[scotttobejoking]

You're right that if a friend shares personal information we would rather be kept generally private, our friend is responsible for the privacy breach. But the person they share with can also be guilty.

Using a binary distinction (private/non-private) for privacy is unhelpful; it is more complicated than that. Things can be semi-private. Privacy is, more than anything, a matter of expectation. This means, among other things, that it is a messy and complicated thing (which it is) because people have different expectations.

You seem to be working off a definition of privacy that is close to "can be accessed by someone else" where in common usage the word means quite a bit more than that.

For example, if I'm talking to a friend in a coffee shop and someone sits down with a mic to start recording us, most people would acknowledge that they are invading our privacy. Perhaps they are legally able to do so. Some people might mock me for trying to have a private conversation in a public place. That doesn't change the fact that if I caught someone trying to listen in, I would consider it a Jerk Thing to do. Not on the basis of legality or even on practicality but on the basis of social expectation. I do not intend to share the conversation with them, nor do I expect them to access it.

Security folks tend to say things like "Expectation isn't a real barrier. You don't have any right to expect people to voluntarily not access things that they physically can." But that's a naive perspective, because social expectation is a real thing and it makes human interactions work.

Now it is true that if we abandon expectation as a real constraint, we will plunge into a dark and cynical world where everything that is not nailed down is for the taking, without recourse. But what I don't get is why we would want to do that. There are some who would say we are in that world; I'm happy to disagree with them.

I'm very happy to stay in the world where other people in the coffee shop would look at the person with the recorder and brand them creepy, because they're snooping - they're trying to access information that (whether or not they can) they're not invited to. I'm happy to keep expectation as a real barrier.

So for example, if you tell your mother your girlfriend's name, it might be a breach of privacy, depending on whether or not she expects you to do so. Your mom might be her boss...

In this case, Facebook is definitely doing a Jerk Thing and violating privacy, because they're working out of sync with peoples expectations. They ask for information for a presumed purpose (to populate your Facebook account) and then use it for an additional secret one.

For instance, if I lent my physical address book to a friend for the purpose of sending out wedding invitations for me, and they made a copy of it so they could flog their pyramid business, you can bet that my friends would be mad, but they would also accept that I was betrayed and that the real privacy violation was on the part of someone who used information they had access to in a way that was not invited or expected.

The right language of what is happening here is that of betrayal and privacy violation.

[dreamdu5t]

I agree with you up to the point about Facebook violating privacy expectations. I've been a Facebook user for 4 or 5 years and have never felt they violated any expectation of what I set to be private.

The privacy "breach" in the article was a bug, not any sort of intentional exposure by Facebook.

Facebook even addresses specifically what they do with emails collected: https://www.facebook.com/help/241275309301947/

I guess I don't understand what you think Facebook should be doing, instead? Do you think they have to specifically disclose every internal use of the information they collect prior to collecting it?

[scotttobejoking]

Actually the bug 'breach' in the article is not the breach I was thinking about. It's a bad breach but it's a separate issue to me.

For me the issue lies in how Facebook communicates. (Fair disclosure, it's been a long time since I signed up and what they say to get you to share your e-mail contacts may have changed). The relevant section of the article for me is this one:

"When someone “connects” to Facebook using their Gmail, Yahoo, Twitter, Outlook or whatever account, Facebook will ask for permission to access your contacts to “find your friends on Facebook”. While Facebook may actually be trying to find their friend’s profiles on Facebook, Facebook is also harvesting all of that contact data and using it to create “shadow profiles” based on name and email address information. Ouch… And before you ask if Facebook notifies anyone about this process, apparently this page which is ambiguous at best is an attempt." [the "this page" referenced in the quote is the one you linked]

Fair disclosure: my reference for what Facebook should be doing comes from my own subjective personal expectations. These are probably different from yours. Fair enough :-)

I'm happy to agree that FB doesn't violate your privacy expectations :-)

"I guess I don't understand what you think Facebook should be doing, instead? Do you think they have to specifically disclose every internal use of the information they collect prior to collecting it?"

This is a great question, because it's genuinely complicated, and there's no one word answer that will suffice. That's the messiness of relationship...

Every use? No. Every significant use? Yes. For me, secret accounts are significant. What is happening here is an uncomplicated bait and switch. They promise one thing (friend population) and deliver another (friend population + creepy secret dossiers). Facebook has every ability to set the tone of the conversation and yet they oh-so-conveniently forget to ask to use the data for something that is really a big deal. Hiding something major in a help page is a scummy deceptive trick, and if any of my flesh and blood friends conveniently neglected to mention something major in this way I would be mad at them, too.

What Facebook should be doing is this:

FB: Can I import your contacts to populate your friend list?

Me: Sure, that'd be great! Thanks FB!

FB: Cool! Have a nice day!

FIN.

Or even this:

FB: Can I import your contacts to populate your friend list?

Me: Sure, that'd be great! Thanks FB!

FB: Great! Now that that's finished, can I use the same contacts to create shadow accounts for your friends in case they ever want to join?

Me: Umm... where's the link to delete my account?

What I want FB to do is either to not make secret profiles, or at the very least to ask me before they do. Here's the kicker: if they were honest and up front (honestly, who reads the help file?) about what they were doing, I would have said "NO", and they know it. And they went ahead and did it anyway, without asking.

Now, I can abandon my expectations as naive and just expect FB to do every single dastardly Jerk Thing they can possibly get away with, but I don't want to live in a world that cynical. I think this is why we were all so joyous when Google came out with "Don't be evil" and all so devastated when they broke that promise. I'd rather fight a little (even if it's just griping on HN) to recover a world where Jerk Things get called out as Jerk Things rather than give up entirely.

(edit) spacing on dialogue