Blog

Everyone has heard a story about a lost job, broken relationship or other disaster brought about by ignorance of privacy settings on various social networking sites.  Recently Facebook decided to make some changes to their privacy policies that in effect urged users to share everything with everyone despite the prevalence of these kinds of stories.

Displaying a tone-deaf attitude to the issues surrounding user privacy is not unique to Facebook. They did, however, up the ante with a deceptive “transition tool” that every member had to click through. The confusing tool asked users if they’d like to open up their personal information (pictures, friends lists, wall posts and more) to everyone.  If users were less inclined to live in a glass house they were given the option of maintaining their old settings.  The fact that Facebook actually removed some settings altogether and fundamentally changed others is thoughtfully absent.

The hew and cry of the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC) among others has now caught the ear of the FTC.  According to an official complaint filed with the FTC by EPIC, Facebook exponentially increased the amount of user information collected when the settings changed.  This data is also being exposed to 3rd party developers due to the elimination of a setting that universally blocked all personal information sharing with 3rd parties.

At the heart of the complaint EPIC alleges that the changes to the privacy settings are confusing and poorly understood by a majority of the Facebook userbase, including advanced users.  Facebook, for its part, has claimed to have consulted many regulators (among them the FTC) in making these changes.

Other High Profile Security Issues

All of this points to a much greater issue concerning privacy and data security and it is not isolated to Facebook. With the likes of NetFlix, Google, and Yahoo dealing with high-profile privacy issues and myriad data breaches exposing the personal information of millions, the implications are as wide as the web itself.  These companies are trusted with increasingly critical data which, through policy, they are try to monetize without thought to security, privacy or their user’s/client’s best interest.

Without a regulating body and in the face of Byzantine regulations (PCI, HIPPA) some businesses are turning to cloud services and hosted solutions for their data needs, leaving compliance and accountability to their service provider and at the mercy of their policies.

This has brought into new light the stability and security of a well-run internal IT infrastructure.  A business doesn’t need to worry about Google sniffing the contents of the company’s gmail when they run an internally-administered Kerio or Exchange server instead.  Just like an embarrassing Facebook post made public, the Microsoft and T-Mobile Sidekick data loss laid bare some of the risks of cloud services.

What does Google say about all this?

Google’s Eric Schmidt recently turned heads by saying;

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place, but if you really need that kind of privacy, the reality is that search engines including Google do retain this information for some time, and it’s important, for example that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities.”

While someday we may all be doing business from tiny smart devices wirelessly attached to omniscient cloud services redundantly hosted around the world with 100% uptime, we are not there yet.  Whether it’s the Facebook user exercising a greater awareness of their privacy rights or the small business owner investing in their own IT infrastructure, the lesson to be learned is without a pro-active stance towards privacy and data security, not even the clouds are safe.