washingtonpost.com
What Facebook Knows That You Don't

By Catherine Rampell
Saturday, February 23, 2008

So you've sworn off Scrabulous. You've given up on poking and SuperPoking. Never again shall you be newsfed, attacked by Zombies or be one of 1 million strong. You're done with seeing your friends' exhibitionism, and you're done with exhibiting yourself.

In other words, you've given up Facebook.

But as recent articles have pointed out, even if you "deactivate" your account, Facebook holds on to your profile data. This disclosure has gotten privacy groups and consumers up in arms. All the commotion about how Facebook hoards outgoing users' data got me wondering whether we're missing the more important privacy question: What happens to all the data we active members choose to delete, for privacy reasons or otherwise?

Facebook's privacy policy is disturbingly cryptic on this issue. It says the company "usually keep[s] a backup copy of the prior version [of updated profile information] for a reasonable period of time to enable reversion to the prior version of that information." Facebook declines to enumerate how many days (or centuries) constitute a "reasonable period of time." Facebook users do not have access to this information, so it's unclear who exactly would be doing the proposed "reversion."

Sure, Facebook archives must construct fascinating personal narratives. Anyone privy to my Facebook history, for example, would discover that my banjo lessons were embarrassingly short-lived and that my three most recent boyfriends are all named David. They would find the "Law and Order" episodes I've cycled through, the friends I've fallen out with and the music I've now gotten too cool for. And, my future biographers, take note: If you hacked into this treasure trove of information, you'd find a full dossier of my "status updates," the information Facebook users provide about what they're "doing right now." You might learn my diet, my sleep habits (or lack thereof, during college) and my emotional, or at least emoticonic, moods.

Of course, my imminent fame notwithstanding, those interested in the trajectory of my tastes and tempers are more likely to be advertisers than biographers. Facebook already uses profile information to target ads within its site -- and possibly outside of Facebook, through partner and minority-stakeholder Microsoft, which declined to directly answer questions about how it uses the data. Third-party advertisers also can see information about oblivious Facebookers; Facebook specifies only that such advertisers have "no access to your contact information," presumably leaving the rest of users' "private" information accessible.

The greatest potential for privacy violations, however, comes from the applications that have been developed by outsiders for the Facebook platform. Users who install these games and quizzes must agree to share all their information with unmonitored strangers, who can keep the data for any period of time, "reasonable" or otherwise. Tucked in its Platform Application Terms of Use is Facebook's absolution of itself of all liability should developers decide to do something mustache-twirlingly nefarious: "YOU USE SUCH DEVELOPER APPLICATIONS AT YOUR OWN RISK."

At my own risk, then, I choose not to use any applications, preferring more limited social interaction over greater exposure to snooping. (But even so, the default setting on Facebook allows my private data to be accessed by applications my friends have installed. In other words, a deceitful "Which Disney Princess Are You?" quiz my editor adds could pilfer my prom photos.) Facebook seems to be betting that none of these applications will go rogue -- or at least go rogue and get caught -- and thereby discredit the entire social network.

So what, you say. Idiots like me and Facebook's 65 million other users are publicizing our personal lives voluntarily. Corporations aren't exactly sneaking into our bedrooms; we're inviting them in. The problem is that most people who perfunctorily fill out social networking forms don't understand the privacy risks. It's not just the publicizing of data that endangers privacy, after all; as other analysts have articulated, it's also the ability to search, aggregate and find uses for that data. Unlike newsfeeds and Beacon -- controversial features that broadcast users' activities to their friends -- data mining by Facebook, third-party advertisers and applications is hidden.

Consumers, plain and simple, are too unsophisticated to realize what can be done with their data. Besides, users may have offered up information before even Facebook realized what it could do with the data, since the company only recently developed a coherent plan for making money through advertising. If advertisers (and biographers) were to research my profile archives, they would notice that it's not just my more sophisticated tastes in movies and men that transformed my profile over the years. It's also my more sophisticated understanding of how Facebook could sell me out. Unfortunately, for at least a "reasonable period of time," my wily revisions may prove worthless.

The writer is a member of the editorial page staff. Her e-mail address isrampellc@washpost.com.

View all comments that have been posted about this article.

© 2008 The Washington Post Company