Nutshell: Avoid the Facebook Privacy Scanner because it doesn’t really work. If you’re going to use Facebook, resign yourself to a lifetime of looking over your shoulder, because there’s no easy answer to privacy settings with a company that’s actively hostile to your privacy. If that sounds like too much hassle, you should exercise the one privacy option that’s completely in your control and simply watch what you say on Facebook.
Update: I filed a bug about the issue raised below on their GitHub site. http://github.com/mjpizz/reclaimprivacy/issues#issue/8
So, yesterday I noticed a link to the Facebook Privacy Scanner. In a nutshell, you drag a bookmarklet into your browser’s bookmark toolbar, visit your Facebook profile, click the bookmarklet, and get back a customized report on your privacy settings, with buttons that link to any settings you should consider changing.
To recap Facebook’s privacy scheme, there are three basic privacy settings you can set if you click on “Privacy Settings” under “Account” on your Facebook home page:
Friends of Friends
and there’s a “Customize” option, which will allow you to create rules like “Only Friends Except …” that apply to individuals or whole lists you’ve created. That way, you can be “friends” with people but restrict how much of your information is available to them. For instance, if you’ve friended all your coworkers but really don’t like the idea of letting them poke around in your “Drunk Lapdances I Have Given” photo album, you can keep just your “Coworkers” list from being able to see those pictures.
When you run the Privacy Scanner, it looks over the many, many areas where you can set your privacy options and reports on your settings using descriptive language that’s supposed to help clarify what your settings mean. For instance, it might say of your contact information, “all of your contact information is at restricted to your friends or closer,” or it might warn of your personal information, “some of your personal information is exposed to the entire Internet.”
So far so good.
The problem is that the Privacy Scanner doesn’t tell you about settings you have at “Friends of Friends.” If you have contact information settings that involve allowing “Friends of Friends,” it still reports “all your contact information is at restricted to your friends or closer.”
You may recall that Google Buzz caused an immense amount of trouble for at least one domestic violence survivor because it blithely assumed that anyone your friends are friends with is o.k. with you, too. But that’s not always going to be the case:
Maybe a past abuser is Facebook “friends” with a coworker, who is also your friend.
Maybe your boss, whom you avoided friending, is friends with a coworker.
Maybe you’re simply “friends” with a number of people through your neighborhood association, PTA or gardening club who are, in turn, friends with people you simply don’t know.
These are all cases where a “friend of a friend” isn’t really a friend at all, but the Privacy Scanner doesn’t make that distinction. In fact, it’s worse than Facebook—which is terrible about privacy—because it ignores the distinction.
I wrote the developer about the bug and he responded pretty quickly with “I thought that it was checking for that,” which was an alarming answer because a. there are only three privacy states you can actually check, b. he missed one of them, and c. it’s not a subtle bug: One would, presumably, do what I did when writing this blog entry, which is spot check how the Privacy Scanner handled each of the three possible states.
When I posted a link to the Privacy Scanner on my Facebook page, I noted the discrepancy but said “Still a good way to touch on each of the areas where you can look over your settings,” but I’d like to retract that now: It’s hard to have any confidence in a single-purpose tool that misses such a basic distinction.
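The spot check described above can be automated. This is an added example, not code from the Privacy Scanner project: `flawedVerdict` is a constructed reproduction of the reported behaviour, `sectionVerdict` is a hypothetical corrected check, and the labels "Only Friends" and "Everyone" and the setting name "Mobile phone" are assumptions. It also goes one step beyond the post by reporting unrecognized labels as "unknown", since the settings themselves keep changing.

```javascript
// Audience labels: "Friends of Friends" is from the post; the other two are
// assumed names for the narrowest and widest of the three basic settings.
const RANK = new Map([
  ["Only Friends", 0],
  ["Friends of Friends", 1],
  ["Everyone", 2],
]);
const VERDICTS = ["friends-only", "friends-of-friends", "everyone"];

// Constructed reproduction of the behaviour the post describes: only the
// widest audience is flagged, so "Friends of Friends" passes as friends-only.
function flawedVerdict(settings) {
  const exposed = Object.values(settings).some((a) => a === "Everyone");
  return exposed ? "everyone" : "friends-only";
}

// Hypothetical corrected check: report the widest audience found in a section.
// An unrecognized label (a renamed or new option) is reported as "unknown"
// instead of being silently counted as safe.
function sectionVerdict(settings) {
  let widest = 0;
  for (const audience of Object.values(settings)) {
    if (!RANK.has(audience)) return "unknown";
    widest = Math.max(widest, RANK.get(audience));
  }
  return VERDICTS[widest];
}

// Spot check: feed each known audience through a checker on its own and
// list the ones whose verdict collides with an earlier audience's verdict.
function collidingAudiences(checker) {
  const seen = new Map();
  const collisions = [];
  for (const audience of RANK.keys()) {
    const verdict = checker({ "Mobile phone": audience }); // constructed setting name
    if (seen.has(verdict)) collisions.push(audience);
    else seen.set(verdict, audience);
  }
  return collisions;
}

console.log(collidingAudiences(flawedVerdict));
console.log(collidingAudiences(sectionVerdict));
```

A checker that distinguishes every state produces an empty collision list; any audience that appears in the list is being reported under another audience's verdict.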
The Real Moral of the Story
But the problem here isn’t really the Privacy Scanner. That’s just an honest, flawed attempt to make Facebook’s growing quagmire of privacy options less difficult to pin down. The real problem is that Facebook is showing no signs of reducing its increasingly complex and over-clicky privacy settings. It’s been playing the same game for a number of years now, which is long enough to reasonably suspect that Facebook believes inundating you with options will cause you to give up trying to understand or use them all. That makes all the privacy choices worse than no choice at all, because every time the policies change, a certain percentage of the users affected either won’t hear the news or will assume it doesn’t apply to them (“didn’t I just go through and change all those settings a week ago? I’m probably good”).
None of the settings Facebook presents you with can reliably be expected to be there in a month, let alone a year, and any tool designed to make those settings easier to cope with will require such extensive verification that you’re better off just trying to keep up with the changes Facebook is making, and periodically review your settings for yourself.
If that sounds like too much hassle, you should exercise the one privacy option that’s completely in your control and simply watch what you say on Facebook.