21 Oct 2010

HBS Faculty offer perspectives on Facebook and privacy


BOSTON—Facebook was in the spotlight once again this week, but it had nothing to do with the movie about the company's founding. A Wall Street Journal story accused Facebook Inc. of violating the privacy of its millions of users, "transmitting identifying information" to advertising firms and Internet tracking companies. Was this business as usual for Mark Zuckerberg, a tempest in a tea pot, a fact of life in a world where privacy has become a rare commodity, or something that Facebook needs to address sooner rather than later?

Four Harvard Business School faculty members who are experts in social media—John A. Deighton, Benjamin G. Edelman, Sunil Gupta, and Mikolaj Jan Piskorski— offer their perspectives.

John A. Deighton, Harold M. Brierley Professor of Business Administration

People who live in glass houses probably shouldn't.

But if they do—and hundreds of millions of people live in Facebook's glass houses—then how upset should they be if their privacy is invaded? They choose to put their lives on display to their friends, with no certainty that their friends will respect the confidentiality of their disclosures, and in fact a fair degree of certainty that some of the disclosures will be passed along.

Let's not forget they are living rent-free in these glass houses.

They pay nothing to store their personal displays on Facebook's servers. They play social games like Farmville with friends on the other side of the globe without so much as a long distance phone bill.

Doesn't anyone wonder who's funding the largesse?

Perhaps Facebook has erred. If it made promises of privacy and violated them, and people suffered injury, no doubt the tort lawyers will take it to court, and then we could be talking real money. If so, maybe, it will be careful in the future not to make promises it can't keep.

But if consumers feel aggrieved, then perhaps they too have erred. They need to face up to the fact that although social media enable relationships, friendships, perhaps even love, to thrive, the media are underpinned and driven by personal information willingly and sometimes willfully submitted by the consumers themselves.

Web networks are businesses. They fund their existence by delivering relevant commercial communications to accurately profiled consumers. There is no such thing as a free lunch there or anywhere else.

Benjamin G. Edelman, Assistant Professor of Business Administration

Here they go again. According to the Wall Street Journal, Facebook has committed yet another privacy breach. Merely by opening applications on the site (anything from a game to a quiz or map), a user's Facebook username or user ID is revealed to advertisers and tracking companies that have placed code within the application. Thanks to Facebook's lax privacy defaults, these organizations can see a user's name, location, interests, friends, and more.

This week's privacy lapse follows my finding last May that when people click ads on Facebook, they're also revealing their user names and user IDs to advertisers. Facebook had repeatedly promised (12/9/2009, 4/6/2010, 7/1/2009) not to tell advertisers who clicked which ads, but my examination proved the site's promises to be untrue.

It's a discouraging series of problems. Users come to Facebook to share their information, trusting that the site will pass it on only to the friends users specify. Unfortunately, time and time again, Facebook's word just hasn't held true.

What now? Users dissatisfied with Facebook's privacy treatment could look elsewhere for social communication tools, but network effects give Facebook a big advantage. No other social network can match Facebook's 500 million users. Meanwhile, lawyers and regulators see Facebook with increasing distrust. Perhaps the company will end up paying a fine for its repeated design flaws. But the biggest penalty to date has come from the court of public opinion. Users are increasingly skeptical of Facebook's privacy promises. The next time Facebook says "Trust us," sensible users will likely say, "No way."

Sunil Gupta, Edward W. Carter Professor of Business Administration

This is not the first time Facebook has found itself in trouble over privacy issues. Remember Beacon, Facebook's first attempt at generating advertising revenue by puling data from external websites into Facebook? It was launched in November 2007 and later shut down after a class action suit was filed against Facebook. You would think that a company that is now the custodian of private information for over 500 million people across the world would be more diligent and careful about protecting its users' information. After all, that is the key asset of the company.

Therefore it is a surprise and disappointment that almost every six months you hear that Facebook has breached the trust of its users yet again. Is the company incompetent, ignorant, or simply arrogant?

Mark Zuckerberg has repeatedly played down this issue by suggesting that people want to share their private information with the world. The reality suggests otherwise. An increasing number of Facebook users are adults over 35 who are very concerned about privacy. In addition, the majority of Facebook users now come from abroad, where privacy concerns are even more critical than in the United States. A recent MIT study showed that when Facebook revised its privacy policy to give users greater control of their information, the click-through rate on its advertisements increased significantly.

So Mr. Zuckerberg needs to grow up a little and take this issue more seriously. It is no longer enough to say that it is a technical glitch that will be fixed next time. With size comes responsibility, and Facebook needs to adopt a policy like Google's of "doing no evil."

Mikolaj Jan Piskorski, Associate Professor of Business Administration and Marvin Bower Fellow

YAFPI is not PTRM!

In the last couple of days media have once again raised a YAFPI alarm (Yet Another Facebook Privacy Issue). With explicit user permission, Facebook gives certain user data to third-party application developers. Some of them are improperly sharing the data with advertisers and Web tracking companies.

In this case, however, the problem is not Facebook's policy, since the company prohibits such activity. Instead, it has to do with insufficient monitoring of third-party developers. Since Facebook does not control them, this gets complicated. But if prior history is anything to go by, this YAFPI will be fixed quickly.

Although these policy violations must be exposed, we must not forget about PTRM (Privacy That Really Matters). Most people could care less about what company knows their Facebook user ID or their friends' names. After all, applications built on top of Twitter can already read my private messages (with my permission), and no one seems to care.

But what people do care about is the ability to upload a picture on Facebook, restrict its visibility to a certain set of people, and then be assured that only these people will see it. Although Facebook excels at delivering on this promise, it could do even better. We should all hold them accountable for doing so. That would be PTRM!

About Harvard Business School

Founded in 1908 as part of Harvard University, Harvard Business School is located on a 40-acre campus in Boston. Its faculty of more than 250 offers full-time programs leading to the MBA and PhD degrees, as well as more than 175 Executive Education programs, and Harvard Business School Online, the School’s digital learning platform. For more than a century, faculty have drawn on their research, their experience in working with organizations worldwide, and their passion for teaching, to educate leaders who make a difference in the world. The School and its curriculum attract the boldest thinkers and the most collaborative learners who will go on to shape the practice of business and entrepreneurship around the globe.