Facebook is often criticized over privacy. Just think of the launch of Beacon.

But listening to CTO Bret Taylor defend the company's privacy practices yesterday at a hearing before the U.S. Senate Committee on Commerce, Science, and Transportation, it's hard to fault the company's technology. Facebook is in many ways at the cutting edge of Internet security and privacy--and it has to be considering the large quantity of personal information that it stores.

Facebook's privacy woes have not been caused by technical bungling. It's hard to imagine, for example, the company suffering the sort of ongoing technical humiliation that Sony has recently experienced. Facebook's record so far has been much better than that. Rather, it's Facebook's tendency to suddenly change the rules that have landed it in hot water.

Taylor's discussion of how Facebook handles user privacy was thoughtful and impressive. "People will stop using Facebook if they lose trust in their services," he said, a line we also heard from Google in last week's hearing. He went on to outline the ways that Facebook allows users to control what happens to their data, in particular the fine-grained privacy controls that allow users to select who can see their posts. Users can set different policies for photos, status updates, and other kinds of content, and can even set special privacy policies for specific posts.

"We cannot satisfy people's privacy expectations by creating a one size fits all approach," Taylor argued.

Taylor highlighted that the company has worked with partners on new authentication technologies that allow users to share information with third parties safely, and noted, "We are one of the few Internet companies to extend our privacy controls to our mobile interfaces."

He added that the company also offers different default settings for minors, and is currently testing a new, more transparent privacy policy for all users.

What Taylor didn't talk about is Facebook's habit of changing its default privacy settings without giving users much notice. The last time this happened, for example, users logged into Facebook and were confronted with a long description of changes to how their would be shared. Few have the patience to sit down, understand the changes, and fix them.

This is where the company keeps going wrong. And no matter how sophisticated or thoughtful its privacy and security technology, Facebook can't fix its problems until it gets the human factor right.

Both Facebook and Google have had their share of embarrassing privacy blunders. Facebook had Beacon, and Google had Buzz. But the most recent privacy scandal to make headlines—surrounding a Gmail feature called Social Circles that pulls in data from users' friend connections—has become a scandal about botched PR. Facebook, apparently gunning for Google in an area where it doesn't look so hot itself, reportedly hired PR firm Burson-Marsteller to do its dirty work.

The effort failed when privacy blogger Christopher Soghoian publicly posted the sleazy e-mail pitch he received. In part, the pitch read:

Google is at it again - and this time they are not only violating the personal privacy rights of millions of Americans, they are also infringing on the privacy rules and rights of hundreds of companies ranging from Yelp to Facebook and Twitter to LinkedIn in what appears to be a first in web history: Google is collecting, storing and mining millions of people's personal information from a number of different online services and sharing it without the knowledge, consent or control of the people involved.

In an interview with Ben Popper at BetaBeat, Soghoian said that Google's Social Circle is far from his main privacy worry:

I'm a fairly outspoken privacy advocate and there are many things Google does that are really bad on privacy, but this isn't the thing that is keeping me up at night. It's something that I had never really worried about.

Soghoian told Popper that companies have recently realized that raising privacy issues is a way to score points against competitors. He continued:

The difference is Microsoft can do it publicly, because they don't have their own privacy problems. Facebook is no better than Google on these issues, so to make these attacks they have to hide behind these PR companies. If they tried it in public, under their own name, people would laugh in their faces.

Soghoian suggested that USA Today, which was the first news outlet to break the story, narrowly escaped being duped itself. The suggestion is plausible. The article, which leads with information about Burson-Marsteller, shifts to descriptions of users expressing shock about Social Circles:

Dion Moses, 25, a computer engineer in Ridgecrest, Calif., also wants out of Social Circle. "This is shocking," Moses says. "I had no idea that Google was doing this, and I pay close attention to most technology news sites."

The only way to disable Social Circle, [Google spokesman] Gaither says, is to stop using Gmail.

I'm not particularly shocked by revelations of the smear campaign, though the details are certainly fascinating. As The Register's Andrew Orlowski writes sarcastically:

Newspaper readers will be appalled to discover that a blushing, innocent maiden in Silicon Valley has had her reputation besmirched by wicked rival. Facebook's PR agency attempted to spin a blogger to write an unfavourable story about rival Google.

What's most important is that this story illustrates what a mess privacy is. Social Circles might indeed be something to worry about—if it weren't a minor infraction compared to the sorts of things that are happening all the time. Companies have access to huge amounts of users' personal data, and don't have to deal with much oversight about what they do with it.

Social-media researcher Danah Boyd summed the situation up well in a piece for TR last year:

Privacy is not simply about controlling access. It's about understanding a social context, having a sense of how our information is passed around by others, and sharing accordingly. As social media mature, we must rethink how we encode privacy into our systems.

Facebook has built up a formidable store of data on its five hundred million users, including billions of status updates, comments, photos and videos. Now the company is setting that data free, by allowing users to download a file that contains all of the information they've uploaded to the site. This change shows that the company is responding to the complaints of advocates concerned about how Facebook handles the data it collects. But it could also make easier for a new social network to get started.

This change was one of several announcements made yesterday to address common complaints about Facebook. Privacy advocates have criticized Facebook for making it difficult for users to retrieve their data, for how the company shares data with third parties, and for making it difficult for users to close an account. The company has also come under fire for making changes without fully educating users about what those changes mean, and for lacking ways for users to control who sees the information they post.

Facebook also announced changes to the way groups work on the site, which should make it easier for users to post information intended for certain people. When a user posts information and wants to restrict it to a group, Facebook's algorithms will guess at who should be in the group--partly drawn from groups that have been created by others--but the user has control over who to select. Facebook also launched a dashboard that lets users see what information third-party applications are using, and when those applications last requested data.

Letting users download all their data could be the most important change, and it could have unintended consequences. A new social network--such as a the one Google is rumored to be building--could use that data, with users' permission, to automatically add information to new users' profiles.

It may seem strange for Facebook to open up one of its most valuable resources this way, but the company is obviously working hard to repair its image. And other companies already offer similar services, for example Google's Data Liberation Front.