I have a confession to make. As a casual user of Facebook, I have no idea who has access to what I do.  I have read the settings, the Facebook privacy policy (well, the policy this week) and played with the Facebook, but I still have no clue who can see what I write, access my photographs, know my location, comment on my postings, etc.  And this is what I do for a living.  And with Facebook “clarifying” its privacy policies and “enhancing” its facial recognition programs, more actual clarity is probably a good thing.  So this is where I invite readers to answer (email comments@securitycurrent.com) a few questions about Facebook’s privacy settings.

1. Who can see my profile picture?

OK, so I have a profile picture.  Well, maybe just one.  I am not sure.  When I look at other people’s profiles, I see more than one picture, but one of them is called “profile picture.”  I know that my Facebook friends can see my profile picture.  Who else can?  I have no idea.  Oh, and by “see” I mean more than just view.  Can people other than my friends download, copy, scan, digitize, perform facial recognition on, or do other things with my profile picture?

Can they, for example, examine any geo-tagging or embedded information in the picture?

Can they know the make and model (and serial number) of my phone, camera, scanner or other device?

Can I make any or all of this information “private” – to be seen by my friends only?

Can I say that only some “friends” can see my profile picture, but others cannot?

Can I create more than one “profile” picture – one in a suit and tie for “professional” friends (who I want to think I am working for them all the time) and one for “personal” friends (who I don’t want to think I am a workaholic)?

What are the default settings for the profile picture, and how do I change them?  Who can access the profile picture (more than just view – edit, replace, etc.)?

Can advertisers see my profile picture, or access it, and if so, how is it collated?  Can law enforcement or intelligence agencies access my profile picture?  Can they access it just by knowing my name, or can they access it by characteristics?  Can they access it by comparing the picture with other pictures?

Can my friends’ Facebook pages access my profile picture just by posting a picture of me?  In other words, when a friend posts a picture that I might be in, will my friend’s Facebook page scan my profile picture for a “match” and then “tag” me?

Can non-friends (including law enforcement or Facebook security or other personnel) do the same facial recognition on my profile picture?

Can I know who has accessed or viewed my profile picture, and if so, how much information can I know about that?  Can I limit who accesses my picture, or what they can do with it – e.g., view only, no copying?

Does Facebook require that my profile picture be “accurate?”  I know I must provide “accurate” information when I create an account – name, address, age, etc.  Does this include a requirement that the picture be accurate as well?

What is Facebook’s policy on my using a picture of someone ELSE as my profile picture (assuming that I own the copyright or have a license to use the picture)?  Does it matter if the picture is old, no longer looks like me, or is actually a picture of my identical twin brother?  Does Facebook care?  Does Facebook check?

2. What’s in a name?

When I created my Facebook account, I used my real name and a real email address.  So, who can see my name, or the fact that I have a Facebook page?  Is this “public” information, available to any user of the Interwebs?  Is it limited to people I have selected?  To whom does Facebook share this information, and under what circumstances?

Again, can I know who has seen this information, or to whom Facebook has shared it?  What personal information (location, pictures, etc.) can third parties actually see just by virtue of the fact that I have created a Facebook page?  Can they see, for example, where I went to school, where I work, etc.?  I assume I can limit access to that information, but what is the default setting?  Can I limit access to this information to specific individuals?  Can I be notified when someone accesses this information?  Beats me.

3. You’ve been Served

Like any other company, Facebook notes that they will comply with lawful demands for information.  Cool.  Do I get notified when there is a demand for information about me, or that impacts me?  For example, if the Syrian government subpoenas my account information (or the NSA requests it) do I get a chance (by default) to know about and challenge the request or demand?  Do I even get notified?

What steps does Facebook take to challenge the validity, legitimacy, or scope of any demand for information?  What if there is a demand for information about me from a third party’s account – for example, the government wants pictures of me for facial recognition, but subpoenas them from my Facebook friends and not from me.  While they are MY pictures for which I own a copyright, and they are pictures of me, does Facebook notify me, my friend, or anyone else?

How does Facebook assert things like privilege, copyright protection, or other defenses to this information if it doesn’t notify me about the demand for production?  When, if ever, do I find out about the demand?  What about requests or demands for my Facebook messages?  Should I assume that these are public? Private? Privileged? Protected?  Beats me.

4. You’ve Been Owned

In its most recent privacy policy, Facebook clarified the fact that it “owns” my Facebook picture.  What does this mean?  Sure, by posting it to Facebook, I give them the “right” to display it on my page and to allow those I have permitted to access it.

What other rights do they have in my picture?  What do they plan to do with it?  Can they take out ads with happy smiling Facebook users, and include my picture among the mix?  Can they give my picture to the cops the next time a middle-aged white guy is suspected of a crime so that my picture can be used in a photo line up?  What does “ownership” mean in this context?

5. Postings

OK, so here’s another thing that has always confused me about Facebook.  A “friend” posts something – maybe a picture of a cat, a news story, whatever.  I then comment on that posting.  Who can see this posting?  My friends? Their friends?  Their friends’ friends? The world?  I should know the answer to this question, I just don’t.  How long are these postings available and retained?  How worried should I be about things I casually say or do?  Same for when I “like” something.  And why is there no “dislike” button?

6. Tag – You’re It

OK.  Call me an old fogey.  I don’t quite get tagging.  So someone takes a picture of me, or has a picture of me that they took 50 years ago.  They “post” it to their Facebook page.  I got that.  So does Facebook now scan all the images in their picture, and “find” my face, and “tag” the fact that I am in the picture?  I know that the person can “tag” me in their picture (oh look, Mrs. Brown’s second grade class – front row R to L, ….).

So what happens when you are “tagged?”  Does the picture they took and tagged show up on my Facebook page? Do my friends see that picture?  Do my friends get notified that there is a new and embarrassing picture of me?  Can I prevent this in any way other than going to each and every picture in which I have been tagged and “untag” myself?  Can only my friends tag me, or can anyone tag me?  What is the default setting for this?  I am sure there are answers to these questions, but I simply don’t know.

Can I be notified when someone has posted a picture of me on their Facebook page even if they haven’t tagged me in it?  If a person posts a picture of me in which I am not tagged, can a third party scan that picture and identify me in that picture by doing facial recognition against my profile picture?  Can they download that picture and do it through third party software?  Does it matter if any or all of these people are my “friends?”

7. Observations

All of this is to show that giving up privacy is easy. Very easy.  Protecting privacy is hard.  Privacy doesn’t mean keeping information away from people.  It’s about knowing what information is being shared, with whom and for what purposes, and having a degree of control over that process.  When I donned a blue silk Nehru jacket in 1968 (think Sgt. Pepper) for my fifth grade class photo, did I really expect a business colleague in 2013 to be able to see my shoulder-length hair?  I think not.

The problem with privacy policies is that, to provide true granularity, they need to be very detailed.  To be understandable, they need to be short and declarative.  We can’t have both.  But we try.
