Is your privacy secure online? There’s no way to tell


Long before Facebook got blamed for turning the concept of online privacy into a sick joke, I could tell that the Internet was going to make the control of one’s personal information a challenge.

That moment arrived in the late 1990s, when I realized that my listed phone number, previously accessible only to those who knew enough about me to know where I lived and therefore which local phone book to check or which 411 operator to call, had become available to anyone capable of typing my name — and that’s all — into an online database.

Well, it was a listed number, after all. No great loss there. But things have headed straight downhill since then.

Internet companies persuaded Congress to let them regulate themselves. They promised to develop explicit policies covering to whom and under what circumstances they would share users’ personal data, and stick to their promises. They awarded each other seals of good privacy housekeeping, so we’d trust them to safeguard our names, addresses, Social Security numbers and browsing habits.

What’s the harvest? Scandal after scandal in which some big Internet service admits to having collected more data than it promised to, distributed it to people who shouldn’t have seen it, or let it get hacked in ways that weren’t supposed to happen. All these failures expose innocent users to identity theft or other invasions of privacy.

Typically, the guilty company responds by sending forth a top executive to say “We screwed up” ( Google co-founder Sergey Brin) or “We just missed the mark” (Facebook’s Mark Zuckerberg).

Facebook is the face of this problem because it has been a serial violator of fair practice. The site purports to give its hundreds of millions of users “control” over how much of their personal information gets disclosed to strangers — name, birthday, likes and dislikes, gender, age, “friends” — but these controls are famous for being devilishly confusing and hard to use. Worse, several times over the last year or so, Facebook has unilaterally reset users’ preferences to make such information more public without their consent.

This behavior finally provoked the Electronic Privacy Information Center and other advocacy groups to file a complaint last month with the Federal Trade Commission, alleging that Facebook is deceiving its users. The FTC has the matter under consideration.

Facebook responded by promising to simplify its settings. Plainly it has a lot further to go. I recently spent the better part of an hour tweaking the settings on my Facebook page, and I think I’ve arranged it so that my personal information and that of my “friends” is open only to the extent I want it to be. But for all I know, I’ve actually exposed myself and the visitors to my page to wholesale identity theft by every resident of the Planet Zarg. There’s no easy way to tell.

Nor does that cover all the ways that information in Facebook accounts gets “leaked” to other sites, without any control by the users. Some of this happens through external applications Facebook allows users to access through their accounts. Some happens when outside websites collect user data from Facebook and compile it with the same users’ data from other social networks or e-commerce sites.

In other words, while you think you’re maintaining your privacy, your identity is leaking out to sites you don’t even know about in ways you can’t possibly imagine.

As Balachander Krishnamurthy of AT&T Labs and Craig Wills of Worcester Polytechnic Institute showed in a 2009 paper, networking sites such as Facebook, MySpace and LinkedIn have done a poor job of shielding user information that might be accessed from their accounts by third-party sites. This is the sort of “leakage” that can’t be commonly controlled by user settings, only by the websites themselves.

“People are led to believe that they can make privacy settings and things will happen,” Krishnamurthy told me. “But what happens underneath in the protocol exchange mechanism is something most people don’t even know about and so would not be able to block.”

Every time a popular online service rolls out a new feature, a new unforeseen potential opportunity for leakage arises. “We’re always one privacy fiasco behind,” says Ari Schwartz of the Center for Democracy and Technology, another privacy watchdog.

There’s a notion in cyberspace that we’re more comfortable sharing information about ourselves publicly today than we used to be, and that’s good. One of Facebook’s “core principles,” according to an op-ed Zuckerberg published last month in the Washington Post, is that “a world that’s more open and connected is a better world.”

It can’t be a coincidence that the leading promoters of such ideas are executives hoping to profiteer from snarfing up free-floating private information, like Zuckerberg. But there’s no evidence that people have become more comfortable about letting their personal information loose.

A recent study by the Pew Research Center found that 44% of young users of social networking sites (those 18 to 29) took pains to limit the personal information they disclose online, compared with 33% of users aged 30 to 49 and 20% of those aged 65 and older. They had also done more than older users to tighten their privacy settings.

I doubt most people regard an entirely “open and connected” world with unalloyed glee, as Zuckerberg contends. Think about your high school or college graduating class — do you really want to hear from everybody in it right now, much less share your current address with them? And by the way, how many “friends” on your Facebook page are really friends, as opposed to randomly interconnected strangers of no value or interest to you?

They are, however, extremely valuable to the proprietors of Facebook, LinkedIn, et al., and extremely interesting to those sites’ commercial partners.

That brings us to a facet of social networking that users often overlook: They are not the sites’ customers; they’re the merchandise. The real customers are the advertisers and the aggregators who suck up the data on the users and use it to target commercial come-ons more effectively.

When Mark Zuckerberg promises, as he did in his op-ed, that “We will always keep Facebook a free service for everyone,” he’s giving the game away. Of course it’s free for users — why would he want to discourage the cattle from walking into the abattoir?

Because Facebook earns money from business partners thirsting for knowledge about its users, “Facebook’s incentives will always be to expose as much personal information as it can,” says Marc Rotenberg, EPIC’s director. He says the answer is regulation to require that users opt in to every disclosure of personal information, rather than letting the sites expose the data unless the user opts out.

Remember the New Yorker cartoon of a dog at a computer remarking, “On the Internet, nobody knows you’re a dog”? That was in 1993. In 2010, lots of people would know he’s a dog, what breed he is, who his owners are, where they live, and what they bought each other for Christmas.

But he wouldn’t know they knew. And that’s where the danger lies.

Michael Hiltzik’s column appears Sundays and Wednesdays. Reach him at, see past columns at, check out, and follow @latimeshiltzik on Twitter.