
Facebook privacy control analysis

Privacy in Social Network Services and Platforms

4.2 Facebook as an example SNS

4.2.5 Facebook privacy control analysis

We now analyze the Facebook privacy control presented in the section above, first with regard to the current Facebook privacy control in Section 4.2.3 and then with regard to our Facebook privacy requirements outlined in Section 4.2.3.

Facebook privacy policy. It seems that Facebook, instead of keeping a general privacy policy saying, for instance, that a user should be able to control what is shared about that user, has tailored its privacy policy statement to address information elements separately, to suit all the cases where the user cannot control what is shared. The policy is also a place where Facebook releases itself from all responsibility for security and privacy and places it on the user. The following citation from the section of their privacy policy about how they protect a user’s information embodies this point:

“Although we allow you to set privacy options that limit access to your information, please be aware that no security measures are perfect or impenetrable. We cannot control the actions of other users with whom you share your information. We cannot guarantee that only authorized persons will view your information. We cannot ensure that information you share on Facebook will not become publicly available. We are not responsible for third party circumvention of any privacy settings or security measures on Facebook. You can reduce these risks by using common sense security practices such as choosing a strong password, using different passwords for different services, and using up to date antivirus software.”

Figure 4.8: This figure is a screenshot of the Facebook interface for block list administration.

This means that Facebook promises little in their privacy policy statement, leaving room for less privacy in their systems and less user control. Because the privacy policy is so lenient, one can say that the implemented privacy control, described in Section 4.2.4, is very compliant with their privacy policy statement.


Our privacy requirements. Analyzing the Facebook user privacy control with regard to our privacy requirements in Section 4.2.3 will reveal weaker privacy control. In that section we presented seven requirements for how a user should be able to control personal information. Out of the seven requirements, Facebook’s current privacy control only fully meets the first two. Requirement 1, setting different access control rules for different types of objects, has been met through the function where users can, for Facebook’s previously defined object-access type couples, set which people can perform that type of access on objects of that type. Requirement 2, regarding the granularity with which subjects can be allowed access to an object, stating that one should be able to allow or disallow certain users access to an object, is also met. It is not met through the drop-down menu choices “Everyone”, “Friends and Networks”, “Friends of Friends” and “Friends Only”, but through the “Customize” option, where one can specify certain individuals or groups of individuals one wishes to allow access to or hide the object from.

The rest of the requirements, 3 through 7, are not fully met by the current privacy control. Requirement 3, allowing or disallowing access to an object based on the relationship between the relevant user and the subject requesting the access, is only partially met. The previously mentioned drop-down menu choices for the subject of an access control rule, “Friends and Networks”, “Friends of Friends” and “Friends Only”, will grant subjects access to the object based on the relationship between the user and the subject. Still, the choices are, in our opinion, too limited. The relationships “Friendship” and “in the same Network” apply to a very coarse-grained grouping of people. Experience using Facebook tells us that most users have hundreds of friends, and these often include close friends, childhood friends, co-workers, business associates, classmates, family, acquaintances and other people one has encountered in all sorts of settings. Calling all these relationships “friendships” can seem very coarse-grained and is not always adequate for making rules that reflect a person’s privacy preferences. Requirement 4 is closely tied to the demand for more fine-grained relationships, and is not met by the current privacy control. Stating access control rules based on which role a subject has towards the relevant user is not possible, and, like requirement 3, this calls for a more fine-grained grouping of a user’s “Friendships”. The three last requirements, being able to set access rules based on the user’s, the subject’s or external attributes, are by no means met by the existing control panel.

The control panel completely lacks the option to set conditions under which access to a specified object should be granted to the specified subject(s). To fulfill requirements 5, 6 and 7, such options to specify conditions must be implemented.
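The following sketch is an added example, not part of the original text or of Facebook's implementation: a minimal rule model covering the seven requirements as they are summarized above, with a helper that reports which requirements a given rule relies on that the analysed panel cannot express. All class, function and label names are hypothetical, and the mapping of owner, subject and external conditions to requirements 5, 6 and 7 is assumed from the order in which the text lists them.

```python
from dataclasses import dataclass, field

# Relationship labels the drop-down described above can express (label names are assumptions).
PANEL_RELATIONSHIPS = {"friend", "friend_of_friend", "network"}
# Assumed mapping of condition kinds to requirements 5-7, following the order in the text.
CONDITION_REQ = {"owner": 5, "subject": 6, "external": 7}

@dataclass
class Request:
    subject: str
    object_type: str
    access: str
    relationships: set = field(default_factory=set)  # labels the owner gave the subject
    roles: set = field(default_factory=set)          # roles of the subject towards the owner
    attrs: dict = field(default_factory=dict)        # keys: "owner", "subject", "external"

@dataclass
class Rule:
    object_type: str                                 # requirement 1: per object/access type
    access: str
    allow: set = field(default_factory=set)          # requirement 2: named individuals
    deny: set = field(default_factory=set)
    relationships: set = field(default_factory=set)  # requirement 3
    roles: set = field(default_factory=set)          # requirement 4
    conditions: list = field(default_factory=list)   # requirements 5-7: (kind, predicate)

    def permits(self, r):
        matched = (r.subject in self.allow or self.relationships & r.relationships
                   or self.roles & r.roles)
        return bool(matched) and all(p(r.attrs.get(k, {})) for k, p in self.conditions)

def decide(rules, r):
    """Default deny; an explicit deny on any applicable rule overrides every allow."""
    applicable = [x for x in rules if (x.object_type, x.access) == (r.object_type, r.access)]
    denied = any(r.subject in x.deny for x in applicable)
    return not denied and any(x.permits(r) for x in applicable)

def unmet_by_panel(rule):
    """Requirement numbers this rule relies on that the analysed panel cannot express."""
    unmet = {CONDITION_REQ[k] for k, _ in rule.conditions}
    unmet |= {3} if rule.relationships - PANEL_RELATIONSHIPS else set()
    unmet |= {4} if rule.roles else set()
    return sorted(unmet)

# Constructed sample policy: family may view photos; co-workers only outside 09-17.
RULES = [
    Rule("photo", "view", relationships={"family"}, deny={"mallory"}),
    Rule("photo", "view", relationships={"co-worker"},  # a missing hour counts as 12: denied
         conditions=[("external", lambda e: not 9 <= e.get("hour", 12) < 17)]),
]
```

Both sample rules need relationship labels finer than "friend", and the second also needs an external condition, which is exactly what the panel is said to lack.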

It becomes clear that seen in the light of our privacy control requirements, Facebook’s current privacy control panel does not provide sufficiently fine-grained user privacy control through access control of personal information.

The panel lacks sufficiently fine-grained subject specification and grouping of “Friends”, and does not provide the option to set conditions under which access should be given.