amount of users' personal data. "It's clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates," commissioner Jennifer Stoddart said in a release at the time.

Facebook's newest set of changes will require third-party applications to specify which fields of user data they access (birthdays, favorite music, geographic location, etc.) and will require users to offer explicit permission before an app can access any of their friends' profile data. This is also in tune with recommendations offered earlier this week by a chapter of the American Civil Liberties Union, which highlighted the amount of personal data that third-party apps can access--sometimes without a user knowing it.

"Our productive and constructive dialogue with the Commissioner's office has given us an opportunity to improve our policies and practices in a way that will provide even greater transparency and control for Facebook users," Elliot Schrage, Facebook's vice president of global communications and public policy, said in a release Thursday. "We believe that these changes are not only great for our users and address all of the Commissioners' outstanding concerns, but they also set a new standard for the industry."

But what does it mean for developers? This could make it difficult for some apps--particularly the sillier ones that rely on heavy viral spread and often one-time use--to gain traction and stay effective. These are similar concerns to those that arose when Facebook cracked down on apps that it deemed "spammy" (and often rightfully so). But on the other hand, the new privacy controls could stave off bad press that could easily paint the developer platform as a whole as unsafe or untrustworthy.

"It is important for developers to have access to information, but we want to balance that with transparency and control for users," Ethan Beard, Facebook's director of platform product marketing, said in a blog post geared toward developers.

"We have committed to making these enhancements over the next twelve months, and anticipate a lengthy beta period including opportunities for you to provide input, multiple blog posts, and updated documentation delivered well ahead of time," Beard's post continued. "Understanding that this will likely require modifications to your code base, we want to give you the earliest heads up that these enhancements are on our road map."

August 26, 2009 3:28 PM PDT

ACLU chapter flags Facebook app privacy

by Caroline McCarthy

The Northern California chapter of the American Civil Liberties Union has put out a campaign designed to raise awareness of the privacy implications of Facebook's developer platform. It's focusing specifically on the popular "quiz" applications, like "Which Cocktail Best Suits Your Personality?" and "Which Wes Anderson Movie Character Are You?" These are largely one-time-use apps that many a Facebook user clicks on and tries out with little concern.

According to the ACLU chapter, "millions of people on Facebook who use third-party applications on the site, including the popular quizzes, do not realize the extent to which developers of quizzes and other applications have access to personal information. Facebook's default privacy settings allow nearly unfettered access to a user's profile information, including religion, sexual orientation, political affiliation, photos, events, notes, wall posts, and groups." For the promotion, it's put together a quiz about how much you know about Facebook-based quizzes.

Side note: Creating a Facebook quiz app to draw attention to the pratfalls of Facebook quiz apps is very meta.

"It's time for Facebook to upgrade its privacy controls so that quizzes can only see what people want them to see," Chris Conley, technology and civil liberties fellow at the ACLU of Northern California, said in a release. "Users need stronger protections than Facebook currently provides."

So are the ACLU-NC's claims legitimate? The most damning one asserts that "regardless of whether a user's Facebook profile is 'private,' by taking a quiz the user allows its developer to gain access to the user's profile information...by Facebook default, every time one of a user's friends takes a quiz, the quiz has access to that user's profile information." That could have particularly alarming security implications if an app turns out to be malicious.

Facebook does not deny this, but notes that "sensitive" information like contact details are not available to third-party apps, and that Facebook has settings for users to tweak exactly how much their friends' apps can see.

Last month, the company modified its privacy settings to make them more user-friendly.

The ACLU chapter recommends that Facebook make it an opt-in, rather than opt-out process for apps to access a user's friends' data and require that apps list the specific profile data fields that they will be accessing.

"We generally agree with (the ACLU's) recommendations and have already made public announcements about relevant changes that are under way," Facebook spokesman Barry Schnitt said in an e-mail. "Specifically, we recently disabled hundreds of applications, including quiz applications, that were inconsistent with Facebook Platform policies...We've also had productive discussions with the Canadian Privacy Commissioner about improving user data controls on Platform. We'd be glad to also have productive discussions with the ACLU and generally catch them up, if they want to give us a call."

The office of the Canadian Privacy Commissioner, which has taken issue with Facebook's privacy policies, is holding a press conference on Thursday to address the subject, and Facebook plans to hold a conference call with reporters in response.

August 14, 2009 12:10 PM PDT

Security firms discover botnet on Twitter

by Caroline McCarthy

A Twitter account can be used as the command center for harnessing a "botnet" of virus-infected computers, security firms Arbor Networks and Symantec reported. In a blog post Friday, Symantec analyst Peter Coogan wrote that researchers found an account, @upd4t3, which was tweeting out links to download a piece of malware called Downloader.Sninfs. The account has since been suspended by Twitter.

Downloader.Sninfs, also known as Infostealer.Bancos, is a Trojan that uses the guise of a Brazilian banking site to collect passwords and related personal information from infected computers.

Security on Twitter is front and center right now, as the microblogging site was completely downed by a distributed denial-of-service attack last week that was targeting a Georgian political blogger. While other services like Facebook and the Google-owned Blogger were also hit by the attack, Twitter was the only one to suffer a full-out, hours-long outage, and it called into question just how secure the service really is.

But in this case, the Twittering botnet doesn't necessarily highlight a vulnerability that would be unique to Twitter.

"Although Twitter.com has been used in this instance, there are plenty of alternative sites on the Internet that could also be used as a similar medium of communication," Coogan wrote.

This post was updated at 1:05 p.m. PDT to note that Arbor Networks also reported the Twitter-based botnet.

July 17, 2009 10:47 AM PDT

Canadian official takes issue with Facebook privacy

by Caroline McCarthy

An investigation by Canada's Privacy Commissioner has raised concerns that Facebook is only paying lip service to members' privacy, and the commissioner has called on it to do more.

"It's clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates," commissioner Jennifer Stoddart said in a release Thursday, which explained that the investigation was spurred by a complaint from the Canadian Internet Policy and Public Interest Clinic (CIPPIC).

About 12 million of Facebook's 250 million active users are Canadian.

More specifically, Stoddart expressed concern that while it's easy for members to deactivate their accounts, it's less clear how to actually delete them. Facebook therefore can retain member data from deactivated accounts for an indefinite period of time, which is in violation of a Canadian privacy law; Stoddart's office's investigation recommended that Facebook designate a time period after which that data is permanently deleted.

The report also suggests that Facebook tighten privacy regulations on its developer platform to ensure that third-party developers can't access too much personal information from the users who have installed their applications.

Here's something interesting from the release: "As a result of the investigation, Facebook has announced a new privacy tool for its site, which is aimed at giving users more control over who gets to see each item on their Facebook page."

Facebook launched those new tools in a conference call with reporters early this month. But the social network did not say at the time that there had been any impetus from lawmakers behind it.

"Facebook is pleased that the Canadian Federal Privacy Commissioner has dismissed most of the inaccurate claims brought by CIPPIC, and that we were able to collaboratively resolve other issues raised in the complaint," a statement from Facebook read. "The Commissioner also recognized, as we do, that privacy and user control on the social web is a new area, which requires websites, users and data protection authorities to work together. Without question, Facebook and the Canadian Privacy Commissioner's Office share the common goal of making the Internet more privacy friendly for Canadians and users across the world."

"As part of our continued leadership in developing privacy tools that advance user control over their information, Facebook will soon be introducing a number of new additional privacy features to its service that we believe will keep the site at the forefront of user privacy and address any remaining concerns the Commission may have," the statement continued. "In the meantime, we will also continue our efforts to work with the Canadian Federal Privacy Commissioner to address the outstanding areas highlighted in the report and will continue our efforts to raise awareness of the privacy controls on Facebook."

This post was updated at 11:04 a.m. PDT with comment from Facebook.

July 2, 2009 9:27 AM PDT

Ad industry groups agree to privacy guidelines

by Caroline McCarthy

A coalition of advertising industry trade groups has agreed on new guidelines for privacy related to behavioral targeting on the Web. Officially released on Thursday and expected to go into effect early next year, the set of principles concerns what advertisers can do with personal data collected in order to zero in on target audiences.

The groups involved are the American Association of Advertising Agencies (4A's), the Association of National Advertisers (ANA), the Direct Marketing Association (DMA), and the Interactive Advertising Bureau (IAB).

The guidelines take the form of seven principles, ranging from a commitment to better consumer education about behavioral targeting, to a focus on keeping potentially sensitive data secure.

"Consumers deserve transparency regarding the collection and use of their data for behavioral advertising purposes. I am gratified that a group of influential associations--representing a significant component of the Internet community--has responded to so many of the privacy concerns raised by my colleagues and myself," Federal Trade Commission (FTC) commissioner Pamela Jones Harbour said in a release.

"These associations have invested substantial efforts to actually deliver a draft set of privacy principles, which have the potential to dramatically advance the cause of consumer privacy. I commend these organizations for taking this important first step."

Lawmakers have paid close attention to the evolution of online behavioral targeting over the past few years, especially as the vast amount of personal data on social networks makes it possible for advertisers to target more and more specific niches. Some have even suggested that behavioral targeting should be opt-in by default.

Last month, several subcommittees of the U.S. House of Representatives Committee on Energy and Commerce hosted a hearing about behavioral ad standards, and executives from companies like Facebook, Yahoo, and Google testified. At least one of those companies has come out publicly in support of the new guidelines.

"One of the key strengths of the principles is the fact that they apply to a broad range of companies participating in online advertising--advertisers, publishers, and ad networks," a post about the new measures on Google's public policy blog read.

Originally posted at Digital Media
July 2, 2009 5:26 AM PDT

Court: MySpace not liable for offline assaults

by Caroline McCarthy

Social-networking sites and other Web services can't be held liable in a sexual assault on a minor that stemmed from a meeting online, according to a ruling in a California appeals court that consolidated a number of complaints against MySpace on behalf of teenage girls and their parents.

Reuters reported late on Wednesday that the Second District Court of Appeals in Los Angeles cited the Communications Decency Act in coming to the conclusion. Claiming negligence and product liability, the plaintiffs had alleged that MySpace had failed to put in place age verification software or to keep profiles on a "private" setting.

Other federal courts have come to similar rulings. Last year, a Texas court ruled that the family of a 14-year-old girl who was assaulted by a man she met on MySpace could not hold the social network responsible. The girl in question had lied about her age when she created a profile, claiming to be a legal adult, and the court ruled that it was her parents' job, not MySpace's, to keep her safe.

This week's ruling in Los Angeles received a thumbs-up from MySpace and parent company News Corp. It could also have repercussions across other social networks and community-based Web sites, which have been subject to scrutiny from authorities over both safety and decency standards. Craigslist, for example, has faced a crackdown on sex-related ads after both allegations of rampant prostitution and a high-profile case in which a Craigslist encounter allegedly ended in murder.

The situation can be different if there is actual harassment conducted through the social network, rather than an offline assault. In that case, if it appears that a Web service isn't doing enough to keep members safe while using the site, it can, in some cases, be held responsible.

Facebook and MySpace are working with state attorneys general to keep registered sex offenders out of their user bases, following allegations from lawmakers that they weren't doing enough to maintain a safe environment for minors.

On Thursday, the sentencing is expected in another Los Angeles court for Lori Drew, who has been convicted of three misdemeanors after impersonating a teenage boy on MySpace and harassing a 13-year-old girl allegedly to the point of suicide.

Drew could be sentenced to up to three years in prison and forced to pay a fine of $300,000, a far lesser sentence than she originally faced.

July 1, 2009 10:34 AM PDT

Facebook cleans up its privacy controls

by Caroline McCarthy

Revamped privacy settings are coming soon to Facebook.

The social network's privacy controls had gotten so sprawling that they were distributed across six separate pages and 40 different settings, according to a conference call the company held on Wednesday.

"These can add up and pile up and not be as clean as one would like," Facebook chief privacy officer Chris Kelly said on the call. From what it sounds like, they'd gotten so complicated that many members just ignored them altogether--something that Facebook certainly doesn't want as it encourages its 200-million-plus members to post and share even more content.

As a result, Facebook's new controls will be more streamlined so as to offer easier and simpler controls about how much everything from entire profiles to individual pieces of content is shared. Users will be introduced to this through "transition tools" that allow them to toggle how open everything on their profile will be--totally public, friends-only, restricted to company or school networks, etc.

One of the biggest changes along with the new controls is that Facebook is getting rid of "regional networks," the opt-in way that members could designate themselves as residents of certain geographic areas. Only half of members even joined these networks, according to Facebook. It's a change that's been anticipated for some time, and privacy controls regarding regional networks have already been phased out.

"Networks were kind of the bedrock of privacy," product manager Leah Perlman said on the call. "When we expanded past college and work (networks), we created the concept of regional networks in order to have our privacy model expand." Members could share content selectively with members of their regional network, but representatives said that it was never quite clear as to exactly who else was in that regional network, and the delineation of networks was messy--some were defined by city, others by broader region or state, and others encompassed entire countries.

Facebook chief privacy officer Chris Kelly is also considering a run for attorney general of California.

(Credit: Kelly2010.com)

There were, for example, separate networks for each of New York City's five boroughs, but most residents just chose to join the broader "New York, NY" one instead. Facebook says that this shouldn't affect locally targeted advertisements: the company will be porting regional network data to its "Current City" field, and has already been using other data like IP address information to hone local ad targeting.

Facebook is keeping school- and company-based networks intact.

This comes in the wake of an announcement that Facebook would be tweaking its "publisher," the toolbar that lets members update their status messages or post content like individual photos and videos. The "publisher" will now have a privacy toggle for individual pieces of content, letting a user choose whether to make them available to friends only, custom friend groups, or--for the first time--to the Web at large. Making content available publicly will bring Facebook better in line with the thirst for real-time, searchable mass information that Twitter has captured so effectively thus far.

So how will this be handled? Facebook members will be guided through one of the aforementioned "transition tools," which representatives said will take one of two forms: either an ultra-specific set of granular, custom controls or a more no-brainer set of radio buttons. The new controls will first be tested with 40,000 users in the U.S. before rolling out to a bigger, international group of beta testers and then worldwide.

Last updated at 12:20 p.m. PDT.

About The Social

CNET News' Caroline McCarthy is a downtown Manhattanite who believes that, despite popular opinion, the Web can actually help your social life. She's happily addicted to fun social-media tools from Twitter to Yelp to Facebook, sends an inordinate number of text messages, and has a tendency to waste time at the office reading restaurant blogs. Here, she explores all facets of the Web's gregarious side, as well as the unique tech culture in her home city of New York. (Don't call it Silicon Alley.)
