Privacy advocates' criticism over recent moves by Facebook and Google Buzz begs the question: Is privacy possible in a social network? And, if so, which social-network service does it the best?
To answer this question, this month I donned my privacy goggles and pored over the two social networks that my professional peers seem to use the most: Facebook and LinkedIn. I also asked all my Facebook friends and LinkedIn connections to tell me which they thought did privacy better. (I didn't look at Buzz because I admittedly don't know anyone using it.) What did I find out?
Privacy certification: A draw
One way to easily determine whether a Web site takes privacy seriously is to check for a privacy seal. In North America, the two worthwhile options are Truste and WebTrust, while the German-based EuroPriSe seal is a nascent arrival in Europe. With all of these trust marks, a Web site generally pays a fee to have its privacy practices independently certified.
As it turns out, both Facebook and LinkedIn have earned the Truste EU Safe Harbor seal. This means they both officially made Truste their arbiter for consumer disputes over European privacy compliance.
Indeed, both companies have self-certified to the EU-U.S. Safe Harbor agreement that the Department of Commerce administers and the Federal Trade Commission enforces. (You can find the Facebook certification here and the LinkedIn submission here.) By taking this step, both companies have committed themselves to adhering to seven European privacy principles. Moreover, the privacy officers putting their names on the Safe Harbor submissions have personally attested, under penalty of the federal False Statements Act, that their submission is truthful. I've clicked that False Statements button before, and I can tell you it causes you to make sure a strong privacy program is backing you up.
So far, the comparison on this point is a draw.
Privacy policy: A draw
One of the least viewed pages on a Web site, the privacy policy, is nonetheless the centerpiece of a company's privacy posture. When it comes to the policies of these two social networks, Facebook has an edge for its format and readability. The content of both policies get a B grade from me, however.
When you hit the Privacy link in the Facebook footer, you land on an attractively designed tutorial page. This "guide to privacy on Facebook" very clearly explains the concept of sharing profile information at three levels -- friends, friends of friends, and everyone -- and describes the rationale behind its recommended privacy settings. This section links to the full Facebook privacy policy, a 5,531-word thesis that mercifully reads at grade 11.7. Meanwhile, the LinkedIn privacy policy is a 6,250-word tome that reads at grade 14.8. This variance in length and readability makes sense, though, because the LinkedIn audience is generally older and more educated.
To their credit, both policies provide an above-average level of detail of the data they collect and how they use and disclose it. That said, they're both weak in three areas: data security, data access and e-mail retention.
On security, neither provides any level of detail behind the standard commitment to use SSL on payment pages and also use network firewalls. On data access, both fall short of offering to provide users a full account of the data stored and disclosed about them. On e-mail retention, I've always wondered whether the messages I send via Facebook and the InMails I send via LinkedIn are retained indefinitely, but neither policy sheds light on this question. One Facebook friend of mine, a privacy attorney, has forsworn sending any messages via LinkedIn until a delete button is added, a feature that LinkedIn reports is being rolled out now.
For its part, the LinkedIn policy makes a bolder statement about third-party disclosure, stating: "We do not sell, rent, or otherwise provide your personal identifiable information to any third parties for marketing purposes." You can't get much better than that.
Facebook, meanwhile, makes a much clearer commitment to delete user information, stating: "You may deactivate your account on your account settings page or delete your account on this help page" and "Removed and deleted information may persist in backup copies for up to 90 days, but will not be available to others."
All in all, still a draw.
Staff commitment to privacy: A draw
A good indicator of whether a Web site can back up the privacy promises it makes online is if it actually employs certified privacy professionals. The main source available to me for making this determination is the membership directory of the International Association of Privacy Professionals. While IAPP members certainly aren't the only privacy professionals, the IAPP is by far the largest privacy association and it also administers the Certified Information Privacy Professional (CIPP) designation.
How did the social networks stack up? Facebook listed seven people in the IAPP directory, of which six were CIPPs. LinkedIn, a smaller company than Facebook, listed just one. By comparison, four Google staff appeared in the directory along with a small army of 93 from Microsoft.
That said, when I made inquiries to both Facebook and LinkedIn about this article, LinkedIn got back to me right away and was very conversant about all of the topics I was delving into. Facebook never responded.
I was originally giving Facebook an edge on this one, but the non-response led me to call this one a draw, too.
Privacy settings: Advantage LinkedIn
My privacy peers who are over 40 have been known to lament that people under 30 have lost their sense of personal privacy and post just about anything to Facebook. There is some truth to this, but a big factor in this openness could be that young users are confident in the privacy settings available to them on social-network sites.
How do the privacy settings of Facebook and LinkedIn compare?
Facebook offers a far greater level of control over what information you show and to what audience. For each of 11 data categories, Facebook enables you to choose whether Friends, Friends of Friends, Everyone or a custom group could see that category. Facebook also allows you to choose which of 16 data categories from your profile can be grabbed by your friends' Facebook applications.
Facebook also puts its policy changes up for a vote. This is really amazing. I can't think of any other company that offers this level of user-privacy management.
LinkedIn offers this level of granularity only on which data categories are included on your public profile. One feature where LinkedIn excels over Facebook, however, is Profile Views, where you can easily check to see who has viewed your profile and how many times you've shown up in search results.
LinkedIn also allows you to keep others from browsing your connections. I really like this feature, because my connections are my own business. When Facebook changed its policy recently to make your friends public, I nearly closed my account. If I didn't provide privacy consulting for corporate fan sites, I'd be a LinkedIn-only user right now. While I was writing this article, Facebook also came out with a new default setting to share some of my data with third-party Facebook applications. Facebook seems to be constantly pushing the envelope on changes to default settings that are privacy unfriendly. This is why I give LinkedIn the first thumbs up of the comparison.
Responses from my friends and connections: Advantage LinkedIn
What did my friends and connections say about this comparison? Their unanimous vote was in favor of LinkedIn. "You can't compare the two," wrote one, who explained that they serve different purposes. Facebook is for sharing private information with friends, she elaborated, while LinkedIn is for sharing professional information with acquaintances. Others complained about Facebook's regular changes in privacy settings that force them to spend time figuring out what just changed and how to set it back to the privacy-friendly position.
Track record: Advantage LinkedIn
The last time I was in Silicon Valley, I decided to get a visual on where all my data was. I was amazed at how close together everything was situated. Just down the street from Google's Mountain View headquarters is LinkedIn. I couldn't have swung a dead cat around my head without hitting a Yahoo building. And within another half hour I'd been to Apple in Cupertino and Facebook in Palo Alto. According to LinkedIn's company search, employees routinely job hop among these companies.
Facebook and LinkedIn have followed similar trajectories. Founded in 2004, Facebook reportedly employs about 1,000 who serve over 400 million users. LinkedIn, launched in 2003, has roughly 500 employees serving a reported 60 million users.
In spite of their similar Bay area culture and business models, the companies have markedly different privacy track records. LinkedIn has not messed up on privacy. A search of Computerworld and Epic.org archives drew blanks on this topic.
The same can't be said for Facebook, which has suffered a string of policy gaffes and investigations by the U.S., Canadian and British governments. At a January 2010 conference in San Francisco, Facebook founder and CEO Mark Zuckerberg explained the company's approach, saying that changing Facebook's privacy policies and settings is a strategy to keep the company fresh as social norms for privacy evolve.
So, the final vote: three advantages for LinkedIn, and three ties. Everything considered, one of the best privacy innovations these two firms have offered has been the concept of granular privacy controls. Their future growth into emerging markets -- where people may be more cautious about their online privacy -- may depend on it.
Jay Cline is president of Minnesota Privacy Consultants. You can reach him at cwprivacy@computerworld.com.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.