Tuesday, May 18, 2010

What's it like to create a new Facebook account?

I've deleted my personal Facebook account, but since most of my friends still post on Facebook regularly, I wanted a way to keep up with what they're doing.  So I created an empty shell account with a disposable e-mail address that I can use to view what they post (at least until they ditch it as well).

What struck me during this process was just how privacy-invading Facebook's default settings have become.  I found myself thinking "What if my mother-in-law or some other non-net-savvy person was doing this?  Would they understand what was actually being shared?"  So, in this post I'll summarize what Facebook's sign-up process looks like to a new user, focusing on how privacy is presented.

To sign up, users are asked for their name, e-mail, sex, and birthday.  Pretty easy.

Facebook's signup page

After clicking "Sign Up", users are immediately asked to enter their e-mail address's password so that Facebook can import contacts1.  If they skip that, they're asked to upload a profile picture, and after that they're asked to find people by typing in their name.  Moving past these steps brings a user to their homepage for the first time, which displays a "Welcome to Facebook" page2.

Welcome Steps
Homepage of a new Facebook user.

This homepage has a list of steps on it; one presumes that Facebook is suggesting that users complete the steps in numerical order.  In the first step, Facebook again asks the user to enter their e-mail address's password.  The second step asks the user to fill out their profile information; clicking on the link brings up the user's basic profile information.

Profile editing 1: Personal information
Facebook's "Basic information" profile page; users are taken to this page when clicking on "Edit Profile"

On the first profile editing page the user is asked to enter their location, sexual orientation, what they're "looking for", political views, religious views, bio, and favorite quotes.  Nowhere on the page does it say that these items can all be left blank (except sex and birthday, which are not stated as being required).  Nowhere on the page does it clearly say that many of these items will be shared with everyone on the internet if they're entered. 

Colorful icons and links on the left side of the page take the user to the rest of their profile, where users are asked to enter a tremendous amount of other information (profile picture, relationships, likes and interests, educational history, and contact information).   

Profile editing 3: Family and relationships Profile editing 4: Likes and interests Profile editing 5: Education and work Profile editing 6: Contact information
The other profile information pages (click for larger versions).

Users are directed to their privacy settings only as a plain text link underneath all these other colorful links; my guess is that most new users would ignore that little link and happily enter all of the information requested (and the link only takes users to the start of the privacy settings area; it doesn't take them to the privacy guide described below).

Once the user is done filling out their profile, they presumably move on to steps three and four of the starter homepage: linking their account to a mobile phone, and finding even more friends.  Only if a user is dedicated enough to reach step five of the starter homepage does Facebook give prominent attention to their privacy pages.  The link in that step takes users to a privacy guide.

Facebook's privacy guide
An excerpt from Facebook's "A guide to privacy on Facebook".

Here Facebook explains what their privacy terms mean3.  This is the first time it's been clearly stated that information entered into a Facebook profile could be seen by everyone on the web, and this has only been explained after the user has been prompted to enter all of their profile information.  And the user still hasn't even seen what the actual privacy settings are (though they see a summary of them in the "recommended settings" portion of the guide). 

Heading over to the privacy settings, the user finds that not only do they have to navigate a maze of pages and setting terminology, but also that the default settings are extremely open. 

Privacy settings: Personal information
Default privacy settings: Personal information and posts

Privacy settings: Friends, tags, and connections page
Default privacy settings: Friends, tags, and connections

Privacy settings: Apps and website information sharing
Default privacy settings: What friends can share about you through applications and websites

Privacy settings: Contact informatin page  Privacy settings: instant personalization Privacy settings: Apps and websites pages Privacy settings: Search
Other default privacy settings pages (contact information, instant personalization, applications and websites, search settings)

Here we see that a tremendous amount of information (all a user's posts and pictures, friends, family, relationships, likes, interests, activities, location, education, sexual orientation, favorite quotes, and bio) is, by default, set to be available to everyone on the web.  And, of course, this information is also available to Facebook, its partner websites, and any Facebook applications for use as they wish (e.g., to target advertising to the user). 

A lot of other information (political views, birthday, pictures of you taken by other people, etc.) is available to "friends of friends" by default.  While the "friends of friends" setting may seem private, it's not really.  Given that the average Facebook user has 130 friends, this means that once a user's account matures, anything that is visible to "friends of friends" will, on average, be visible to around 16,900 people.  And among these 16,900 people are probably the ones the user cares the most about hiding information (like, say, sexual orientation, political views, or religion) from: coworkers, bosses, estranged friends, exes, family, nosy neighbors, etc. 

The default settings are even set so that search engines like Google can crawl the user's page, making anything the user sets to "everyone" functionally accessible to all people for a very long time, regardless of how the user changes their settings in the future.  Doing something as simple as unchecking the "Public Search Results" box to prevent this gets the user a nasty warning message, making it sound like they're going to make it impossible for people to find them:

Privacy settings: warning when unclicking the "search" box
Warning message gotten when unchecking the "Public Search Results" box.

Oh, and don't forget that hidden in the user's "Account Settings" tab is a little setting that makes much of the user's information fodder for Facebook to use in ads they serve to the user's friends:

My Account: ad settings
The "Facebook Ads" tab of the "Account settings" page.

While it is impressive that Facebook has such configurable privacy settings, it's clear that many of their users are confused.  For example, a recent Consumer Reports survey found that while 73% of Facebook users report that they only share information with their friends, only 42% of Facebook users report customizing their privacy settings (meaning that 31% of users think they're sharing only with friends, but are actually sharing more broadly; via Jill/txt).

Given the volume of personal information Facebook acquires, this is worlds apart from how it should be.  Users should be presented with succinctly summarized privacy information (including that their information may be visible to anyone on the web) before being asked to enter any information, and all users' information should be private by default, unless the user explicitly chooses otherwise4.

[Edited to add: And don't forget that it's not good enough for Facebook to ask for private information once.  If a user doesn't enter their information the first time, the user sees this big yellow message (including a mostly empty "progress" bar) asking them to enter more information when they visit their own profile.]

Facebook nagging new users to enter profile information
Facebook nags new users to enter profile information, even if they've intentionally left it blank.

1 Asking for a user's e-mail password seems incredibly invasive, as it gives Facebook the ability to read all of that user's e-mail. 

2 This welcome homepage stays as the user's default page until they add some friends, at which point it reverts to the  standard "news feed" homepage regular Facebook users are familiar with. 

3 When items are visible to "Friends", then only those people you directly add as friends can see the information.  When items are visible to "Friends of friends", anyone who's a friend of a person you've added as a friend can see your information.  When items are visible to "Everyone", then everyone on the web can see your information. 

4 And these settings shouldn't change every few months; in just the last year Facebook changed my privacy settings at least three times, each time exposing information that was previously not visible to others. 


Liz Ditz said...

Thanks for doing this. I haven't yet deleted my facebook account, but I think I will by the end of the month.

It's tough, though, because my children use it a lot for family communication.

Radagast said...

I hear you; deciding to delete my own account was a difficult decision too. So far I'm happy with creating an empty shell that I'll never post anything to, but I don't yet know how family and friends feel about it.

If you do decide to delete your account, this Facebook group (http://www.facebook.com/group.php?gid=16929680703) maintains a link to the Facebook help page that lets you actually delete your account (rather than just deactivating it).