Define privacy. If I tell my mother what my girlfriend's name is, that's not an invasion of privacy. If my friend tells Facebook what my phone number is, that's not an invasion if privacy either.
If I share my phone number with my friend, under the agreement that my friend will not share it with others, and he shares it with Facebook, then my friend has violated my privacy... not facebook.
> "... and he shares it with Facebook, then my friend has violated my privacy... not facebook."
I disagree. Your argument assumes that everyday people are aware of all the things going on with the multiple apps they install and the permissions they ask for. I'd argue that they're largely ignorant of what it means to grant something like Facebook access to your phone (contacts etc). This is because apps from companies like FB/Path/etc make it silky smooth to hand over ongoing access to such data sources and never think about it again.
People don't really understand how 'the machine' works and I'd argue that FB and it's ilk have learned how to exploit that to great effect.
You're right that if a friend shares personal information we would rather be kept generally private, our friend is responsible for the privacy breach. But the person they share with can also be guilty.
Using a binary distinction (private/non-private) for privacy is unhelpful; it is more complicated than that. Things can be semi-private. Privacy is, more than anything, a matter of expectation. This means, among other things, that it is a messy and complicated thing (which it is) because people have different expectations.
You seem to be working off a definition of privacy that is close to "can be accessed by someone else" where in common usage the word means quite a bit more than that.
For example, if I'm talking to a friend in a coffee shop and someone sits down with a mic to start recording us, most people would acknowledge that they are invading our privacy. Perhaps they are legally able to do so. Some people might mock me for trying to have a private conversation in a public place. That doesn't change the fact that if I caught someone trying to listen in, I would consider it a Jerk Thing to do. Not on the basis of legality or even on practicality but on the basis of social expectation. I do not intend to share the conversation with them, nor do I expect them to access it.
Security folks tend to say things like "Expectation isn't a real barrier. You don't have any right to expect people to voluntarily not access things that they physically can." But that's a naive perspective, because social expectation is a real thing and it makes human interactions work.
Now it is true that if we abandon expectation as a real constraint, we will plunge into a dark and cynical world where everything that is not nailed down is for the taking, without recourse. But what I don't get is why we would want to do that. There are some who would say we are in that world; I'm happy to disagree with them.
I'm very happy to stay in the world where other people in the coffee shop would look at the person with the recorder and brand them creepy, because they're snooping - they're trying to access information that (whether or not they can) they're not invited to. I'm happy to keep expectation as a real barrier.
So for example, if you tell your mother your girlfriend's name, it might be a breach of privacy, depending on whether or not she expects you to do so. Your mom might be her boss...
In this case, Facebook is definitely doing a Jerk Thing and violating privacy, because they're working out of sync with peoples expectations. They ask for information for a presumed purpose (to populate your Facebook account) and then use it for an additional secret one.
For instance, if I lent my physical address book to a friend for the purpose of sending out wedding invitations for me, and they made a copy of it so they could flog their pyramid business, you can bet that my friends would be mad, but they would also accept that I was betrayed and that the real privacy violation was on the part of someone who used information they had access to in a way that was not invited or expected.
The right language of what is happening here is that of betrayal and privacy violation.
I agree with you up to the point about Facebook violating privacy expectations. I've been a Facebook user for 4 or 5 years and have never felt they violated any expectation of what I set to be private.
The privacy "breach" in the article was a bug, not any sort of intentional exposure by Facebook.
I guess I don't understand what you think Facebook should be doing, instead? Do you think they have to specifically disclose every internal use of the information they collect prior to collecting it?
Actually the bug 'breach' in the article is not the breach I was thinking about. It's a bad breach but it's a separate issue to me.
For me the issue lies in how Facebook communicates. (Fair disclosure, it's been a long time since I signed up and what they say to get you to share your e-mail contacts may have changed). The relevant section of the article for me is this one:
"When someone “connects” to Facebook using their Gmail, Yahoo, Twitter, Outlook or whatever account, Facebook will ask for permission to access your contacts to “find your friends on Facebook”. While Facebook may actually be trying to find their friend’s profiles on Facebook, Facebook is also harvesting all of that contact data and using it to create “shadow profiles” based on name and email address information. Ouch… And before you ask if Facebook notifies anyone about this process, apparently this page which is ambiguous at best is an attempt." [the "this page" referenced in the quote is the one you linked]
Fair disclosure: my reference for what Facebook should be doing comes from my own subjective personal expectations. These are probably different from yours. Fair enough :-)
I'm happy to agree that FB doesn't violate your privacy expectations :-)
"I guess I don't understand what you think Facebook should be doing, instead? Do you think they have to specifically disclose every internal use of the information they collect prior to collecting it?"
This is a great question, because it's genuinely complicated, and there's no one word answer that will suffice. That's the messiness of relationship...
Every use? No. Every significant use? Yes. For me, secret accounts are significant. What is happening here is an uncomplicated bait and switch. They promise one thing (friend population) and deliver another (friend population + creepy secret dossiers). Facebook has every ability to set the tone of the conversation and yet they oh-so-conveniently forget to ask to use the data for something that is really a big deal. Hiding something major in a help page is a scummy deceptive trick, and if any of my flesh and blood friends conveniently neglected to mention something major in this way I would be mad at them, too.
What Facebook should be doing is this:
FB: Can I import your contacts to populate your friend list?
Me: Sure, that'd be great! Thanks FB!
FB: Cool! Have a nice day!
FIN.
Or even this:
FB: Can I import your contacts to populate your friend list?
Me: Sure, that'd be great! Thanks FB!
FB: Great! Now that that's finished, can I use the same contacts to create shadow accounts for your friends in case they ever want to join?
Me: Umm... where's the link to delete my account?
What I want FB to do is either to not make secret profiles, or at the very least to ask me before they do. Here's the kicker: if they were honest and up front (honestly, who reads the help file?) about what they were doing, I would have said "NO", and they know it. And they went ahead and did it anyway, without asking.
Now, I can abandon my expectations as naive and just expect FB to do every single dastardly Jerk Thing they can possibly get away with, but I don't want to live in a world that cynical. I think this is why we were all so joyous when Google came out with "Don't be evil" and all so devastated when they broke that promise. I'd rather fight a little (even if it's just griping on HN) to recover a world where Jerk Things get called out as Jerk Things rather than give up entirely.
Isn't the issue that people aren't really aware of how much they are sharing of their own or other peoples data and that UI doesn't really reenforce this.
It's normally considered somewhat rude to give another persons phone number out without a reasonable reason.
And you're going to be in for a shock if you ever decide to do some research and find out that you can request your name and number to not be listed in a phone book.
It's a relatively new idea, the modern expectation of 'privacy', and one that's completely out of touch with reality. It's only within the past hundred years that most people did not know everyone in their town - Even in cities, you probably shopped at a small set of stores and were known by name by the clerks. Technology has caught up, and now it's possible for shopkeeps to know your name again.
I'm still known by the clerks of the stores in my neighborhood. That's completely orthogonal to this.
The reason this type of discussion of privacy wasn't being had 30 years ago is because 99.9% of the things we did 30 years ago were private, outside of getting arrested as an adult and, eventually, drivers' license info. If I didn't want to be recognized while buying birth control or hemorrhoid medication, I would just have to go to a store that I didn't usually go to.
Technology has caught up, and now it's possible for shopkeeps to know your name again.
And people you don't even know from nowhere near where you live, and who definitely don't have your best interests at heart (remind me, why exactly is this data being collected?). Even with the "local" knowledge you espouse, I say privacy is necessary. Until society can put aside it's childish prejudices (say, against non-heteronormative sexuality), then privacy will be necessary. As many noted thinkers have seen fit to enshrine (eg, the US constitution).
This is somewhat different though, rather than having various small communities where everyone knows each others you have a handful of large companies who know everyone.
Google probably knows more about me than my local shopkeeper for example.
After Facebook scanned Jane's phonebook, and made the invites Jane asked, Facebook should have deleted your phone number.