Is Facebook facing up to privacy and security concerns?

Facebook is moving to rebuild users’ trust, say two of its top privacy and security officers

Facebook founder and CEO Mark Zuckerberg. The company is moving to improve its privacy and security policies. Photograph: Andreu Dalmau
Facebook founder and CEO Mark Zuckerberg. The company is moving to improve its privacy and security policies. Photograph: Andreu Dalmau

Facebook users' rising interest in security and privacy concerns in the past 18 months has prompted the company into a more public discussion of these issues.

Facebook has come under scrutiny for its privacy and security policies after document leaks by whistleblower Edward Snowden indicated the company allowed the US National Security Agency to access user data via its PRISM covert surveillance programme.

Facebook founder and chief executive Mark Zuckerberg has denied the company’s involvement. But in response, the company now releases a regular report noting the requests it receives for data from national governments.

Visiting Ireland last week, Facebook's global deputy chief privacy officer Stephen Deadman and Facebook's director of security Jennifer Henley outlined a number of initiatives on the privacy and security side that they say benefit both Facebook users and the wider security community.

READ MORE

“We feel we have a very robust front door policy for governments to demand information from us,” says Henley. “We heavily scrutinise every request that comes in.” The company complies with every valid request that comes in, she adds.

Deadman insists that Facebook is “a business that is basically built on trust. We know we have to maintain that trust.”

Facebook “think[s] of privacy as a product”.

Managing fallout

Deadman, who stepped into the top privacy role at the company in January, is no stranger to managing fallout from Snowden disclosures, having “helped get Vodafone through the Snowden revelations” as that company’s chief privacy officer before moving to Facebook, he says.

Facebook has privacy teams in its product, research and engineering divisions, he says. Those divisions see privacy “first and foremost as a design challenge” because unless users can easily understand privacy options and settings, they can’t make clear choices. Options need to be “as intuitive and simple as possible”, avoiding pop-up boxes or a need to go look at another page for information, he adds.

To this end, in recent months, Facebook has moved to make it easier for users to see who they are sharing information with. Rather than using icons alone to represent the audience for a given post to the site, users now are told who is in that audience. Facebook also more clearly spells out what audience can see a post if the post is re-shared by friends.

The site also now has a Privacy Checkup feature users can utilise in their personal settings – “basically, a health check for privacy” – and a “Privacy Shortcuts” option now appears at the top of the drop down security menu items.

The Facebook site performs rapid security checks on every object posted. Every time a user reloads their news feed, the site performs 2,500 object privacy checks to make sure the right audience sees the right objects.

That adds up to 70 billion global privacy checks a minute, and 80 trillion a day, Deadman says.

However, Deadman also noted that different Facebook user populations around the world have different views on privacy.

“Europe is the most sensitive when it comes to sharing [photos and information] and privacy” on Facebook, he said. “Europe tends to share less and keep the community with whom they share tighter.”

The same internal study also showed people in India were more concerned with identity theft and security issues, while Africans liked sharing data and expanding their communities, he said.

Regulatory environment

Users all over the word benefit from having the company operating in Ireland under European standards, says Deadman. Its Irish headquarters are now responsible for Facebook’s entire international user base outside of the US and Canada.

Facebook set up its operations in Ireland in part because it felt the regulatory environment here “was seen as a good, high standard” internationally, he says, making an indirect rebuttal to recent public criticisms that Ireland might have an underfunded, more lax regulatory environment.

Facebook's privacy and data handling policies, and the adequacy of the Safe Harbour data handling agreement between the US and EU – and Ireland's enforcement of it – are highly topical at the moment. All are key issues in a pending case before the European Court of Justice, between Austrian law graduate Max Schrems and the Irish Data Protection Commissioner's Office.

Security is also a critical area for a company that manages the data for over one and a half billion users every month, says Henley, who previously headed up security for eBay and PayPal.

The company has just released a Security Check feature, similar to the Privacy Check, which will let users run through their security settings on Facebook, she says. At present it’s only available in Germany, the US and India while they gather feedback, but should be rolled out globally by the end of the summer.

The service will help users to change passwords, learn how to protect their account, and explain what to do if they see suspicious activity.

Henley encourages Facebook users to use the option that alerts them when their account has been logged into from a different device. While it may be the same user on a different device, it might be someone trying to access their account surreptitiously.

She also would like to see more people using two-part authentication to access their account, another option in security settings. People opting for this setting get either a text or email with a short six-character code that is entered by the user to log in to their account. Such two-factor authentication is one of the best forms of security, she says.

People can also use a dropdown menu to quickly report suspicious or questionable content, and there’s also now an option for users to engage directly with the poster of content – for example, if someone posts an embarrassing photo of another person, who would like it removed.

But such options and controls “are only useful if people are using them”, hence the attempt to make such options better known to more users, she says.

On broader security issues, Henley says Facebook sees encryption as a critical part of its service and has recently expanded the ways in which users can make use of it.

Users can choose to use Facebook entirely within an encrypted environment, she says.

Encrypted email

Facebook now has an option for its users to include their public key – a long, random-number “key” that enables people to receive and send encoded messages via encrypted email – in their profiles.

Users can also opt to have Facebook send them emails, such as password resets, via encrypted email.

She says Facebook users can also choose to access, and then remain within, Facebook’s platform entirely through Tor, an anonymising, encrypted internet gateway utilised by many human rights activists.

Last October, Facebook introduced design changes to make it easier to use the service over Tor, she said.

Many companies have faced pressure from national governments, including those in the US and UK, to limit the use of encryption and anonymising internet services, and provide “back door” access for law enforcement, due to security concerns.

But companies have said that they are more vulnerable to hackers and terrorists if encryption is deliberately weakened.

Henley says a balance is needed.