Here’s a kōan for the information age: Why do so many privacy activists have Facebook pages?
Originally conceived as a place for Harvard undergraduates to post their photos and cell-phone numbers–information that Harvard, because of privacy concerns, wasn’t putting online back in 2003–Facebook has grown to be the fourth-most-popular “website” in the world, according to the Web services firm Alexa. But Facebook is really a collection of applications powered by private information: a smart address book that friends and business contacts update themselves; a (mostly) spam-free messaging system; a photo-sharing site. And on Facebook, developers write seamlessly integrated applications.
These applications are troubling from a privacy perspective. Say you want to complete one of those cool Facebook surveys. Click a button and you’ll be taken to a page with the headline “Allow Access?” Then you’ll be told that using the application allows it to “pull your profile information, photos, your friends’ info, and other content that it requires to work.” How much information? There’s no way to be sure, really–perhaps everything you’ve put into Facebook.
The roughly one in five Internet users who spend an average of 25 minutes each day on Facebook implicitly face a question every time they type into a Facebook page: Do they trust the site’s security and privacy controls? The answer is inevitably yes.
That’s the reason privacy activists are on Facebook: it’s where the action is. It’s easy to imagine a future where most personal messaging is done on such platforms. Activists and organizations that refuse to take part might find themselves irrelevant.
It was in a similar context that Scott McNealy, then CEO of Sun Microsystems, famously said, “You have zero privacy anyway. Get over it.” In January 1999, McNealy was trying to promote a new technology for distributed computing that Sun had cooked up–an early version of what we might call “cloud computing” today–and reporters were pestering him about how the system would protect privacy. Four and a half years later, he told the San Francisco Chronicle, “The point I was making was someone already has your medical records. Someone has my dental records. Someone has my financial records. Someone knows just about everything about me.”
Today it’s not just medical and financial records that are stored on remote servers–it’s everything. Consider e-mail. If you download it from Post Office Protocol (POP) accounts, as most Internet users still did in 1999, the mail is copied to your computer and then deleted from your ISP’s servers. These days, however, most people use Web mail or the Internet Message Access Protocol (IMAP), which leaves a copy on the server until it is explicitly deleted. Most people don’t know where that server is–it’s just somewhere “in the cloud” of the Internet. [Editor’s note: see our Briefing on cloud computing.]
Services like Facebook, Gmail, and Google Docs are becoming wildly popular because they give users the freedom to access their data from home and from work without having to carry it back and forth. But leaving your data on some organization’s servers creates all sorts of opportunities for mishap. The organization might have a bad employee who siphons out data for personal profit. Cyberthieves might break into its servers and try to steal lots of people’s data at the same time. Or a hacker might specifically target yourdata and contact the organization, claiming to be you. All these are security threats–security threats that become privacy threats because it’s your data.