Analysis: Facebook's default privacy settings are worse than Zuckerberg says
While Facebook Chairman and Chief Executive Mark Zuckerberg was boasting to Congress this week about how much Facebook is doing to protect privacy for its billions of users, I set up a new Facebook account to test what he was saying.
I wish the result were a welcome surprise.
Instead, here's everything that was public or turned on by default: my friends list. My profile, which could be indexed by search engines. I could be tagged in any post, even if I hadn't reviewed it first. The site would suggest that my friends tag me in images. Ad targeting would allow Facebook to sell marketers the ability to find me based on my relationship status, employer, job title, education and interests. And Facebook would use my app and browser activity to decide which ads to show me.
Those are just a few of the settings I allowed automatically by clicking "Create Account." It could be a lot worse: Many defaults, like who can see future posts or who can see posts I'm tagged in, are set to "friends."
As a Facebook member since 2007 and a journalist covering tech and media, I know how to look for these settings and update them. But what did Facebook do to prepare me as a new 2018 user? Precious little.
Some of that onus for being prepared rests on the consumer. After all, Facebook warns: "By clicking Create Account, you agree to our Terms and that you have read our Data Policy, including our Cookie Use." Unlike some developers, Facebook doesn't even require you to click a link after scrolling through the terms and data policy.
It's legal. But it's not even close to enough.
Despite what you find when you sign up for his service, Zuckerberg apparently agrees. Wednesday morning, he told the House committee: "I think that a lot of people probably just accept terms of service without taking the time to read through it. I view our responsibility not as just legally complying with laying it out and getting that consent but actually trying to make sure that people understand what's happening throughout the product." During questioning by Rep. Michael Burgess, R-Texas, Zuckerberg added: "It's contextual. You want to present people with the information about what they might be doing and give them the relevant controls in line at the time that they're making those decisions, not just have it be in the background sometime or up front to make a one-time decision."
Yet that's precisely what Facebook asks new users to do. As a former publishing executive, I get it: Setting default permissions -- making users opt out of settings instead of choosing them -- is the fastest way to bring a new member onboard and the most efficient way to create critical mass for advertisers. And Zuckerberg was right when he told the Senate hearing that users want an environment that matches their interests and needs.
Opt in, though, is the best way to ensure people understand what they are choosing to share. Facebook uses it frequently once a member is on the platform, as Zuckerberg repeated often during his testimony. For instance, the permission settings are next to the "post" button when I'm ready to publish.
The Cambridge Analytica reveal that brought Zuckerberg to Capitol Hill sent me on a dive into my own account, where I was reminded how many times I connected to a site or app with Facebook and how much information I agreed to share with The Washington Post and other third parties. (I chose Facebook over Google to log in at a lot of sites because it felt more private and containable. Ha.) The answer: 37.
After some repair work -- limiting permissions to the bare minimum in most cases, deleting some apps or connections completely -- I signed into my dad's more recent account to check the privacy landscape when someone who didn't pay any attention joined Facebook. It wasn't pretty. He might have agreed to it all if asked or gotten so irritated he wouldn't have signed up. Instead, "create account" meant he consented to it all unless and until he told them otherwise. So here is some of the info my father, now deceased, allowed friends to share with third-party apps: his biography, birthday, family and relationships, posts, hometown, current city, education and work, activities and interests, and app activity.
What makes this even more frustrating is that Facebook's privacy check does a decent job of walking members through the various ways they can protect their data, as Zuckerberg suggested this week on the Hill. (If you're on Facebook and haven't already done it, make the time. Now. Then repeat for Google and Oath -- the Verizon subsidiary that owns Yahoo, HuffPost and AOL -- and check for the option at other sites.) It could be better.
Rep. Joe Barton, R-Texas, told Zuckerberg, "You can pretty well set up your Facebook account to be almost totally private, but you have to really work at it." Facebook is already updating and streamlining its Terms of Service, which haven't been changed in three years, and promising more clarity on privacy. But the brief comment period for those updates ends April 12.
Sweeping retroactive fixes for existing members are difficult enough. There's no excuse for baking problems in for newcomers. Requiring new users to make privacy repairs that could be avoided at signup shouldn't be the default. At the very least, the welcome email and screen message should include a privacy check link.
Maybe when he's done meeting and greeting in Washington, Mark Zuckerberg should set up a test account, too.
• Kramer, the former editor of paidContent, writes about media and technology from University City, Mo.