Safe and Secure

Facebook users are about to see an unfamiliar screen when they sign on to the service--a request to configure their privacy preferences. But it's not really a request. It's a requirement.

"As far as we know, it's the first time in the history of the Internet," said Facebook spokesman Simon Axten, "that so many people have been required to make affirmative decisions about their privacy."

The company on Wednesday provided details of the changes that CEO Mark Zuckerberg blogged about last week. These include eliminating regional networks and giving users more granular control over who can see individual pieces of content while making some basic profile information available to everyone. Also, Facebook is simplifying what this blogger and others have criticized as overly complex privacy controls, but it is also requiring members to make some information available to the public.

Controversial privacy history
Over the years, Facebook has been the subject of criticism, lawsuits, and threatened federal action over various changes to its privacy policy.

In 2007, Facebook announced its Beacon advertising service, which broadcast member activity on partner sites to their Facebook friends. If you bought a movie ticket on Fandango, for example, all of your Facebook friends would immediately know about it. The Beacon program unleashed a campaign from consumer advocacy groups including MoveOn.org as well as a class action law suit that was settled this September. As part of that settlement, Facebook agreed to shut down Beacon and to donate $9.5 million to an independent foundation to "fund projects and initiatives that promote the cause of online privacy, safety, and security."

In February of this year, Facebook found itself at the center of another privacy storm after it announced a change in its policy that would give the company seemingly perpetual control over user-supplied content. That prompted the Electronic Privacy Information Center to threaten filing a complaint with the Federal Trade Commission and also led to the formation of a Facebook group called People Against the new Terms of Service that attracted nearly 150,000 members protesting the changes. The uproar caused the company to rescind those changes and resulted in CEO Mark Zuckerberg holding a press conference where he announced that the company would create "a new approach to site governance" so that its decisionmaking would be more transparent.

Mandatory privacy settings
All users will soon be confronted with a "privacy announcement" informing them that they must configure their settings. Initially, you will be able to "skip for now" but you will later be required to go through the steps in order to continue using the service, according to Axten.

To encourage people to share information, Facebook has set the default to "everyone," but you can later go back to set more restrictive settings. You can also keep your old settings. If you're not sure what they are, you can display them by hovering over the radio button.

In the final step, Facebook displays your settings and gives you a chance to change them. At this point or at any time in the future you will be able to adjust any of your settings

The Facebook settings will be based on four basic levels: friends, friends of friends, everyone, and customize. If you belong to a network, you will also have the setting friends and networks. As before, you will also be able to customize settings to include or exclude specific friends or groups of friends.

Some information must be publicly available
Some information--including name, profile picture, gender, current city, networks you belong to, friend lists, and pages you're a fan of--will be available to everyone. The only way to keep that information from the general public is to not include it as part of your Facebook profile. Users also have the ability to limit what can be found via a search on Facebook and what information Facebook will make available to search engines like Google and Bing.

According to Axten, that information is being made publicly available to make it easier to find people using Facebook search, especially people with common names. If you locate a "John Smith" in a Facebook search, seeing his picture and knowing where he lives can make it easier to pinpoint the right person. Though not mandatory, Facebook, according to a spokesperson, is encouraging people to make other information public such as where they went to school or where they work. However Axten added that if a user had previously configured their privacy settings, they should keep what they already have.

While adults have the option of making content available to everyone, the maximum exposure available to users under 18 will be friends of friends or school networks.

Control over who gets to see your posts
The most important change is that you will now be able to specify who can see each piece of your content including status updates, photos, and videos. Each time you add content, you'll be able to determine whether it can be seen by everyone, friends and network, friends of friends, only friends, or a custom setting. Customized settings allow you to include or exclude individual people or lists of people. For example, one could share last night's exploits with his fraternity brothers but not with his fellow church members or office mates. The list feature, which has long been available, allows you to divide your friends into groups. For example, as a journalist, I encourage readers to "friend" me at Facebook.com/larrymagid, but I also maintain a list of "real world friends."

Third-party application settings
As in the past, you will have some control over the information that can be seen by operators of third-party Facebook applications. Facebook has added the ability to fully block an application from accessing any information but, in most cases, that will disable the application.

Facebook's Axten said that application developers will have access to all publicly available information, but can only access other information with the user's permission. Applications are also required to only access user information that is essential for them to run. The company, said Axten, has an enforcement squad to ensure compliance.

Facebook is also launching a new Privacy Center that will offer "a comprehensive guide that helps users understand and control how they share information."

Disclosure: Facebook is one of several companies that provides support to ConnectSafely.org, a nonprofit Internet safety organization I help run.

Shopping online does carry some risk, but so does shopping at brick-and-mortar stores. At least online shoppers don't need to worry about fender-benders in the parking lot, pick pockets at the mall, or getting the flu from all those fellow shoppers.

But the nice thing about shopping online is that by following some basic guidelines you can be reasonably sure you'll have a safe experience.

Secure your PC: The first thing you need to do is be sure your computer is secure. Trend Micro's education director David Perry, says that "bad guys these days are operating by planting a keylogger on your system that listens in, surreptitiously waiting for you to use your credit card or your bank password so that they can steal your money." So, even if you're dealing with a legitimate merchant, you're at risk if your computer is infected. Your best protection from these attacks is to keep your operating system and browsers updated and use a good and up-to-date security program. If you're getting or giving a Netbook or other PC for the holidays, make sure that security software is installed right away. Most security companies offer a free-trial version that will tide you over for a month or so, but be sure to subscribe so you get ongoing protection.

Click with care: You're going to be getting a lot of offers via e-mail this holiday season. While they might be legitimate, there is the possibility of some offers coming from criminals trying to trick you into giving your password to a rogue site or visiting a site that can put malicious software on your computer. Your best protection is to not click on any links--even if the message looks legitimate--but to type in the merchant's URL manually.

Know the merchant: : If you're not familiar with the merchant, do a little research like typing its name (and perhaps the word "scam") into a search engine to see if there are any reports of scams. Look for user reviews on sites like Eopinions.com. Look for seller ratings if you locate the merchant through a shopping search engine like Google Shopping . Google doesn't certify the integrity of the sites that come up in its searches, but if you see lots of seller ratings that are mostly positive, that's a pretty good sign. You're generally pretty safe with sellers that are affiliated with shopping aggregators like Amazon.com, Yahoo Shopping, Retrevo or BizRate. Microsoft's new Bing search engine offers a cash-back program with affiliated merchants.

It's a good idea to look for seals of approval from Truste or Better Business Bureau Online, but remember that a seal is only a graphic. It can be counterfeit. To be sure, visit the certifying agency's site to look up the merchant.

When you're about to enter your credit card, make sure you're on a "secure "site. The URL should have an https at the beginning (s for "security") and there should be a small gold lock in the lower right corner of the browser. This isn't an iron-clad guarantee, but still worth looking for.

If you're still not sure, look for a phone number and call them. Aside from eliminating the chance of a keylogger grabbing your information, you may get a little more assurance talking to a human being.

Pay by credit card: Credit cards offer you an extra level of protection including the right to "charge back" if you feel you're a victim of fraud. The credit company will investigate your claim and permanently remove the charge if fraud can be proven.

Also some credit card companies offer extra protections including extended warranties and protection against loss or theft. Federal law limits your liability for misuse of a credit card to $50 but many credit card companies will waive that limit. Unless you're very sure about the merchant, don't provide them with a checking account number and never disclose your social security number to online merchants.

It's also a good idea to check your online credit card statement frequently. Most credit card companies will display recent charges online within a few days of the actual transaction. While you're on your credit card company's site, check your interest rate. Credit card companies have been known to "adjust" rates (usually upward) for a variety of reasons.

Know the real price: Be sure you understand the actual cost of the item, including shipping, handling, and sales tax. That can have an enormous impact on the final price. Many merchants are offering free shipping during the holidays and some merchants that have both online physical stores will let you pick up the item in the store for free. In most states if you do business with a merchant that has a physical presence in your state, the merchant is required to collect state sales taxes. Although it's tough to enforce, some states expect you to self-report all of your online purchases and pay sales taxes when you file your state income tax return.

Happy returns: Be sure you understand the merchant's return policies including the deadline for returns and what documentation you'll need. In most cases, they won't refund the shipping charges and you'll have to pay to ship it back. Always keep your packing until you're sure you're not going to return it.

Read the privacy policy: The policy, according to the American Bar Association's Safeshopping.org, should disclose "what information the seller is gathering about you, how the seller will use this information; and whether and how you can "opt out" of these practices."

Enjoy the holidays: By paying attention to these tips, the odds of your being victimized by online fraud are pretty low --another good reason to be cheerful during the holiday season.

A new report from the Progress & Freedom Foundation says that officials in some states want to pass legislation that would extend the Children Online Privacy Protection Act (COPPA) from covering children under 13 to covering teens until they're 18.

COPPA, which became law in 1998, requires verifiable parental consent before a child under 13 can provide personally identifiable information to a Web site that caters to children. Expanding the law to cover teens till they're 18, according to the report, would "require Web sites to obtain more information about both minors and their parents, which runs counter to the original goal of the Act: protecting the privacy of minors." Ultimately, say the authors, "this would actually make minors less 'safe online.'"

In this podcast, the report's co-author, PFF Senior Fellow Adam Thierer, explains the original COPPA law and why, in his opinion, the expanded law could have a chilling effect on the free speech rights of minors.

The podcast runs 11:30

Listen now: Download today's podcast

Facebook CEO Mark Zuckerberg announced on February 26 that, from now on, the company will post proposed changes to its terms of service and other policies for member input.

If more than 7,000 people comment, the policy will be put to a vote, and the result "will be binding, if more than 30 percent of all active registered users vote."

Based on Facebook's current 175 million user base, that's nearly 53 million people, which makes it questionable whether the company will ever get sufficient voter turnout.

CBS News and CNET Technology analyst Larry Magid discuss the move with Jamie Court, president of Consumer Watchdog.

Listen now: Download today's podcast

Facebook's decision to open up its policy making to user input is a very nice gesture but it's not exactly on par with the American revolution or the fall of the Berlin Wall.

Facebook CEO Mark Zuckerberg announced on Thursday that from now on the company will post proposed changes to its terms of service and other policies for member input. If more than 7,000 people comment, the policy will be put to a vote and the result "will be binding if more than 30 percent of all active registered users vote." Based on Facebook's current 175 million user base, that's nearly 53 million people. What isn't clear is what happens if voter turnout is less than 30 percent which seems pretty likely given that not all Facebook users are as passionate about terms of service as the thousands who protested Facebook's last attempt to change its policies regarding its rights to re-use user data.

Zuckerberg made it very clear, however, that he's not turning over the keys to the boardroom. It affects issues like data ownership and privacy but not the company's products and services. "There will be hundreds and thousands of product changes going forward, and that's not what we're talking about. This is about the rules and framework," he said in a press conference

That brings up more questions than answers. If, in the opinion of some, a product change threatens user privacy is that considered a change of policy and if so, is it subject to review and a vote?

Of course it's easy to be cynical about what a company does in response to widespread user anger and it's tempting to call this a PR stunt. But I think there is more to it than that. Facebook is a Web 2.0 company and its officials seem to be trying to figure out what it means to run a company where users, not professionals, provide most of the content. In some senses, Facebook is a media company but unlike newspapers, TV networks and even most blogs, its contributors aren't employees or contractors. It's those 175 million members. When I contribute an article to a newspaper or Web site, I understand that I'm giving up some rights to my intellectual property. But when I post something to my Facebook page, I feel that I alone should have control over my intellectual property rights.

CBS News Slideshow: Using Facebook's privacy settings

Watch CBS Videos Online

Zuckerberg says he agrees but even in its just proposed Statement of Rights and Responsibilities Facebook is a little fuzzy on this issue. Clause 2.3 now reads, "For content that is covered by intellectual property rights (like photos and videos), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use, copy, publicly perform or display, distribute, modify, translate, and create derivative works of ("use") any content you post on or in connection with Facebook." However, unlike the last proposed data retention policy it also says "This license ends when you delete your content or your account."

That statement is already generating some negative comments on the very page where it's posted now that Facebook is encouraging users to comment on proposed policy changes. But that's the whole idea--the company floats a proposal and lets users weigh-in on what they think. Only a few hours after the new policy was posted, there were more than 400 comments from 287 people. That's a lot of people, but it's not even a measurable fraction of the site's membership It will be interesting to see how many comments are added during the 30 days before the issue can be put to a vote.

In the mean time, I'm going to keep my eye on Facebook just as I'm keeping my eye on President Obama's pledge for more transparency in government. The comparison between the governance of our country and the running of a social-networking site isn't perfect because the issues are different and, with Facebook, the stakes aren't nearly as high. Still, Obama and Zuckerberg deserve both credit and scrutiny.

Disclosure: Larry Magid is co-director of ConnectSafely.org, a nonprofit Internet safety education group that receives financial support from Facebook and some of its competitors.

Podcast: Larry Magid talks about Facebook's new decision making process with Jamie Court, president of ConsumerWatchdog.org

Listen now: Download today's podcast

All of the hoopla about Facebook's controversial user policy sidesteps the point about what social Web users really need to know about protecting their privacy and intellectual property.

The latest controversy erupted last week after a blog trumpeted an otherwise largely ignored change in Facebook's terms of service that would have granted Facebook an "irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license" to use your material and "use your name, likeness and image for any purpose, including commercial or advertising."

Needless to say, the privacy and users' rights community and a lot of bloggers were justifiably alarmed. The Electronic Privacy Information Center reportedly was on the verge of a federal complaint until Facebook decided to rescind the change last Tuesday night.

But there was another clause in that short-lived policy that--depending on your reading--either clarifies or contradicts the rest of it. The legalese that gave Facebook perpetual rights was "subject only to your privacy settings" and those settings are hard-wired to limit exposure to your material.

Privacy settings can be tightened
The site's privacy settings, in most cases, don't even permit you to expose your information to everyone on the Web. By default, the settings typically show your profile and other data only to "My Networks and Friends." While that might include a lot of people, it doesn't include the entire world. So if Facebook is subject to its own privacy settings, it would be very limited in its right to distribute content from your page to anyone outside your network.

These settings can be modified, but most of them can only be tightened. With a few exceptions, you don't even have the option to make a lot of your information available to the public at large. One exception is media files such as photos and videos, which, by default, can be viewed by "everyone." But you can use privacy settings to restrict who can see your photos all the way down to specific friends or even "only me."

The problem with Facebook's privacy controls is that a lot of people don't know about them, and even those who do might find them unintuitive to use. Facebook Chief Privacy Officer Chris Kelly agrees that the company has work to do in this area, and said they are developing a privacy wizard to make it a lot easier to set your controls.

Mouse over to privacy settings
In the meantime, you might want to hover your mouse over the "Settings" tab near the upper-right corner and select Privacy Settings. There you'll find options to control who can see your profile as well as other information about you, such as your "personal info," status updates, photos, videos tagged of you, and who your friends are. You can control who can see your profile within Facebook and you can turn off access to public search engines such as Google. There are plenty of other settings, including ones to control who can write on your wall and who can comment on notes, photos, or other elements of your site.

Settings vary according to what you're trying to control and, because of the confusing user interface, you might have to hunt around a bit. For example, to change the privacy settings on your own photo albums within the Privacy Settings area you would have to find the fine print under Photos Tagged of You that says "Edit Photo Albums Privacy Settings" or navigate from the Applications tray at the bottom left corner of your browser. That "privacy wizard" they're working on can't come a moment too soon.

Another relatively unknown feature is the ability to create multiple friends lists and assign different privileges to people on different lists. For example, if you want only certain people to know your cell phone number you can create a list like "good friends" and another called "colleagues" to make that information available only to people on those lists. You can create lists by clicking on the Friends tab on the blue navigation bar and then clicking on "Make a New List" in the left column.

Third party applications
Be especially careful when it comes to third-party applications. For example, I use an application from Eye-Fi that automatically syncs my photos to Facebook and Flickr through my Wi-Fi network. When I review cameras, I often take ugly and stupid test pictures and, if I'm not careful, those pictures can be automatically loaded to my Facebook page for everyone to see. But my most embarrassing moment was about a year ago, when I tried out the New York Times Quiz on a day I hadn't read the paper, only to have my low score posted for all my Facebook friends to see, including my editor at The New York Times.

Regardless of how you configure your privacy settings, there is a reality of the social Web that can't be configured away. Any digital information that is posted can be copied, captured, cached, forwarded, and reposted by anyone who has access to it. Even if some embarrassing photo or information is up for only a few minutes, there is the possibility that someone might copy it and send it around. And--as many people are painfully aware--friends can become ex-friends. So even if you're reasonably careful about who you let on your page, you never know what they might do with the information you post.

Disclosure: Larry Magid is co-director of ConnectSafely.org, a non-profit Internet safety education group that receives financial support from Facebook and some of its competitors.

As is now well known, Facebook angered some of its users and some privacy advocates when it recently changed its terms of service to give itself the right to permanently retain user information even if a user deletes an account.

That policy was rescinded after an uproar and a likely federal complaint from the Electronic Privacy Information Center (EPIC), a Washington-based privacy watchdog group.

To try to better understand the issue, I spoke with EPIC's executive director, Marc Rotenberg, as well as Facebook's chief privacy officer, Chris Kelly.

Listen now: Download today's podcast