YOU ARE HERE: LAT HomeCollections

Is your privacy secure online? There's no way to tell

While you think you're protecting your personal information, your identity is leaking out to sites you don't even know about in ways you can't possibly imagine.

June 06, 2010|Michael Hiltzik

Long before Facebook got blamed for turning the concept of online privacy into a sick joke, I could tell that the Internet was going to make the control of one's personal information a challenge.

That moment arrived in the late 1990s, when I realized that my listed phone number, previously accessible only to those who knew enough about me to know where I lived and therefore which local phone book to check or which 411 operator to call, had become available to anyone capable of typing my name — and that's all — into an online database.

Well, it was a listed number, after all. No great loss there. But things have headed straight downhill since then.

Internet companies persuaded Congress to let them regulate themselves. They promised to develop explicit policies covering to whom and under what circumstances they would share users' personal data, and stick to their promises. They awarded each other seals of good privacy housekeeping, so we'd trust them to safeguard our names, addresses, Social Security numbers and browsing habits.

What's the harvest? Scandal after scandal in which some big Internet service admits to having collected more data than it promised to, distributed it to people who shouldn't have seen it, or let it get hacked in ways that weren't supposed to happen. All these failures expose innocent users to identity theft or other invasions of privacy.

Typically, the guilty company responds by sending forth a top executive to say "We screwed up" ( Google co-founder Sergey Brin) or "We just missed the mark" (Facebook's Mark Zuckerberg).

Facebook is the face of this problem because it has been a serial violator of fair practice. The site purports to give its hundreds of millions of users "control" over how much of their personal information gets disclosed to strangers — name, birthday, likes and dislikes, gender, age, "friends" — but these controls are famous for being devilishly confusing and hard to use. Worse, several times over the last year or so, Facebook has unilaterally reset users' preferences to make such information more public without their consent.

This behavior finally provoked the Electronic Privacy Information Center and other advocacy groups to file a complaint last month with the Federal Trade Commission, alleging that Facebook is deceiving its users. The FTC has the matter under consideration.

Facebook responded by promising to simplify its settings. Plainly it has a lot further to go. I recently spent the better part of an hour tweaking the settings on my Facebook page, and I think I've arranged it so that my personal information and that of my "friends" is open only to the extent I want it to be. But for all I know, I've actually exposed myself and the visitors to my page to wholesale identity theft by every resident of the Planet Zarg. There's no easy way to tell.

Nor does that cover all the ways that information in Facebook accounts gets "leaked" to other sites, without any control by the users. Some of this happens through external applications Facebook allows users to access through their accounts. Some happens when outside websites collect user data from Facebook and compile it with the same users' data from other social networks or e-commerce sites.

In other words, while you think you're maintaining your privacy, your identity is leaking out to sites you don't even know about in ways you can't possibly imagine.

As Balachander Krishnamurthy of AT&T Labs and Craig Wills of Worcester Polytechnic Institute showed in a 2009 paper, networking sites such as Facebook, MySpace and LinkedIn have done a poor job of shielding user information that might be accessed from their accounts by third-party sites. This is the sort of "leakage" that can't be commonly controlled by user settings, only by the websites themselves.

"People are led to believe that they can make privacy settings and things will happen," Krishnamurthy told me. "But what happens underneath in the protocol exchange mechanism is something most people don't even know about and so would not be able to block."

Every time a popular online service rolls out a new feature, a new unforeseen potential opportunity for leakage arises. "We're always one privacy fiasco behind," says Ari Schwartz of the Center for Democracy and Technology, another privacy watchdog.

There's a notion in cyberspace that we're more comfortable sharing information about ourselves publicly today than we used to be, and that's good. One of Facebook's "core principles," according to an op-ed Zuckerberg published last month in the Washington Post, is that "a world that's more open and connected is a better world."

It can't be a coincidence that the leading promoters of such ideas are executives hoping to profiteer from snarfing up free-floating private information, like Zuckerberg. But there's no evidence that people have become more comfortable about letting their personal information loose.

Los Angeles Times Articles