My first instinct was not to write about Mark Zuckerberg’s two days of testimony before Senate and House committees. Why bother adding to the chorus of wall-to-wall coverage? But, now that the hearings are over, I’ve had a chance to reflect on some of the issues that emerged during those two days.
One nearly obvious observation is that many of the lawmakers who spoke have a hard time understanding how social media, or for that matter the internet, works or the difference between a service’s responsibility to protect private information and a user’s right to disclose anything they want. Another observation is that Zuckerberg, despite being one of the smartest people I’ve ever met, still hasn’t figured out how to truly give users control over their information in a way that’s obvious, easy to implement and fully transparent.
It takes more than a yes or no answer
Let’s start with the fundamentals of social media. During Wednesday’s hearing Rep. Frank Pallone (D-N.J.) asked Zuckerberg “Yes or no? Will you commit to changing all the user default settings to minimize to the greatest extent possible the collection and use of users’ data?” adding “I don’t think that’s hard for you to say yes to, unless I’m missing something.” Zuckerberg responded, “This is a complex issue that I think deserves more than a one-word answer.” But Pallone cut him off and expressed his disappointment, perhaps in part because he and other representatives had only four minutes for their entire exchange with Zuckerberg. I would have preferred fewer questions, longer answers and thoughtful conversations.
What disappointed me was that Pallone’s insistence of a one-word answer prevented me from hearing how Zuckerberg would have responded to this important and complex issue.
Had he responded in full, I suspect he would have explained that the whole purpose of social media is to allow people to share information. If not, why bother calling it “social.” He might have explained that “minimize to the greatest extent possible,” is a rather vague concept. In fact, Facebook could engineer its service to collect nearly no information by default, but it wouldn’t be social media. It would be an information site, like a newspaper or blog. The whole idea of social media is to allow people to express themselves.
The congressman could have responded, “OK, let people express themselves, but don’t collect any personal information,” but that would have violated what Facebook calls its “real name culture,” a principle that Facebook established early on. As an organizational principle, Facebook insists that people identify themselves (with some safety related exceptions) and take responsibility for what they post. I’m not against sites that allow for anonymity — there are legitimate reasons why some people might not want to identify themselves, but such sites are often criticized for making it too easy for people to harass, bully and defame without having to take responsibility. By collecting and sharing each user’s identity, Facebook has done a better job than most at cutting back on these types of offensive posts.
I’m not sure what else Zuckerberg might have said in response to Pallone’s question, but I would have loved to have heard an intelligent discussion about what information collection should be opt-in only and what should be opt-out. I would also like to have heard a conversation about information that a social media company should collect and what tools it should use to protect user data. It’s a well-known fact that Facebook makes its money by presenting highly targeted ads based on who people are and what interests them. That’s fundamental to its business model and not likely to change as long as the service remains free. It’s also true for Google and even partially true for Amazon, which markets products based on user habits and data.
Some members of Congress and some in law enforcement have complained about how some apps, including Facebook-owned WhatsApp, encrypt user data and posts, making it much harder for law enforcement to access that data when solving crimes or fighting terrorism. Encryption is a very good privacy practice, but there are public officials demanding greater privacy and also an end to encryption or a back door to encrypted data. You can’t have it both ways.
Yet there are some things Facebook can and should do to protect user privacy, including changing some of its default settings to require users to opt-in rather than opt-out. For example, by default the “Public,” can see your friends list. That should be more restricted by default, perhaps to “Only me,” which is an option. Another default, “Do you want search engines outside of Facebook to link to your profile,” should default to no instead of yes.
Facebook could also make privacy settings easier to configure and, of course, needs to follow-up on its commitment to prevent third-party apps from disclosing user data. And it should make controls over data collected for advertising a lot more obvious. The controls are there, but people can’t find them.
Well-meaning but confusing in-line privacy settings
There is one well-meaning privacy setting that I want tweaked. Zuckerberg repeatedly told members of Congress that users have “in-line” controls over the audience for each post. Every time you post, you have the option to specify whether it can be seen by “Public,” or restricted to “Friends,” “Friends except…,” or “Only me.” You can also specify specific friends or create a custom list for this post such as co-workers, family, close friends or any other group.
I love that these settings are available for each post because there are times when you want to share with a small audience and other times when you might want to share with everyone. But one problem, which I suspect very few Congress members know, is that these settings are “sticky,” so, if you usually post to friends only and then decide to make one public post, your default will have changed to public until you change it again. It’s very easy to forget to change back so I can easily see how people might accidentally direct their posts to the wrong audience. There is a place in privacy settings where you can set “Who can see your future posts,” but that setting is automatically changed every time you use the in-line tool to change the audience of a single post. A better solution would be for that setting to remain sticky and for the in-line change to apply only to that one post.
Of course, I would have brought up this issue had I been at the hearing and allowed to speak. But, aside from Zuckerberg, there weren’t any apparent Facebook experts at the hearing nor would the four-minute-per-representative limit have allowed for such an explanation if one had been there. Yes, Facebook needs to be fixed. But so do Congressional hearings.
Disclosure: Larry Magid is CEO of ConnectSafely.org, a non-profit internet safety organization that receives financial support from Facebook and other companies.