Privacy Advisor

What Do You Want To Know About Facebook?

May 1, 2013

By Sam Pfeifle
Publications Director

One of the best attended breakout sessions at this year’s IAPP Global Privacy Summit featured Jules Polonetsky, CIPP/US, director of the Future of Privacy Forum and former CPO at AOL and DoubleClick, in a one-on-two conversation with Facebook CPO Erin Egan and General Counsel Edward Palmieri, CIPP/US. In a wide-ranging, hour-long conversation, the three sought to provide clarity on the privacy implications of the ever-growing kinds of Facebook advertising and app development and just what you’re doing when you add a “like” button to your website.

Before anything else, though, Polonetsky asked the Facebook team to expound on how they create a culture of privacy awareness at a company that’s known for having a “hacker culture.”

“We have a real cross-functional team that meets weekly and looks at all the products we want to launch,” said Egan. “How do we ensure that we take all the global laws into account? Part of that is making sure we have experts looking at every product that comes out.”

In fact, Palmieri noted, there is a CPO dedicated to Facebook products, Michael Richter, and Palmieri himself works continuously on keeping the company in alignment with the agreement it reached with the FTC in late 2011. Egan went into more detail about this relationship in the “Ask the CPO” section Facebook launched in January.

“A lot of folks wonder,” said Egan, “how do we reach our engineers in light of our culture? Well, you have to calibrate the program to the engineers. We have what we call office hours. If they have a hackathon and want to launch something in two days, we have folks on the ground. We tell them, ‘If you are working on something, we’re here.’”

Perhaps the murkiest privacy areas, however, are created by third-party app developers who build on the Facebook platform. How does Facebook regulate them?

“You should only be collecting information that’s necessary to operate your app,” Egan said. “You shouldn’t be asking for anything else.” Facebook works to police app developers and make sure they’re not going beyond their agreement.

What if, though, as one audience member asked, the information the app provides back to the user is itself the privacy concern?

“What about the Girls Around Me app?” the audience member asked. “It used location shared publicly on Twitter, Facebook, Foursquare, etc., to show you the faces of pretty girls near you. It was a bit creepy. I think they got booted from iOS…”

“As a general matter, this is a really important point,” said Palmieri. “Our policies are in place to make the customer’s third-party experiences better. But we create rules that people have to conform to, so their use of our apps is done in a productive way with positive interactions that people understand … And we make them obtain consent. The platform policies outline that when you’re receiving data from Facebook that you’re using it to show it back to that particular user, and if you want to go beyond that, you have to get their permission. And on top of all of that, you can’t use Facebook or any of our services to harass anyone or to violate any laws.”

This is not just a good privacy policy, he noted, it’s good business. “If the platform is being used maliciously,” Palmieri noted, “people are just going to opt out. We have these controls in place, and we want them to feel that their privacy is protected, but we also want them to use Facebook because it’s a great product.”

Finally, there’s that “like” button. Just what are websites that post it exposing their users to?

“People think, ‘Oh, Facebook must be gathering all this data,’” said Egan. “But, essentially, it’s an iframe; it’s a little piece of Facebook on your site. We’re not collecting anything being inputted into the site. There is some standard web browser stuff passed to us, the URL, etc., and there might be some cookie information. So if you’ve been to Facebook and logged in,” she continued, “we’ll know who you are. If you’ve been to Facebook and are not logged in, there are some security-related cookies. And if you’ve never been there, you just get time-and-date stamp and the things that tell the plug-in where to load.”

Further, argued Palmieri, the burden for disclosure here is on the websites themselves. “They should be telling their visitors through their policies what’s being collected. You need to decide and tell them you’re installing third-party code, whether it’s a plug-in or analytics code, that they’re interacting with you and their partners.”

Nor is it just Facebook. All those “share this” type buttons, Polonetsky noted, are free for a reason: They’re collecting data, and “if you don’t have a contract with them, they might actually be selling your data.”

“Know what the code does on your site,” Egan advised.

That’s probably good policy in all cases.