Few Privacy Regulations Inhibit Facebook

Technology Review


Now that it's a public company, Facebook needs to significantly boost its revenues to bring them in line with shareholders' expectations. That means finding new uses for the endless amounts of personal data the company collects from its users—but this prospect concerns privacy advocates, who say Facebook has outgrown existing privacy laws. Although regulators around the globe are increasing their scrutiny of Facebook, it might be years before they catch up.

Some legal scholars believe that Facebook should be subject to specific consumer protection regulations. As the largest social network, it faces little competitive pressure, and people have few options if they don't like how the company handles their information. Chris Hoofnagle, a scholar at the University of California, Berkeley, who studies the economics of privacy, says situations similarly stacked against the public have caused lawmakers to intervene in the past. Credit card providers, for example, must now make sure that all product literature spells out exactly which fees and debts a person will become liable for. Hoofnagle says Facebook could eventually be subject to similar rules, requiring it to notify users about the income it derives from their data and whether any of that data has been transferred to other companies.

Given how rapidly Facebook has reeled in new users, it seems people are not very concerned about protecting their privacy on the site. But they should be, says Alessandro Acquisti, a researcher at Carnegie Mellon University. He worries about not only what Facebook can do with personal information now, but what could be inferred from such data a few years down the road. For instance, in 2009 he showed that Social Security numbers can be guessed using public data, some of it from social networks.

Acquisti is particularly concerned that Facebook could combine external data with what it already knows about its users—a step that would be invisible to users. One potential solution, he says, would be to encrypt personal data in a way that prevents a social or ad network from identifying a person but still allows targeting of advertisements. However, such technology is still not fully developed and would also limit what can be done with a data storehouse, so legislation to require its use is unlikely anytime soon. 6/13/2012