Just when you think Facebook is done shooting itself in the foot, it wings itself in the hand and takes off a couple of fingers.
First, the Yelp hack. Computer security researcher George Deglin proved it was possible to scrape a Facebook user’s name, email address, their friends’ email addresses, and other information shared with “everyone” off of Yelp by using a cross-site scripting hack that took advantage of those “instant personalization” features Facebook installed on the recommendations site.
Facebook’s response? Oops. That was “a bug,” now squashed. How comforting.
Second, the PR push. In a misguided effort to manage the roiling discontent about Facebook’s privacy bait-and-switch tactics, Vice President for Public Policy Elliot Schrage volunteered to take questions from New York Times readers. The Times published his responses to 14 of them (out of some 300 questions) a few hours ago. And no, my question about creating a one-click opt out was not among them.
If you needed another reason not to trust Facebook, Schrage provided several. Here’s bald-faced lie #1. A reader asked why not make everything on Facebook “opt in” – in other words, it’s private unless the user decides to make it public. Here’s Schrage’s answer:
“Everything is opt-in on Facebook. Participating in the service is a choice. We want people to continue to choose Facebook every day. Adding information — uploading photos or posting status updates or “like” a Page — are also all opt-in. Please don’t share if you’re not comfortable.”
It’s true that nobody’s putting a gun to your head to join Facebook or post your naked cell phone pics (not yet, anyway). But once you do, most of your personal information – your biography, interests, posts, friends, families, relationships, location, education, and more – is shared with “everyone” by default. You have to go in and change the settings to make it private.
That’s not an opt-in model, that’s an opt-out model. Either Schrage doesn’t understand the difference (which would be bad) or understands it but hopes you don’t (which is worse).
Bald-faced lie #2: A reader asked what happens when users delete their Facebook profiles. Here’s how Schrage answered:
“If you never want to use Facebook again, you can delete your account. Deletion is permanent, and the account can’t be reactivated. When we process your deletion request, we immediately delete all personal information associated with your account. Messages and Wall posts remain, but are attributed to an anonymous Facebook user. Content you’ve added is deleted over time, but isn’t accessible on Facebook, and isn’t linked with any personal information about you.”
This is, in fact, wrong. Again, this means either that Schrage genuinely doesn’t know how Facebook operates (which would be bad), or he’s lying through his pearly whites (which is worse).
I know this is not what happens when you try to delete your Facebook profile, because I just had to jump through hoops to delete my son’s profile (more details about that at a later date).
So let's start by talking about how hard it is to delete your Facebook account. There is no option under your account settings to permanently delete, so don’t even bother looking there. The best you can do is “deactivate” so your posts, friends list, etc. are all preserved for the day when you come to your senses and reactivate.
No, to find the delete button you have to go into the Help Center and search for “delete account.” (Don’t use the normal Facebook search window – you won’t find it.) That brings you to the Facebook FAQ page; question #5 is “I want to permanently delete my account. How do I delete my account?” Inside the answer to that one is a link to a page where you can delete your account.
But wait, you’re not out of the woods yet. In the Delete My Account window, you click Submit. This brings up another window with big red letters warning you that you’re about to permanently delete your account, asking you to provide your password and solve a CAPTCHA puzzle.
At that point, Facebook presents you with the following window:
In other words, your account has not been “immediately deleted,” it’s been deactivated for two weeks. If you suddenly decide to log in, all of your posts, updates, friends, etc. are instantly restored.
Worse, Facebook also generates an email to your log-on address giving you a simple, one-click option to restore your account. Here’s what that looks like:
I suppose if someone had stolen your password and decided to do you a dirty by deleting your Facebook account, this could be considered a safeguard. On the other hand, when you’re trying to delete your child’s Facebook account, and you don’t realize that this email is coming to him (because Facebook doesn’t tell you), it gives your child the perfect opportunity to restore his/her Facebook settings without ever telling you. Fortunately for me, I was logged into my son’s email account at the same time I was deleting his Facebook, so I caught the message in time.
Which leads me to three conclusions: 1. Facebook really wants to make it hard for you to leave. 2. They don’t want the world to know just how hard they make it for you to leave. 3. I wouldn’t trust Elliot Schrage to clean up after my dog.