Opinion: What Facebook should do next

Facebook is at a crossroads. If it continues to give the impression that its approach to consumer privacy is flexible or indifferent, it risks alienating its 400 million users.

The New York Times reported recently that Facebook's privacy policy is longer than the US Constitution, at more than 5,000 words. Now, with governments coming after Facebook, the social network site is overhauling its privacy policy. This situation is reminiscent of Rolling Stones' guitarist Keith Richards who said , "I've never had a problem with drugs. I've had problems with the police."

Let's start with the obvious: if you want to keep your information private, don't store it on a social network.

The essence of social networks is to provoke solicited, and unsolicited, interactions between individuals. If all I want is to share photos with my friends over Facebook, why do I need to have my religion, birthday, marital status, or political affiliation stored in Facebook?

Further, privacy is not coincident with the interests of Facebook creators or with the attitude of many Facebook users. If social networks were about keeping private information, and controlling it, then the default would have been not to share any new information, and have a "share" or "publish" button that you need to click explicitly to make it available to others.

A lot of private information can be deduced or inferred from friends' networks. This includes religion, sexual orientation, and age. You might also post a sensitive message to a friend's wall. If that friend later makes his wall public, your post goes into the public domain.

Cybercriminals, information freaks, police and others are know to trawl social networking sites to harvest exploitable information and to build dossiers on individuals and their social circles. These are just some of the security problems from simply surfing Facebook; there is also a laundry list of technical vulnerabilities.

But Facebook has its virtues. Staying in touch with family and friends is undeniably engaging. Or as one comedian joked, "I'm on Facebook to ensure my ex-girlfriends aren't doing better than I am."

Facebook is at a crossroads. If it continues to give the impression that its approach to consumer privacy is flexible or indifferent, it risks alienating its 400 million users.

Facebook should be worried for another reason. Edelman's Trust Barometer found that peers and friends are no longer credible sources for third party endorsements, dropping from 46% to 25% since 2008. This will have a huge impact on marketers' ability to convert social networks into revenue.

Consumers must believe that Facebook's intentions are in line with their best interests. In this case, Facebook, with overwhelming zeal, must show it's doing everything it can to maintain user privacy.

So what should Facebook do?

It has already announced that it will offer a one stop shop for privacy settings. Users will be able to see one privacy page with a list of all their applications and a choice of three settings for each. The redesigned privacy page allows users to see all their information in one grid and apply privacy settings to each. Facebook will suggest defaults.

It could do more.

First, Facebook should provide audit trails to help members adjust their security settings. An audit trail might look something like:

• Friend "Mom" has viewed "Wild party" pictures (Oh no! Should block her from that.)

• Application vendor "Yelp" has viewed your friend list (I didn't want that-block them.)

• Friend "Larry" looked at your wall (That's fine.)

• Stranger has viewed "Wild party" pictures (Oh no I forgot to share it only with my friends.)

Second, Facebook should default all privacy controls to the most conservative option, This means make the default for all items "private" and automatically reset all default settings to ensure only selected contacts can see user profiles.

Members' information should be inaccessible to search engines until an end user allows it to be public, and Facebook should automatically block applications from having full access to private data. It should introduce two level administration for children's accounts.

These measures will offer a de facto level of privacy. Better informed with audit trail results, members will have a better grasp on where to place their security settings.

Finally Facebook should provide three privacy options:

• Super-secret: With a click, consumers will be guaranteed ultimate privacy with no pictures or information posted anywhere, except to a designated circle of friends. Also, personal information should be impossible to share with application makers.

• Fully public: For those who thrive on voyeurism.

• Customised: Power users can set their options.

During the 1950s, Deming showed how quality in manufacturing became vital for profit and competitiveness, and coined the term "total quality management." Facebook is at an analogous point in its history; it should implement "total privacy management". Consumers will react with dollars, governments will placate regulators.


Amichai Shulman is CTO and Rob Rachwald is director of security strategy at Imperva

Read more on IT risk management