Why Facebook employees are profiling users
What happens when you put twentysomethings in charge of a company with vast amounts of private information? Sheer madcap chaos, of course. Not to mention abuses of power. And that's what seems to be happening at Facebook. Valleywag kept hearing reports that Facebook employees had violated their users' privacy in a number of ways. The claimed abuses varied: Looking at restricted profiles to check out dates. Seeing which profiles a user had viewed. And, in one case, allegedly logging onto a user's account, changing her profile picture to a graphic image, and sending faked messages. Oh, and don't dare ask a Facebooker about any claims of misbehavior — they'll report you to customer service for "harassment." Facebook may have sophisticated privacy controls. But they don't appear to be deployed at headquarters.
Facebook's lawyers, at the least, seem aware of this state of affairs. Look at this language they wrote into Facebook's privacy policy:
We are not responsible for circumvention of any privacy settings or security measures contained on the site.
Read through the policy, and you'll note that while there's plenty of language about not sharing information with third parties, there's hardly anything about how information about what you do on Facebook is used within the company. Facebook has covered its ass, in other words, while exposing yours.
The letter of the policy is one thing. The spirit is another. High up in the policy, Facebook tells users, "You should have control over your personal information." You. Not a precocious, overcurious programmer.
The company's official official statement on the matter raises more questions than it answers:
We absolutely respect user privacy and access to site usage and profile information is restricted at the company. Any Facebook employees found to be engaged in improper access to user data will be disciplined or terminated.
The first part is simply risible. Facebook, as a company, may have a policy that employees should respect user privacy. But some Facebook employees obviously do not follow that policy, and Facebook appears to have no effective way of stopping them.
The second part, that access to sensitive data is "restricted" is meaninglessly vague. Restricted how? And to whom? Customer service employees, for example, obviously must have access to profiles and activity on the site in order to investigate complaints. What's to stop them from idly viewing other profiles while they're passing the time? And programmers and system administrators need to have deep access to the company's software. Even if access is restricted, has Facebook restricted it to people who deserve that trust? Has Facebook, say, conducted background checks on those employees? Does it log their every access to the system, and examine those logs? These are not idle questions: Retailer TJ Maxx is getting sued for taking a lax attitude to data security.
The third part, that Facebook employees caught breaking rules are terminated, seems obvious. But the question here is not what happens to employees who are caught. It's how Facebook catches them. And if it even has the ability to catch them.
Facebook's young employees have given the company much of the boisterous energy that has propelled it to a $15 billion valuation. That same youthful vigor has its downside. Today's twentysomethings have grown up on the Internet, in an environment where no information is safe from prying eyes. They know all too well that their privacy is an illusion. Why should they care about yours?
The grownups at Facebook may make noises about respecting users' privacy. The scant clan of thirtysomethings know that paying lip service to privacy controls is essential for Facebook's business. But, I wonder if a 20-year-old employee would even know what they're going on about.