Facebook recently launched their new Facebook Connect API, which extends some impressive Facebook functionality into websites who opt to use the Facebook Connect system. Websites that implement Facebook Connect will be able to offer their users an easy way of connecting to their Facebook friends from Facebook Connected website, and actions the user takes on the third-party website can be published to the user’s Facebook newsfeed.
Essentially, Facebook Connect allows entire websites to work with the Facebook API, as if they were standalone Facebook applications.
Some industry bloggers feel that using Facebook Connect on blog sites will bring more authenticity to the web, as blog owners and fellow blog commenters will be able to see the actual identity of the person writing the comment, as opposed to the sometimes enigmatic nicknames that blog commenters have chosen to use in the past. I have mixed feelings.
To give you a simple example, Joe run a site called Joe’s Widget Community, where registered website members who are interested in making widgets can read and comment on blog posts about widgets and add their favorite widgets to their Widget Community profile.
If Joe implements Facebook Connect on his website, the following is possible:
- New users with Facebook accounts don’t have to register on Joe’s Widget website – they can single-click login using the Facebook Connect system.
- When users post, their real name is displayed next to their blog comments, since the blog system is using Facebook Connect.
- When users add a new widget to their Widget Community profile, they can allow a newsfeed to be posted to their Facebook account announcing the action
- Users can instantly connect to their Facebook friends from Joe’s Widget Community website, allowing them to easily invite their Facebook friends to participate in the site in the same way user’s invite friends through Facebook applications
While I am definitely looking forward to implementing Facebook Connect on some of my websites, and can see some fantastic places where it would be appropriate, I can also see some fairly significant privacy issues here.
Industry website Inside Facebook, one of the first 50 websites to implement Facebook Connect for their blog commenting system, recently posted an article claiming that Facebook Connect will make the web more “authentic”. What exactly does that mean? According to Inside Facebook blogger Justin Smith:
In the few days since Facebook Connect launched, we’ve noticed something: blog commenting is becoming more authentic. The presence of trusted Facebook identity is creating a context for more meaningful conversation on the web.
For example, when Facebook Connect launched on Inside Facebook, Mark Zuckerberg, several people at Facebook, and dozens of people in the industry commented on Inside Facebook for the first time. Why? Because for the first time, Facebook Connect has enabled real identity on the web. In other words, everyone knows who’s actually talking.
At face value, what Justin is saying isn’t wrong. Exposing the real identities of people who comment on blogs would very likely lead to more accountability and a better signal-to-noise ratio. But at what cost?
In August 2008, Facebook made some pretty radical changes to improve privacy controls for their users. Third-party applications could no longer automatically add application boxes to the user’s profile, but instead must be manually added by the user. Application developers were given new ways to ask the user for permission for just about every one of the social actions they can take, including (and perhaps especially) sending newsfeeds to the user’s profile. Where an application would have just automatically added a newsfeed item when a user took an action within the application, they are now told to ask permission first. A “Would you like to publish this story to your newsfeed?” prompt is given for just about every user-initiated action that will generate any notification or newsfeed item.
In short, just about everything an application does now requires the user’s implicit, not implied, consent. This is a Good ThingTM, as it puts full control over what the rest of the world can see or not see about the actions the user is taking. As social networks like Facebook continue to make the world a smaller and smaller place, and continue to make it exponentially easier to find information on people, privacy becomes an increasingly important issue to address.
With Facebook’s Aug 2008 changes, they actually do a pretty good job of letting the user decide who can see what about them. Users can split their friends up into custom groups, and only allow specific groups access to more personal features like photos and video (after all, do you really want your boss to see the photos of you at the strip joint?), and so on. But I’m not seeing this level of control over Facebook Connect implementations, and part of that is because the level of privacy is currently controlled by the developer of the Connected website, not the Facebook user.
Blogs that force me to register for the site before I can comment are aggravating, but I will still sometimes register if I feel what I say is relevant to the topic. Not having the option to comment anonymously is even less attractive to me than being forced to register for a new site.
I am not a troll, scammer or spammer – but my privacy is important to me. Associating every action you take online with your real identity is problematic even for people who are less concerned about their privacy. Certainly, the most obvious concern relates to people’s personal safety. It’s already reasonably easy to find out information on most people online, especially if the person is not ‘net savvy enough to take extra steps to make that information harder to find. Stalkers don’t need any more help.
But there are less obvious issues here, too. I run a non-profit organization, and because my name is associated with that organization, anything I say online could easily come back and bite my organization in the ass. I make the deliberate effort to distance my personal projects and thoughts from the organization’s projects and positions, because I don’t want my smartass remarks, my personal opinions, or my comments that have been taken out of context to give any more fodder to the fringe-dwellers that would seek to tarnish a flawless reputation. Putting distance between my personal, professional and philanthropic affairs is critical to the organization, my career, my personal safety and my ability to use and enjoy the internet for fun.
Another real-life scenario: Say I work for a marketing agency or other B2B market. Unrelated to that, I have a bad experience with an online travel site. The tickets they sold me were wrong, they overcharged me, whatever. I’m pissed, and I let them know in no uncertain terms exactly how pissed I am, by way of their discussion forums. I don’t violate any of their terms of service, but I give them a piece of my mind as any angry customer would. Since the travel site is using Facebook Connect, the entire company (and all of the users) can see exactly who I am, even where I work, if I didn’t lock down the privacy on my profile. Six months later, my company is trying to pitch the travel site as a potential client, and all of a sudden there is a moment of awkward silence in that pitch meeting as they realize that one of the employees (me) of the company pitching them is the very same person who reamed them out six months prior. And thanks to Facebook Connect displaying my profile picture, they even know what I look like, so there’s no getting out of it. Needless to say, my company doesn’t get the contract. So my perfectly acceptable expression of unhappiness over the customer service I received has now cost my company half a million dollars – and my company wasn’t even aware there were potential problems.
Something else to consider… the blog comment model reached a sort of unofficial standard over the years. The user fills out a few form fields to post a comment – usually display name, e-mail and website url, in addition to the space to add the actual comment. One thing that I find both enjoyable and productive when reading blogs is visiting the websites of commenters that have something good to say. If I read a compelling comment, I’m very likely to click on that person’s website url if one is given. I want to learn more about that person for whatever reason – and likewise I’ve ended up with people visiting my site because of comments I’ve posted on other sites. In the Facebook Connect model, my name and photo link only to my Facebook profile – and if I’ve got my privacy controls locked down, you’ll have to friend me (and I’ll have to accept your friend request) before you can see *anything* about me, including my website url. I don’t know about you, but I don’t really *want* a hundred new friend requests in Facebook every week just so people can check out my website.
Also, some people, like myself, have had their online “aliases” for quite some time. I am more well known in the PHP/web development community as “snipe” than I am by my real name, even after writing two books under my real name. at the risk of using nauseating marketing-lingo, its a sort of brand that I have worked hard on, and frankly, I don’t want to lose the ability to keep that branding.
Ultimately, the only solution available right now is for the developers of the websites using Facebook Connect to carefully plan their system to offer me the ability to protect my privacy. They should be sure to offer the ability for people to comment anonymously, not display my photo, not show my photo in the “recently visited” listed, not link directly to my Facebook profile, perhaps only display my first name and last initial, etc. But really, Facebook has taken an aggressive stance on putting control back into the user’s hands, so it just doesn’t make sense to put that onus on the website developers. If you yourself are not concerned with privacy, you are less likely to consider privacy issues in your website planning. These controls should be provided by Facebook, so that through a coding error or even nefarious intent, my privacy wishes cannot be overriden for ANY reason.
Facebook cannot kill the anonymity of the web – anonymity is what made the web succeed. What I anticipate happening, as Facebook Connect grows (assuming Facebook doesn’t put more control in the hands of the users) is that people who wish to remain anonymous for nefarious reasons (trolling, scamming, spamming, whatever) will continue to do so, by way of creating multiple bogus Facebook accounts, while legitimate users who simply wish to keep their name off the Google radar will simply stop talking. Or a middle-ground, legitimate users will start altering their Facebook profiles to conceal more information about themselves, which is counter to what Facebook is trying to accomplish. Either way, the end result is *not* more authentic. Perhaps while Facebook Connect is new and shiny, people will be excited and unworried about the implications of their actions, but as soon as it bites a few people in the ass, you can bet that attitude will change unless Facebook implements user-based privacy controls.
