The Washington Post - Democracy Dies in Darkness

Facebook could easily make privacy the default. It still hasn’t.

Mark Zuckerberg's testimony overlooked one very easy fix.

Facebook founder Mark Zuckerberg told Congress his site can do better on privacy. He’s right. (Matt McClain/The Washington Post)
While Facebook chairman and chief executive Mark Zuckerberg was boasting to Congress on Tuesday and Wednesday about how much his network is doing to protect privacy for its billions of users, I set up a new account to test what he was saying.

I wish the result had come as a surprise.

Instead, here’s everything that was public or turned on by default: My friends list. My profile, which could be indexed by search engines. I could be tagged in any post, even if I hadn’t reviewed it first. The site would suggest that my friends tag me in images. Ad targeting would let Facebook sell marketers the ability to find me based on my relationship status, employer, job title, education and interests. And Facebook would use my app and browser activity to decide which ads to show me.

Those were just a few of the settings I allowed automatically by clicking “Create Account.” It could have been a lot worse, too: Instead of “public,” many defaults, such as who could see future posts or who could see posts I’m tagged in, were set to “friends.”

As a Facebook member since 2007 and a journalist covering tech and media, I know how to look for these settings and update them. But what did Facebook do to prepare me as a new 2018 user? Precious little.

Some of that onus for being prepared rests on the consumer. After all, Facebook warns: “By clicking Create Account, you agree to our Terms and that you have read our Data Policy, including our Cookie Use.” Unlike some sites, Facebook doesn’t even require you to click anything after scrolling through the terms and data policy.

It’s legal. But it’s not even close to enough.

Mark Zuckerberg is too successful to be naive about the dangers of Facebook, says tech CEO and activist Anil Dash, who wants the company to invest in a big fix. (Video: Kate Woodsome, Gillian Brockell/The Washington Post)

Despite what you find when you sign up for his service, Zuckerberg apparently agrees. Wednesday morning, he told the House Energy and Commerce Committee: “I think that a lot of people probably just accept terms of service without taking the time to read through it. I view our responsibility not as just legally complying with laying it out and getting that consent, but actually trying to make sure that people understand what’s happening throughout the product.” During questioning by Rep. Michael C. Burgess (R-Tex.), Zuckerberg added: “It’s contextual. You want to present people with the information about what they might be doing and give them the relevant controls in line at the time that they’re making those decisions, not just have it be in the background sometime or up front [to] make a one-time decision.”

Yet that’s basically what Facebook asks new users to do. As a former publishing executive, I get it: Setting default permissions — making users opt out of settings instead of choose them — is the fastest way to bring a new member onboard and the most efficient way to create critical mass for advertisers. And Zuckerberg was right when he told the Senate hearing Tuesday that users want an environment that matches their interests and needs.

Opt-in, though, is the best way to ensure that people understand what they are choosing to share. Facebook deploys it frequently once a member is on the platform, as Zuckerberg repeated often during his testimony. For instance, the permission settings are next to the “Post” button when I’m ready to publish.

The Cambridge Analytica reveal that brought Zuckerberg to Capitol Hill this past week sent me on a dive into my own account, where I was reminded of how many apps or sites I had connected to with Facebook — 37 — and how much information I had agreed to share with The Washington Post and other third parties. (I chose Facebook over Google to log in at a lot of sites because it felt more private and containable. Ha.)

After some repair work — limiting permissions to the bare minimum in most cases, deleting some apps or connections completely — I signed into my dad’s more recent account to check the privacy landscape that resulted when someone who didn’t pay any attention joined Facebook. It wasn’t pretty. He might have agreed to it all, if asked, or gotten so irritated he wouldn’t have signed up, but instead, “Create Account” meant he consented to everything unless and until he told Facebook otherwise. So here is the information that my father, now deceased, allowed friends to share with third-party apps: his bio; his birthday; his family and relationships; whether he was online; his timeline; his home town and current city; his education and work histories; his activities, interests and likes; and his activity in apps.

What makes this even more frustrating is that Facebook’s privacy check does a decent job of walking users through the various ways they can protect their data, as Zuckerberg suggested on the Hill. (If you’re on Facebook and haven’t already done it, make the time. Now. Then repeat for Google and Oath — the Verizon subsidiary that owns Yahoo, HuffPost and AOL — and check for the option at other sites.) But the default permissions could be transparent from the start, and any changes should be possible from Facebook’s app or its mobile site, not just on desktop.

As Rep. Joe Barton (R-Tex.) told Zuckerberg, “You can pretty well set up your Facebook account to be almost totally private, but you have to really work at it.”

Facebook is already updating and streamlining its terms of service, which haven’t been changed in three years, and promising more clarity on privacy. But the seven-day comment period for those updates ended Wednesday.

Sweeping retroactive fixes for existing members are difficult enough. There’s no excuse for baking in problems for newcomers. New users shouldn’t be required to make privacy repairs that could be avoided at sign-up. At the very least, the welcome email and screen message should include a privacy-check link.

Maybe when he’s done meeting and greeting in Washington, Zuckerberg should set up a test account, too.
