EPIC vs Facebook: Privacy through obscurity

EPIC wants the FTC to investigate Facebook's privacy through obscurity methods. The public interest research center also has multiple demands regarding the FTC's recent Facebook settlement.
Written by Emil Protalinski, Contributor

Update: In addition to the privacy through obscurity angle, there's another issue. EPIC: Facebook Timeline changes users' privacy settings.

The Electronic Privacy Information Center (EPIC) is asking the Federal Trade Commission (FTC) to further investigate Facebook's practices, specifically how the company handles privacy through obscurity. EPIC wants the FTC to look into its various privacy objections, as it is unhappy with the FTC's November 2011 settlement with Facebook.

Security through obscurity is the idea that content can be kept safe by making it difficult to discover, rather than inaccessible without authorization. Your content is not any more secure, but attackers can be discouraged by the effort required to steal it. For example, programmers sometimes deliberately obfuscate code to conceal its purpose, whether to prevent tampering, to deter reverse engineering, or simply to challenge someone reading the source code.

Privacy through obscurity refers to the same idea, except that we're talking about who can access your content. Your content is not any more private, but attackers interested in it can be discouraged by the effort required to view it. For example, the Twitter website does not easily show you a discussion between two or more users: you have to navigate back and forth to each person's page. The content is all there; it's just difficult to consume.

Before Facebook launched Timeline, if you wanted to browse a given friend's old Facebook content, you had to keep clicking the "Older Posts" link on his or her profile until you reached the correct date for the post. With Timeline, all this content has the potential to be exposed.

EPIC argues this is unacceptable and last month sent a four-page letter to the FTC, asking for an investigation. Facebook denies the claims that the new feature does not meet the terms of its FTC settlement, saying that "Timeline doesn't change the privacy of any content."

"We did see the response from Facebook," an EPIC spokesperson said in a statement. "It's not convincing."

Facebook argues that everything is accessible to the same people who could or likely had seen it already in their News Feed sometime in the past. When Timeline started to roll out globally (desktop and mobile), Facebook gave users seven days to add or remove anything they wanted from their Timeline before it went live. If the user did not make any changes, however, content they may not want visible (which was previously buried in the past) could be accessed much more easily, since Timeline does not discriminate based on date.

"And why do people now have to go through Timeline postings? Because Facebook posted stuff that most people assumed had vanished," an EPIC spokesperson said in a statement. "Facebook transitions are always like this. Each change is an opportunity for Facebook to nudge the settings toward greater disclosure. Privacy through obscurity has always been a key part of privacy safeguards with Facebook. That's why users pushed so hard on the right to delete accounts. I know Facebook says that the information was previously posted but users knew it took a lot of work to really dig back through a user's posts to find stuff that was no longer on the wall. It's ridiculous for Facebook to say that there is no impact on privacy."

In short, the public interest research center says Timeline nudges users to show more content they have already shared on the social network while Facebook argues that Timeline gives users more control over what is visible. That's just the privacy through obscurity part though.

In addition to the four-page letter sent to the FTC, EPIC also sent a much more detailed 30-page letter to the government body (PDF). In it, the group hopes the FTC will require Facebook to make the following five changes:

  • Restore the privacy settings that users had in 2009, before the unfair and deceptive practices addressed by the Complaint began;
  • Allow users to access all of the data that Facebook keeps about them;
  • Cease creating facial recognition profiles without users' affirmative consent;
  • Make Facebook's privacy audits publicly available to the greatest extent possible;
  • Cease secret post-log out tracking of users across web sites.

While the shorter letter specifically takes issue with Timeline, the longer one essentially outlines all the reasons EPIC is not satisfied with the FTC-Facebook settlement. Considering the settlement requires Facebook to obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years, the FTC will likely be looking into these demands soon.
