A transparent approach to privacy policies

Transparent definition

Richard Beaumont’s article “Transparency Should Be the New Privacy” echoes a point I’ve also been making recently: data protection or privacy is mostly about transparency and trust. Sure, compliance is essential but from a data subject or consumer’s perspective, how transparent you are about how your process the data subject’s personal information and whether your activities engender trust are arguably as important. Achieving that requires a varied approach to data protection and one of the key elements is the document you publish about this, namely the privacy policy (also known as a “data protection policy”, “privacy statement” and other titles).

As Beaumont points out:

The website privacy policy is the basis on which organisations can claim they have received consent from customers/visitors to collect whatever data they want and do what they like with it. In a data-driven world, they are important documents. Expensive lawyers are often paid large sums of money to write them in the full knowledge that they will rarely be read. Of necessity, it is written in legalese that most people won’t fully understand, and it is long because it has to cover all eventualities.

Of course, hardly anybody reads them. In the vast majority of cases, it would be a colossal waste of time.

I don’t agree with an approach that obscures privacy policy wording by using legalese and complex language but privacy policies are typically not read and understood before data subjects share their personal information. On the other hand, Beaumont makes a number of good points about the purpose of most privacy policies:

However, the problem is not really with the privacy policy itself as a document; it is the fact that it has been mis-sold to us. We are led to believe its purpose is to inform. We are told this because consent relies on us being informed about what we are consenting to. It is the basis of almost all privacy law throughout the world.

However, if that were true, it wouldn’t be buried in a link at the bottom of the page and written in dense text that is often also in a smaller font than the rest of the site. Website designers and copywriters know how to inform people online. The privacy policy is the document on any website least likely to inform the visitor in any meaningful way.

The reality is that the privacy policy is designed to protect the owners in the case of a dispute—which is what most legal documents are designed to do. There is nothing wrong with this—these documents are necessary in certain circumstances. It’s just that they don’t fulfil the more common need for accessible information about privacy practices at the company.

He goes on to propose a “transparency policy” as an alternative to a conventional privacy policy. I don’t think we need a new term for the document except where using a new name shifts our perception of the document’s role. I’ve been reading a lot more about more visual legal documents and I like Beaumont’s suggested approach, at least in part:

The transparency statement will be short, clear and simple to understand. It might borrow from the “layered” privacy policy model and would almost certainly involve a strong visual element. It will be easily accessible and you will be encouraged to look at it, especially on a first visit. It will be the basis on which the website will set your expectations for how you and your data will be treated.

His model involves a transparency statement operating alongside a privacy policy which would give the transparency statement important “legal weight”. I don’t think this is necessary, though. I prefer some lawyers’ approach of publishing a “privacy statement” rather than a privacy policy. Although privacy policies are frequently framed as documents you, as a data subject, agree to, they can function just as well as statements of what personal information is being collected; how it is being processed and under what circumstances that personal information may be disclosed and to whom.

When I prepare privacy policies, I usually pair them with a website’s terms and conditions which invoke the privacy policy as an explanation of what personal information is processed and how. The terms and conditions then reference the privacy policy and provide the “legal weight” Beaumont refers to. In that model, a privacy policy could be reframed as a streamlined privacy statement along similar lines to Beaumont’s suggested transparency statement and lawyers. Inferring agreement with a privacy statement becomes largely unnecessary and it would only really be important to establish that data subjects agreed to the terms and conditions themselves which, in turn, would point to the privacy statement for information about personal information processing.

A streamlined privacy statement would also be better suited to more visual representations of its contents which makes them far more intelligible and, by extension, a company’s data processing activities more transparent. With more transparency comes more accountability and trust. In addition –

Because the transparency statement is also more likely to be read, commented on and engaged with, it will likely improve over time, and accepted standards might emerge. This would potentially create a virtuous circle that further improves clarity for consumers.

Emerging standards have further benefits which I find really exciting. The bottom line, though, is Beaumont’s conclusion:

Transparency statements could be the vehicle to enable the majority of people to make better-informed choices than they currently do and use a truly market-driven approach to online privacy practice.

SnapChat privacy is not what you think

SnapChat’s privacy controls are what made it both enormously popular and troubling to its young users’ parents. When SnapChat launched, it gave users the ability to share photos and videos which promptly vanished into the ether. This appealed to its typically young and privacy conscious users because they finally had a way to share stuff with each other with impunity. This obviously bothered parents and teachers as it potentially gave their children a way to share content they shouldn’t share.

An Federal Trade Commission investigation has led to acknowledgements that content posted on SnapChat isn’t nearly as temporary as everyone may have thought. The New York Times published an article titled “Off the Record in a Chat App? Don’t Be Sure” which began with the following:

What happens on the Internet stays on the Internet.

That truth was laid bare on Thursday, when Snapchat, the popular mobile messaging service, agreed to settle charges by the Federal Trade Commission that messages sent through the company’s app did not disappear as easily as promised.

Snapchat has built its service on a pitch that has always seemed almost too good to be true: that people can send any photo or video to friends and have it vanish without a trace. That promise has appealed to millions of people, particularly younger Internet users seeking refuge from nosy parents, school administrators and potential employers.

Oversight or lie?

The FTC’s release includes the following background to its investigation and its stance:

Snapchat, the developer of a popular mobile messaging app, has agreed to settle Federal Trade Commission charges that it deceived consumers with promises about the disappearing nature of messages sent through the service. The FTC case also alleged that the company deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure. In fact, the case alleges, Snapchat’s failure to secure its Find Friends feature resulted in a security breach that enabled attackers to compile a database of 4.6 million Snapchat usernames and phone numbers.

According to the FTC’s complaint, Snapchat made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.

“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises,” said FTC Chairwoman Edith Ramirez. “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

Touting the “ephemeral” nature of “snaps,” the term used to describe photo and video messages sent via the app, Snapchat marketed the app’s central feature as the user’s ability to send snaps that would “disappear forever” after the sender-designated time period expired. Despite Snapchat’s claims, the complaint describes several simple ways that recipients could save snaps indefinitely.

Consumers can, for example, use third-party apps to log into the Snapchat service, according to the complaint. Because the service’s deletion feature only functions in the official Snapchat app, recipients can use these widely available third-party apps to view and save snaps indefinitely. Indeed, such third-party apps have been downloaded millions of times. Despite a security researcher warning the company about this possibility, the complaint alleges, Snapchat continued to misrepresent that the sender controls how long a recipient can view a snap.

SnapChat published a brief statement about its agreement with the FTC on its blog which includes the following statement which is fairly worrying:

While we were focused on building, some things didn’t get the attention they could have. One of those was being more precise with how we communicated with the Snapchat community. This morning we entered into a consent decree with the FTC that addresses concerns raised by the commission. Even before today’s consent decree was announced, we had resolved most of those concerns over the past year by improving the wording of our privacy policy, app description, and in-app just-in-time notifications.

On the one hand, the FTC essentially found that SnapChat has been misleading its users about its service’s privacy practices and, on the other hand, SnapChat pointed to a communications lapse, almost as an oversight. Considering that SnapChat has always been focused on the fleeting nature of content posted on the service and the privacy benefits for its users, this doesn’t seem very plausible.

“Improved” privacy policy wording

SnapChat updated its privacy policy on 1 May. The section “Information You Provide To Us” is revealing because it qualifies “Snaps'” transient nature so much, transience seems to be the exception, rather than default behaviour:

We collect information you provide directly to us. For example, we collect information when you create an account, use the Services to send or receive messages, including photos or videos taken via our Services (“Snaps”) and content sent via the chat screen (“Chats”), request customer support or otherwise communicate with us. The types of information we may collect include your username, password, email address, phone number, age and any other information you choose to provide.

When you send or receive messages, we also temporarily collect, process and store the contents of those messages (such as photos, videos, captions and/or Chats) on our servers. The contents of those messages are also temporarily stored on the devices of recipients. Once all recipients have viewed a Snap, we automatically delete the Snap from our servers and our Services are programmed to delete the Snap from the Snapchat app on the recipients’ devices. Similarly, our Services are programmed to automatically delete a Chat after you and the recipient have seen it and swiped out of the chat screen, unless either one of you taps to save it. Please note that users with access to the Replay feature are able to view a Snap additional times before it is deleted from their device and if you add a Snap to your Story it will be viewable for 24 hours. Additionally, we cannot guarantee that deletion of any message always occurs within a particular timeframe. We also cannot prevent others from making copies of your messages (e.g., by taking a screenshot). If we are able to detect that the recipient has captured a screenshot of a Snap that you send, we will attempt to notify you. In addition, as for any other digital information, there may be ways to access messages while still in temporary storage on recipients’ devices or, forensically, even after they are deleted. You should not use Snapchat to send messages if you want to be certain that the recipient cannot keep a copy.

If you read the second paragraph carefully, you’ll notice the following exceptions to what most users assumed was the service’s default behaviour: permanently deleting Snaps after specified time intervals. I have highlighted the exceptions in the quotes below.

  1. “Similarly, our Services are programmed to automatically delete a Chat after you and the recipient have seen it and swiped out of the chat screen, unless either one of you taps to save it
  2. “… users with access to the Replay feature are able to view a Snap additional times before it is deleted from their device”
  3. “… if you add a Snap to your Story it will be viewable for 24 hours
  4. “Additionally, we cannot guarantee that deletion of any message always occurs within a particular timeframe
  5. “We also cannot prevent others from making copies of your messages …”
  6. “In addition, as for any other digital information, there may be ways to access messages while still in temporary storage on recipients’ devices or, forensically, even after they are deleted

The last sentence emphasises how much its users should rely on the service for meaningful privacy:

You should not use Snapchat to send messages if you want to be certain that the recipient cannot keep a copy.

Where does this leave SnapChat users?

The problem with these revelations is not that Snaps are actually accessible and may endure in some form or another. The problem is that SnapChat pitched a service that doesn’t retain its users’ content. SnapChat rose to prominence at a time when the world was reeling from revelations about unprecedented government surveillance which seemed to reach deep into a variety of online services we assumed were secure. It’s promise was to protect its users’ privacy and their content from unwanted scrutiny. In many respects, SnapChat seemed to be the first of a new wave of services that placed control in users’ hands.

In the process, SnapChat misled its users fairly dramatically and that is the most troubling aspect of this story. SnapChat users relied on an assumption that their content is transient and this has turned out not to be the case at all. Putting this into context, though, this doesn’t mean SnapChat is inherently less private than any other chat service. Short of poor security practices, this isn’t necessarily the case. It means that SnapChat is fairly comparable to other chat services which haven’t made similar claims about the privacy of their users’ communications.

That said, a significant challenge is that a significant proportion of SnapChat’s users are probably under the age of 18. Although US services are more concerned about children under the age of 13 using their services due to certain laws protecting children in the United States, our law doesn’t draw this distinction. In South Africa, a person under the age of 18 is a child and subject to special protections which SnapChat has had almost no regard for. Not only has SnapChat arguably processed children’s personal information in a manner which would not be acceptable in our law, it is misled those children about the extent to which it protects their privacy. At the very least, they and their parents should be very concerned and circumspect about continuing to use the service.

On a related note, it is worth reading Information Week’s article titled “5 Ways SnapChat Violated Your Privacy, Security“.

Your email providers don’t require a warrant to read your email

Our email providers give themselves much more convenient access to your data through their terms of service or privacy policies. On one hand, this is level of access may be necessary to prevent disruptions and limit liability but, on the other hand, these permissions we, as users, grant providers like Microsoft, Google, Yahoo and others pretty broad access to our data without requiring them to obtain court orders or satisfy any external legal requirement.

The Verge recently published disturbing news about Microsoft’s respect for its users’ privacy:

It came out yesterday that the company had read through a user’s inbox as part of an internal leak investigation. Microsoft has spent today in damage-control mode, changing its internal policies and rushing to point out that they could have gotten a warrant if they’d needed one. By all indications, the fallout is just beginning.

Your provider is watching you

As disturbing as this is, there is a bigger picture. As The Verge’s Russell Brandom goes on to point out –

But while Microsoft is certainly having a bad week, the problem is much bigger than any single company. For the vast majority of people, our email system is based on third-party access, whether it’s Microsoft, Google, Apple or whoever else you decide to trust. Our data is held on their servers, routed by their protocols, and they hold the keys to any encryption that protects it. The deal works because they’re providing important services, paying our server bills, and for the most part, we trust them. But this week’s Microsoft news has chipped away at that trust, and for many, it’s made us realize just how frightening the system is without it.

People following the Oscar Pistorius trial in the last week would have discovered that private chats can become very public if law enforcement authorities believe they are relevant to an investigation.

Although law enforcement authorities are required to follow various procedures to gain access to messaging and social media users’ communications, the companies operating the chat and email services we use daily don’t have this hurdle in their way if they deem it necessary to access their users’ communications.

The right to privacy in the South African Bill of rights includes the right not to have the “privacy [your] communications infringed”. This right is not absolute and can be (and is) limited by various laws including the Regulation of Interception of Communications and Provision of Communication-related Information Act which is how local law enforcement can obtain access to your communications. What this means is that, for law enforcement at least, there are checks and balances in place to protect our communications both thanks to laws as well as service providers’ requirements.

Unfortunately, those same providers give themselves much more convenient access to your data through their terms of service or privacy policies. On one hand, this is level of access may be necessary to prevent disruptions and limit liability but, on the other hand, these permissions we, as users, grant providers like Microsoft, Google, Yahoo and others pretty broad access to our data without requiring them to obtain court orders or satisfy any external legal requirement.

Microsoft

As The Verge pointed out, if you use Hotmail/Outlook.com, you have granted Microsoft permission to access your data. Microsoft’s Privacy Statement includes these permissions:

We may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers or the public.

Because you agree to the Privacy Statement as a condition of your use of Microsoft’s services, you have consented to these uses of your personal information. These consent enable Microsoft to circumvent any questions about privacy infringement because your legitimate expectation of privacy does not extend to these particular activities. This is the key rationale for a privacy policy and it is the same principle applies to the permissions you grant to other providers (I’ve referred to a couple more below).

Google

Google operates an enormously popular email service, Gmail, which is also probably one of the most secure from the perspective of external surveillance and attacks. While Google holds itself out as its users’ protector from external threats, it also has the option of accessing your data because you have agreed to this when you agreed to its Privacy Policy which includes these provisions:

We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users.

We may combine personal information from one service with information, including personal information, from other Google services – for example to make it easier to share things with people you know.

We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

  • meet any applicable law, regulation, legal process or enforceable governmental request.
  • enforce applicable Terms of Service, including investigation of potential violations.
  • detect, prevent, or otherwise address fraud, security or technical issues.
  • protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.

These three sections are drawn from different parts of Google’s Privacy Policy and, between them, they give Google permission to share fairly comprehensive information it has about you with law enforcement authorities as well as to use that information itself to, among other things, “protect” its services, itself and its users. This is a fairly broad term and this is likely intentional. When you write these sorts of policy documents, you don’t want to be too prescriptive if you anticipate requiring fairly broad consents for a wide range of foreseeable risks and to cater for unforeseen risks.

Yahoo

Yahoo’s webmail service is still very popular. While Yahoo’s privacy policy tends to be pretty good about handling users’ personal information, it also retains fairly broad permissions in its Privacy Policy (I added some emphasis):

Yahoo does not rent, sell, or share personal information about you with other people or non-affiliated companies except to provide products or services you’ve requested, when we have your permission, or under the following circumstances:

  • We believe it is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Yahoo’s terms of use, or as otherwise required by law.

Apple

Although not as popular as the other providers, Apple’s tight service and software integration makes its iCloud email service a convenient option, especially because its possible to create an email account on iCloud without requiring another email account first (which is increasingly rare). When you use Apple’s products and services, your consents include the following:

How we use your personal information

  • We also use personal information to help us create, develop, operate, deliver, and improve our products, services, content and advertising, and for loss prevention and anti-fraud purposes.

  • We may also use personal information for internal purposes such as auditing, data analysis, and research to improve Apple’s products, services, and customer communications.

Where this leaves you

<

p>Public events like the Oscar Pistorius trial and, before it, the ongoing revelations about state surveillance programs over the last year or so, have reminded us that our private communications are not quite as private as we may have hoped. Our privacy is protected more by obscurity and because our communications, for the most part, are not the sorts of things others would be terribly concerned about.

Our trust and the possibility of severe reputational harm keep the likes of Google, Yahoo, Microsoft, Facebook and others generally honest although, as we have seen with Microsoft, they may be prepared to break that trust if the reason is compelling enough to them. They will invariably point to the permissions we give them in our contracts with them and they’ll be quite right. We have agreed to this and we’ll continue being in agreement with them having this level of access to our data because the alternatives are not nearly as convenient.

You are a soldier in Google’s Cold War with Facebook for social dominance

The underlying dynamic that likely drives Facebook’s and Google’s amendments to their policy and terms frameworks is that we users tend to place more value on recommendations from our friends and family. Facebook and Google’s advertising and promotional models (as well as a number of other services that personalise ads) are increasingly designed to manufacture these recommendations using our activities on the various services without the need for us to actively apply our minds to what we are recommending and what we choose not to. At the moment, the dominant model is one in which we choose to signify our approval of a brand, product or service by Liking or +1’ing it. These changes start to make those actions less important as a recommendation signal and are made possible through contractual models which include privacy policy frameworks and terms and conditions.

Shifting Publicity Policies

Between Facebook and Google, these two companies have voluntold[1] us that we are now part of their sales teams. It started with Facebook’s announcement on 29 August 2013 that it intends amending it’s Statement of Rights and Responsibilities (I’ll call it the “Statement” below) and the Data Use Policy which included an expanded section describing what personal information it intends using to, essentially, sell products and services using you to make that happen. Before I go into more detail, it’s important to note something about how these policy changes bind you.

Whenever services like Google and Facebook explain changes to policy frameworks and their terms and conditions, they explain that they won’t use your personal information in certain ways unless you give them permission to do so. They don’t but this is really just a ruse. You have already given them permission when you signed up to use the service and your permission takes the form of privacy policies that include your agreement that they can amend the policies and other terms and conditions pretty much at will. If they are going to be truly transparent, they should say something along the lines of –

unless you give us your permission to do so (which you have already, so thanks for that)

The underlying dynamic that likely drives Facebook’s and Google’s amendments to their policy and terms frameworks is that we users tend to place more value on recommendations from our friends and family. Facebook and Google’s advertising and promotional models (as well as a number of other services that personalise ads) are increasingly designed to manufacture these recommendations using our activities on the various services without the need for us to actively apply our minds to what we are recommending and what we choose not to. At the moment, the dominant model is one in which we choose to signify our approval of a brand, product or service by Liking or +1’ing it. These changes start to make those actions less important as a recommendation signal and are made possible through contractual models which include privacy policy frameworks and terms and conditions.

How You Are Selling for Facebook

The current Statement currently includes the following clauses dealing “About Advertisements and Other Commercial Content Served or Enhanced by Facebook” –

Our goal is to deliver ads and commercial content that are valuable to our users and advertisers. In order to help us do that, you agree to the following:

  1. You can use your privacy settings to limit how your name and profile picture may be associated with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. You give us permission to use your name and profile picture in connection with that content, subject to the limits you place.
  2. We do not give your content or information to advertisers without your consent.
  3. You understand that we may not always identify paid services and communications as such.

Note that you have already given your permission for Facebook to use “your name and profile picture” in connection with ads and sponsored content. The new, proposed version, goes even further and may (it hasn’t been finalised yet) state the following:

Our goal is to deliver advertisings and other commercial or sponsored content that are is valuable to our users and advertisers. In order to help us do that, you agree to the following[2]:

  1. You can use your privacy settings to limit how your name and profile picture may be associated with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. You give us permission to use your name, and profile picture, content, and information in connection with commercial, sponsored, or relatedthat content (such as a brand you like) served or enhanced by us, subject to the limits you place[3]. This means, for example, that you permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you. If you have selected a specific audience for your content or information, we will respect your choice when we use it.

If you are under the age of eighteen (18), or under any other applicable age of majority, you represent that at least one of your parents or legal guardians has also agreed to the terms of this section (and the use of your name, profile picture, content, and information) on your behalf.[4]

  1. We do not give your content or information to advertisers without your consent.

  2. You understand that we may not always identify paid services and communications as such.

The other changes to the Statement addressed issues such as software installation, dispute resolution and a reminder that using mobile data could incur charges. The proposed changes to the Data Use Policy are pretty extensive and you have to read through the whole document to get a sense of the overall picture. For example, one of the edited clauses states the following:

As described in “How we use the information we receive,” We we also put together data from the information we already have about you,and your friends, and others, so we can offer and suggest a variety of services and features. For example, we may put together data about you to determine make friend suggestions, pick storieswhich for friends we should show you in your News Feed, or suggest people you to tag in the photos you post. We may put together your current city with GPS and other location information we have about you to, for example, tell you and your friends about people or events nearby, or offer deals to you in which that you might be interested in. We may also put together data about you to serve you ads or other content that might be more relevant to you.

Further down the marked up Data Use Policy, under part IV, one of the paragraphs begins with the following:

When we deliver ads, we do not share your information (information that personally identifies you, such as your name or contact information) with advertisers unless you give us permission.

It then goes on to describe how Facebook personalises ads. It is a very interesting read because it describes, in a fair amount of detail, how Facebook uses your personal information to sell relevant ads. It is a powerful model and the proposed changes to allow Facebook to incorporate more of your personal information into what are effectively personal endorsements is likely to be even more lucrative for Facebook.

The comment period for these changes closed on the 7th of September and we will have to wait and see to what extent these proposed changes will be applied. Of course these changes are not isolated. Facebook made a number of additional announcements recently which reinforce this trend.

The first change was fairly innocuous. On 30 September, Facebook published a post titled “Graph Search Now Includes Posts and Status Updates” which is fairly self-explanatory –

Starting today, Graph Search will include posts and status updates. Now you will be able to search for status updates, photo captions, check-ins and comments to find things shared with you.

Search for the topics you’re interested in and see what your friends are saying, like “Dancing with the Stars“ or ”Posts about Dancing with the Stars by my friends.”

The next announcement which attracted more interest was the announcement on 10 October which was styled as a reminder and is titled “Reminder: Finishing the Removal of an Old Search Setting” –

Last year we announced the removal of an old setting called “Who can look up your Timeline by name?” along with new controls for managing content on Facebook.

The search setting was removed last year for people who weren’t using it. For the small percentage of people still using the setting, they will see reminders about it being removed in the coming weeks.

Whether you’ve been using the setting or not, the best way to control what people can find about you on Facebook is to choose who can see the individual things you share.

More publicly shared profile data coupled with all that profile data being indexed by Facebook’s powerful Graph Search means that even more users’ personal information becomes accessible for use in personalised ads with the only limitation being selective sharing by choosing whether to share updates publicly or friends (this can be further delineated using friends lists if you use them). Assuming Facebook’s proposed changes to its Statement and Data Use Policy are implemented (and they likely will be, in some form or another), you can expect even more personalised ads that include what appear to be more personal recommendations from your Facebook connections. It is both very sneaking and, at the same time, very clever and you have agreed to this (whatever this turns out to be) already.

Yes, You Work for Google Too

Google’s approach is far more nuanced than Facebook’s and users do appear to have an option to opt-out of its personalisation model (and it is an opt-out, you are opted-in by default). The changes were announced on 11 October in a document that summarises the changes that Google will implement on 11 November 2013. In contrast to Facebook’s governance model which still allows for some degree of community involvement, Google tends to announce changes and implement them without much public consultation. Google explains its “Shared Endorsements” model as follows:

We want to give you – and your friends and connections – the most useful information. Recommendations from people you know can really help. So your friends, family and others may see your Profile name and photo, and content like the reviews you share or the ads you +1’d. This only happens when you take an action (things like +1’ing, commenting or following) – and the only people who see it are the people you’ve chosen to share that content with. On Google, you’re in control of what you share. This update to our Terms of Service doesn’t change in any way who you’ve shared things with in the past or your ability to control who you want to share things with in the future.

Feedback from people you know can save you time and improve results for you and your friends across all Google services, including Search, Maps, Play and in advertising. For example, your friends might see that you rated an album 4 stars on the band’s Google Play page. And the +1 you gave your favorite local bakery could be included in an ad that the bakery runs through Google. We call these recommendations shared endorsements and you can learn more about them here.

When it comes to shared endorsements in ads, you can control the use of your Profile name and photo via the Shared Endorsements setting. If you turn the setting to “off,” your Profile name and photo will not show up on that ad for your favorite bakery or any other ads. This setting only applies to use in ads, and doesn’t change whether your Profile name or photo may be used in other places such as Google Play.

If you previously told Google that you did not want your +1’s to appear in ads, then of course we’ll continue to respect that choice as a part of this updated setting. For users under 18, their actions won’t appear in shared endorsements in ads and certain other contexts.

For greater control over your experience with ads on Google, you can also use Google’s Ads Settings tool to manage ads you see. Learn more.

The main change to Google’s Terms of Service is this insertion under the heading “Your Content in our Services”:

If you have a Google Account, we may display your Profile name, Profile photo, and actions you take on Google or on third-party applications connected to your Google Account (such as +1’s, reviews you write and comments you post) in our Services, including displaying in ads and other commercial contexts. We will respect the choices you make to limit sharing or visibility settings in your Google Account. For example, you can choose your settings so your name and photo do not appear in an ad.

Google users can opt-out of this option and a help page explains the process. An interesting part of the process is the following (I highlighted the interesting bit):

Go to the Shared Endorsements setting page. If you are not already a Google+ user, you will be asked to upgrade your account.

Why is this interesting? Because it is a pretty devious way to persuade more Google services users to “upgrade” their Google accounts to Google+ accounts and integrate deeper into the broader Google platform. Driving Google+ user adoption (in other words, persuading users to activate Google+ integration) is how Google is going to make meaningful inroads into Facebook’s dominance on the social Web. It is Google’s metaphorical arms build up in its battle with Facebook for dominance on the social Web and for a larger stake in the social marketing space.

I imagine that even if you opt-out of the Shared Endorsements program, you will still see personalised ad suggestions. Reducing the likelihood of your personal information being used to personalise ads will probably require browsing the Web anonymously or, at the very least, reviewing your privacy settings very carefully and customising them to suit your preferences.

Caught in the Cross-Fire

When the media covers these sorts of changes, the implication tends to be that personalisation is bad and should be resisted at all costs. That isn’t necessarily the case. If you accept that you will be faced with ads in a service you find truly useful and don’t pay for, being presented with more relevant ads is probably going to enhance your experience of those ads. The real question is whether users have meaningful control over their personal information and can opt-out of personalised ads and still have use of these services. I think that answer will increasingly become “no” as more and more functionality becomes dependent on your participation, willing or not.

Facebook frequently talks about features it is removing and which were only used by a small percentage of users. Most recently one of those features is the option of not being included in Graph Search. The fact that so few users have enabled that option says more about how aware users are of these sorts of “features” and whether they are adequately informed about their value. The answer is overwhelmingly “very few” and “definitely not”. For the most part, users just want to post fun photos and videos and share stuff. They don’t think about how their rights are affected and that only changes when there is significant attention on major changes. To combat this, services like Google and Facebook have adopted the legal equivalent of stealth weapons and make use of nuanced language, misdirection and selective emphasis to deflect attention from the problematic changes.

What we see is a sort of war by proxy between the major social services and in which users could find themselves fuelling various services’ efforts to gain market share without being aware of much more than more personalised ads and begin prodded to “upgrade” their accounts to take advantage of the new flashy options. For so long as users feel they benefit more than they are prejudiced, this deal works for them but the challenge has always been whether users are aware of the extent to which their options are being limited and they are being traded for bigger weapons in this digital battlefield? The answer for the most part is “no” and that is not likely to change any time soon.


  1. It’s a made-up word for what happens when you sort of volunteer and are also told that you are signing up for something, especially when you don’t usually have much choice.  ↩
  2. I have marked up the proposed edits with strikethrough for deletions and bold for insertions.  ↩
  3. Isn’t this an interesting deletion?  ↩
  4. This is a challenging one. If you are under the age of 18 in South African law you may lack the legal capacity to agree to this so the consent Facebook takes may still amount to a violation of children’s rights to privacy.  ↩

LinkedIn’s expanded and more intelligible privacy policy

LinkedIn recently announced an update to its privacy policy and user agreement in a blog post titled Updating LinkedIn’s Privacy Policy. Although LinkedIn updated the user agreement too, the emphasis was more on updates to its privacy policy. The new policy expands on a number of issues and reinforces the extent to which users needs to take responsibility for their actions when using the service.

LinkedIn recently announced an update to its privacy policy and user agreement in a blog post titled “Updating LinkedIn’s Privacy Policy”. Although LinkedIn updated the user agreement too, the emphasis was more on updates to its privacy policy

Updated user agreement

The user agreement remained substantially the same as the previous version. The big change is more about layout and accessibility improvements. The new version makes use of summaries in a side panel which highlight the key points in the somewhat denser text in the main body of the document.

Other helpful features of the new version are a reminder about the contractually binding nature of the user agreement as well as a summary of the changes to this version (LinkedIn published a changes summary with its previous version in October 2012).

Updated privacy policy

The privacy policy received the same visual overhaul as the user agreement. An appealing change to the privacy policy which wasn’t applied to the user agreement is the use of a series of icons that remind me of the Mozilla-originated Privacy Icons project which was established to bring more clarity to privacy policies using descriptive icons. Although the icons in the LinkedIn privacy policy don’t go quite in the same direction or as far as the Privacy Icons project, they are helpful in ascertaining, at a glance, what the various sections are about.

One of the fundamental clauses in the privacy policy is the clause titled “Consent to LinkedIn Processing Information About You” which reminds users about the effect of the policy:

The personal information you provide to us may reveal or allow others to identify aspects of your life that are not expressly stated on your profile (for example, your picture or your name may reveal your gender). By providing personal information to us when you create or update your account and profile, you are expressly and voluntarily accepting the terms and conditions of LinkedIn’s User Agreement and freely accepting and agreeing to our processing of your personal information in ways set out by this Privacy Policy. Supplying information to us, including any information deemed “sensitive” by applicable law, is entirely voluntary on your part. You have the right to withdraw or modify your consent to LinkedIn’s collection and processing of the information you provide at any time, in accordance with the terms of this Privacy Policy and the User Agreement, by changing your Settings or by closing your account.

The new privacy policy goes onto quite a bit more detail about what personal information it collects from you and what it does with that personal information. For example, in the 2012 version, the privacy policy says the following about registration information:

When you register an account to become a LinkedIn user (“User”), such as your name, e-mail, employer, country, and a password.

In the new privacy policy, LinkedIn uses a more detailed clause:

To create an account on LinkedIn, you must provide us with at least your name, email address, and a password. You can choose to provide further information about yourself during the registration process (for example, your gender and location). We use this additional information to provide you with more customized services like language-specific profile pages and updates, more relevant ads, and more valuable career opportunities, and it may appear on your LInkedIn profile that is viewable by others. You understand that, by creating an account, LinkedIn and others will be able to identify you by your LinkedIn profile, and you allow LinkedIn to use this information in accordance with this Privacy Policy and our User Agreement. We may also ask for your credit card details if you purchase certain LinkedIn services.

Some clauses are entirely new and relate to LinkedIn’s expanded service offering. The clause dealing with “Address book, LinkedIn Contacts, and other services that sync with LinkedIn” deals largely with LinkedIn’s contacts import feature and its new LinkedIn Contacts app which combines contacts on your device with interactions on LinkedIn and select 3rd party services like Evernote and Tripit. This functionality introduces an interesting challenge, especially given LinkedIn’s professional focus. Users can add their contacts’ contact details and that information potentially has considerable value (imagine the value of, say, Richard Branson’s mobile number if you are fortunate to have it?).

LinkedIn allows users to remove data they have introduced to LinkedIn, to a degree. The following clause is part of the Address book clause:

Any information that you upload or sync with LinkedIn is covered by the User Agreement and this Privacy Policy. You can remove your information at your convenience using the features LinkedIn makes available or in accordance with Section 3. We collect information when you sync non-LinkedIn content—like your email address book, mobile device contacts, or calendar—with your account. We use this information to improve your experience. You can remove your address book and any other synced information at any time.

The user agreement’s relevance is largely that it contains license provisions which apply to content users submit to LinkedIn (for example, an image of Richard Branson’s business card submitted with LinkedIn’s CardMunch app). These provisions state the following (I highlighted some of the more interesting words and phrases):

You own the information you provide LinkedIn under this Agreement, and may request its deletion at any time, unless you have shared information or content with others and they have not deleted it, or it was copied or stored by other users. Additionally, you grant LinkedIn a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to LinkedIn, including, but not limited to, any user generated content, ideas, concepts, techniques and/or data to the services, you submit to LinkedIn, without any further consent, notice and/or compensation to you or to any third parties. Any information you submit to us is at your own risk of loss. By providing information to us, you represent and warrant that you are entitled to submit the information and that the information is accurate, not confidential, and not in violation of any contractual restrictions or other third party rights. It is your responsibility to keep your LinkedIn profile information accurate and updated.

Submitting information to LinkedIn requires users to take responsibility for what they are submitting. Bearing in mind that LinkedIn has extended its platform to 3rd party websites and services in a manner that is not all that different to Facebook’s Platform extensions (although Facebook seems to have taken more care to give its users options for removing information they submit to Facebook), sharing sensitive information with LinkedIn can have problematic consequences.

This is especially important bearing in mind LinkedIn’s “Indemnification” clause in the user agreement which provides as follows:

You agree to indemnify us and hold us harmless for all damages, losses and costs (including, but not limited to, reasonable attorneys’ fees and costs) related to all third party claims, charges, and investigations, caused by (1) your failure to comply with this Agreement, including, without limitation, your submission of content that violates third party rights or applicable laws, (2) any content you submit to the Services, and (3) any activity in which you engage on or through LinkedIn.

Although LinkedIn references your ability to close your account and remove your data from the service repeatedly, it may not be quite so simple. LinkedIn reserves the right to retain data after you have closed your account. This is not unusual but you should factor this into your planning when you share information:

We retain the personal information you provide while your account is active or as needed to provide you services. LinkedIn may retain your personal information even after you have closed your account if retention is reasonably necessary to comply with our legal obligations, meet regulatory requirements, resolve disputes between Members, prevent fraud and abuse, or enforce this Privacy Policy and our User Agreement. We may retain personal information, for a limited period of time, if requested by law enforcement. LinkedIn Customer Service may retain information for as long as is necessary to provide support-related reporting and trend analysis only, but we generally delete closed account data consistent with Section 3.A., except in the case of our plugin impression data, which we de-personalize after 12 months unless you opt out.

This policy operates on the basis of consents users give to LinkedIn through the privacy policy itself. As this warning, below, points out, you agree to the user agreement and privacy policy (and subsequent changes) when you use the service. It is your responsibility to read the user agreement and privacy policy carefully and make sure you both understand the documents and are comfortable that your intended use of the service falls within the scope of that governing contractual framework and your comfort levels.

Instagram’s revised 2013 Terms of Use and Privacy Policy may not be better

Heavy Chef with Don Packett-6

Two steps back and to the side

Instagram revised its controversial Terms of Use after reviewing feedback on and criticisms about its proposed changes due to take effect in January 2013. Kevin Systrom published a blog post a few hours ago in which he included the following:

Earlier this week, we introduced a set of updates to our privacy policy and terms of service to help our users better understand our service. In the days since, it became clear that we failed to fulfill what I consider one of our most important responsibilities – to communicate our intentions clearly. I am sorry for that, and I am focused on making it right.

The concerns we heard about from you the most focused on advertising, and what our changes might mean for you and your photos. There was confusion and real concern about what our possible advertising products could look like and how they would work.

Because of the feedback we have heard from you, we are reverting this advertising section to the original version that has been in effect since we launched the service in October 2010. You can see the updated terms here.

Going forward, rather than obtain permission from you to introduce possible advertising products we have not yet developed, we are going to take the time to complete our plans, and then come back to our users and explain how we would like for our advertising business to work.

You also had deep concerns about whether under our new terms, Instagram had any plans to sell your content. I want to be really clear: Instagram has no intention of selling your photos, and we never did. We don’t own your photos – you do.

The bottom line (if you don’t want to get into some of the details below): if you were comfortable using Instagram before Instagram presented its new Terms of Use and Privacy Policy, you’ll probably be comfortable continuing to use the service.

Reverting to the current wording, sort of

The paragraph in the new Terms of Use which caused the outrage has been removed and substituted with the original paragraph from the current terms. It reads:

Some of the Service is supported by advertising revenue and may display advertisements and promotions, and you hereby agree that Instagram may place such advertising and promotions on the Service or on, about, or in conjunction with your Content. The manner, mode and extent of such advertising and promotions are subject to change without specific notice to you.

Instagram changed the preceding paragraph by shifting some emphasis to the new Privacy Policy. The amended paragraph states the following:

Instagram does not claim ownership of any Content that you post on or through the Service. Instead, you hereby grant to Instagram a non-exclusive, fully paid and royalty-free, transferable, sub-licensable, worldwide license to use the Content that you post on or through the Service, subject to the Service’s Privacy Policy, available here http://instagram.com/legal/privacy/, including but not limited to sections 3 (“Sharing of Your Information”), 4 (“How We Store Your Information”), and 5 (“Your Choices About Your Information”). You can choose who can view your Content and activities, including your photos, as described in the Privacy Policy.

The changes are highlighted.

Not necessarily better

This doesn’t mean that Instagram has capitulated and won’t ever use your personal information and content as part of an advertising model. It means that it will do so as you currently agree it may and that it may change the model later “without specific notice to you”. In some respects, this is a little more problematic because the current/revised clause is broad enough to allow Instagram to do what it described in the controversial clause which was just more explicit about the changes.

Aside from the third paragraph which remains in place (and which we repeated below), the changes appear to have addressed the main concerns about the update:

You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such.

This residual paragraph opens the door for Instagram to still associate ads with your Content and not clarify whether this association is part of a paid service, sponsored content or commercial communication. This may a concern for people who are being paid to sponsor specific brands and products and who are prohibited from being publicly associated with competiting brands and products as the advertising Instagram could use could intefere with those sorts of restrictions.

An example of this could be a sports personality who is sponsored by, say, Adidas and who may be prohibited from any association with, say, Nike in public. If Instagram creates a Nike ad and places in on the person’s profile page or otherwise places it in such a way that its placement implies an endorsement by the sports personality because of something the sports personality posted or uploaded, that could create an issue with Adidas.

If you bear in mind that “Content” is defined as follows, you get a sense of how broad these paragraphs are:

any data, text, files, information, usernames, images, graphics, photos, profiles, audio and video clips, sounds, musical works, works of authorship, applications, links and other content or materials

Below is a comparison between the original 2013 version and the revised 2013 version. The marked up edits are changes from the original 2013 version to the revised 2013 version:

Other edits

Instagram also removed the odd insertion of the current terms after the Territorial Restrictions clause which was pretty odd. It also changed the revised Terms of Use’s implementation date to 19 January 2013.

The new Privacy Policy

Privacy Policies are really important documents. They are the means by which your consent to process your personal information is obtained and you agree to them when you start using a service or register for a service. You should read these privacy policies and adjust your privacy settings to suit your sharing preferences. We can’t emphasise this enough. As with most of the social services you use on the Web today, paying attention to your privacy settings and these sorts of documents is your only real tool for safeguarding your content and your personal information.

The new Instagram privacy policy which will be published in January 2013 highlights the linkages between Instagram and Facebook and how some of your personal information may be shared with Facebook and other “Affiliates”. The changes to the Privacy Policy are not quite as extensive as the changes from the current Terms of Use to the 2013 Terms of Use but there are a number of important edits.

For starters, the parties with whom Instagram may share your personal information have been somewhat expanded. This paragraph was added to the 2013 Privacy Policy:

We may share User Content and your information (including but not limited to, information from cookies, log files, device identifiers, location data, and usage data) with businesses that are legally part of the same group of companies that Instagram is part of, or that become part of that group (“Affiliates”). Affiliates may use this information to help provide, understand, and improve the Service (including by providing analytics) and Affiliates’ own services (including by providing you with better and more relevant experiences). But these Affiliates will honor the choices you make about who can see your photos.

Notice the highlighted section? This is the permission you give Instagram to share your “User Content” and your personal information with Facebook and any other companies which become part of Facebook’s group of companies. In some respects, this is similar to Google’s recent move to consolidate its legal frameworks across various products and services. The term “User Content” is defined as follows:

content, including photos, comments and other materials

Another substantive change is the following paragraph which expands on a previous paragraph stating that Instagram would disclose personal information to law enforcement officials or otherwise where required by legal authority:

We may access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so. This may include responding to legal requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law in that jurisdiction, affects users in that jurisdiction, and is consistent with internationally recognized standards.
We may also access, preserve and share information when we have a good faith belief it is necessary to: detect, prevent and address fraud and other illegal activity; to protect ourselves, you and others, including as part of investigations; and to prevent death or imminent bodily harm. Information we receive about you may be accessed, processed and retained for an extended period of time when it is the subject of a legal request or obligation, governmental investigation, or investigations concerning possible violations of
our terms or policies, or otherwise to prevent harm.

When it comes to storing your personal information, the amended Privacy Policy includes its Affiliates and, in some instances, Service Providers in the list of parties who may transfer and store your personal information. In practical terms this may mean Instagram can handle data somewhat more efficiently, such as taking advantage of Facebook’s new datacentres for storage.

Other than these more substantive changes, there aren’t many changes to the Privacy Policy. Below is a document highlighting changes from the current, 2012, Privacy Policy to the proposed 2013 version:

What changes to Facebook’s governance structure mean for users

An Overview of the Proposed Changes

Introduction

Facebook post about proposed changes to Data Use Policy and Statement of Rights and Responsibilities-2Facebook’s changes to its Statement of Rights and Responsibilities and its Data Used Policy generally attract a fair amount of attention and consternation. It’s latest changes are no exception and while there is reason for some concern, the proposed changes won’t have the radical impact many fear it will. In a post titled “Proposed Updates To Our Governing Documents”, Facebook’s Vice President for Communications Public Policy and Marketing, Elliott Schrage, introduce the changes as follows:

Today we are proposing some updates to two documents which govern our site: our Data Use Policy, which explains how we collect and use data when people use Facebook, and our Statement of Rights and Responsibilities (SRR), which explains the terms governing the use of our services. These updates provide more detailed information about our practices, reflect changes to our products, and improve how we conduct our site governance process.

Changes to the Statement of Rights and Responsibilities

The most significant change to the Statement of Rights and Responsibilities (this is what Facebook calls its service terms of use) is the proposed removal of a participatory which it introduced in 2009 which notionally gave users the opportunity to vote on proposed changes to Facebook’s governing legal frameworks. This voting mechanism provided that if more than 7000 users –

… post a substantive comment on a particular proposed change, we will also give you the opportunity to participate in a vote in which you will be provided alternatives. The vote shall be binding on us if more than 30% of all active registered users as of the date of the notice vote.

The proposed changes are being put to a vote in terms of this existing voting mechanism and this will be the 3rd, and quite possibly the last, vote under this particular framework. In a sense, it’s not surprising that Facebook has made the decision to remove this mechanism (although it is unfortunate given that Facebook has not made a substantive effort to publicise votes in the past). The 1st vote introduced this voting mechanism and the 2nd vote took place in June 2012. According to Ars Technica, both votes “had a turnout of well under one percent of Facebook’s user base”. Facebook only announced the votes on its blog and on its site governance page so that poor turnout was not unexpected. In addition, it’s probably fair to say that most users don’t take an interest in Facebook’s governance except where there is a flareup in the media.

Granted, Facebook’s threshold for the votes was fairly high when the mechanism was initially introduced and, with roughly 1,000,000,000 users, a 30% vote represents a substantial number of Facebook users taking an interest in the changes being voted on and voting in one or another direction. That said, the mechanism represented a degree of participation in Facebook’s governance which was, and remains, largely unprecedented on the Web. In its place, Facebook proposes a 7 day notice period for substantive changes to its governance frameworks although Facebook will not notify users of changes “for legal or administrative reasons, or to correct an inaccurate statement”. The “legal or administrative reasons” category is somewhat vague and it remains to be seen just what sorts of changes this includes.

Other changes to the Statement of Rights and Responsibilities include a clarification of the prohibition on using your personal timeline for your own commercial gain by qualifying that with an allowance for some commercial gain as long as your use is not “primarily” for your own commercial gain. Facebook requires you to use a Facebook Page for commercial use.

The proposed changes to the Statement of Rights and Responsibilities has prompted a hoax on Facebook where Facebook users are encouraged to publish certain notices including the following one:

In response to the new Facebook guidelines I hereby declare that my copyright is attached to all of my personal details, illustrations, comics, paintings, professional photos and videos, etc. (as a result of the Berner Convention). For commercial use of the above my written consent is needed at all times!

(Anyone reading this can copy this text and paste it on their Facebook Wall. This will place them under protection of copyright laws By the present communiqué, I notify Facebook that it is strictly forbidden to disclose, copy, distribute, disseminate, or take any other action against me on the basis of this profile and/or its contents. The aforementioned prohibited actions also apply to employees, students, agents and/or any staff under Facebook’s direction or control. The content of this profile is private and confidential information. The violation of my privacy is punished by law (UCC 1 1-308-308 1-103 and the Rome Statute).

Facebook is now an open capital entity. All members are recommended to publish a notice like this, or if you prefer, you may copy and paste this version. If you do not publish a statement at least once, you will be tacitly allowing the use of elements such as your photos as well as the information contained in your profile status updates

The proposed changes to not affect the licensing provisions in these terms and conditions and this notice which some Facebook users are publishing in the hopes that this will restrict how their content is used on Facebook will not have any impact on the licence which they have already granted to the service and which is recorded in the Statement of Rights and Responsibilities –

For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings : you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.

Changes to the Data Use Policy

Facebook’s Data Use Policy is a substantial document of 16 pages. It describes what personal information Facebook collect from its users and what it does with their personal information. It is a particularly important document which most users have probably not read and the proposed changes are interesting to say the least. In some respects, the changes clarify the existing wording and, in others, they will expand the range of uses that Facebook already has in respect of users’ personal information. Although the proposed changes don’t specifically refer to Instagram, the proposed changes reference Facebook’s affiliates and include the following addition:

We may share information we receive with businesses that are legally part of the same group of companies that Facebook is part of, or that become part of that group (often these companies are called affiliates). Likewise, our affiliates may share information with us as well. We and our affiliates may use shared information to help provide, understand, and improve our services and their own services.

The implications of this proposed change of that Facebook may make use of personal information which it collects through services like Instagram, which it owns, and make use of that personal information within the Facebook service itself.

Facebook also proposes removing a similar voting mechanism in the Data Used Policy and replacing it with a 7 day comment period and simple notice of changes being made to the Policy.

Generally speaking, the Data Used Policy highlights just how much personal information Facebook collects, how it collects all of that personal information and just how important it is that users take an active interest in the privacy controls which Facebook makes available to them in order to better control how much of their personal and profile information can be shared across the service. These proposed changes have inspired another preformatted status update which users are publishing in the timelines –

To all my FB family and friends: I want to stay PRIVATELY connected with you. However, with the recent changes in FB, the “public” can now see activities in ANY wall. This happens when our friend hits “like” or “comment” ~ automatically, their friends would see our posts too. Unfortunately, we cannot change this setting by ourselves because Facebook has configured it this way.

PLEASE place your mouse over my name above (DO NOT CLICK), a window will appear, now move the mouse on “FRIENDS” (also without clicking), then down to “Settings”, click here and a list will appear. REMOVE the CHECK on “COMMENTS & LIKE” and also “PHOTOS”. By doing this, my activity amongst my friends and family will no longer become public.

Now copy and paste this on your wall. Once I see this posted on your page I will do the same for you.

As with the bogus copyright notice which I mentioned above, this privacy notice has no impact on the permissions a user grants Facebook through the Data Use Policy. It also reveals an ignorance about how many of Facebook’s privacy controls actually work. This particular notice attempts to address one of the truisms about sharing information through Facebook. When you read the Data Use Policy one of the things that stands out is that a user’s ability to control personal information and updates shared on Facebook is hardly absolute. The only way to relatively effectively control which of your updates and personal information other users may see and share is to make judicious use of the privacy and sharing controls in your profile settings. One of the cautions Facebook includes in the Data Used Policy (and this is an addition to the Policy) is the following –

When you hide things on your timeline, like posts or connections, it means those things will not appear on your timeline. But, remember, anyone in the audience of those posts or who can see a connection may still see it elsewhere, like on someone else’s timeline or in search results.

The Policy also points out that information shared with 3rd party applications and services through Facebook is not automatically removed when you start making use of those applications or services and, further, even if you request those applications or services to remove your personal information, they may retain your personal information in order to comply with some or other compliance requirement of their own. The service also shares a considerable amount of your personal information with a variety of parties including other users and your Facebook friends for various reasons which are variations of “improvements” to your experience of the service.

The proposed changes to the Data Use Policy will not radically change the Facebook privacy model. It is fairly permissive and broad already. What it highlights is the cliche that if you are not paying for a service then you are the product. This has, however, almost always been the case with Facebook.