Facebook Faces Congressional Privacy Interrogation

When Facebook in January announced plans to enable developers, with permission, to access users' addresses and phone numbers, the company took it on the chin. Facebook users, perhaps recalling revelations late last year that Facebook user ID numbers were being shared by third-party applications, complained and the company backtracked, stating that it agreed with some of the concerns raised and that it would delay access until some changes have been made.

The incident got the attention of two members of Congress, Edward Markey (D-Mass) and Joe Barton (R-Texas), co-chairmen of the House Bi-Partisan Privacy Caucus. On Wednesday, the two U.S. Representatives sent a letter to Facebook CEO Mark Zuckerberg seeking answers about the company's plans.

"Facebook needs to protect the personal information of its users to ensure that Facebook doesn’t become Phonebook," said Rep. Markey, in a statement. "That's why I am requesting responses to these questions to better understand Facebook's practices regarding possible access to users’ personal information by third parties. This is sensitive data and needs to be protected."

Markey's worst case scenario -- that Facebook could become Phonebook -- is an odd one. Phone numbers and addresses are already widely available through phone books, not to mention on the Internet, for better or worse. Information that's far more sensitive is also readily available to Facebook developers, with user permission, through the Facebook Graph API. From consenting users, Facebook API queries can access a user's Facebook ID number, first and last name, Facebook profile URL, "About" blurb, birthday, work history, education, e-mail, Web site URL, hometown, location, biography, favorite quotes, gender, interests, significant other (if any), religion, politics, friends' names, and a few other factoids.

Facebook for its part is stressing that users themselves are the ones authorizing the release of this information.

"As an innovative company that is responsive to its users, we believe there is tremendous value in giving people the freedom and control to take information they put on Facebook with them to other Web sites," the company said in an e-mailed statement. "We enable people to share this information only after they explicitly authorize individual applications to access it. This system of user permissions was designed in collaboration with a number of privacy experts. Following the rollout of this new feature, we heard some feedback and agree that there may be additional improvements we could make. Great people at the company are working on that and we look forward to sharing their progress soon."

What Markey and Barton should have questioned -- but didn't -- is the extent to which seemingly innocuous information, made accessible with permission, can be used to construct a cookie-like tracking mechanism that spans the Web. Cookies, the source of much privacy angst, are simply identification numbers. And a few Facebook data points -- say, name plus location plus birthday -- can serve as a unique identifier just as easily as a long string of numbers.

They should also have delved into whether data permission requests from Facebook, not to mention other Web sites, truly meet the standard of informed consent.

Chances are the bulk of the data made available through Facebook flows from misinformed consent: Most users don't understand, or just don't care about, the ramifications of clicking "I Agree," whether for software licenses or data sharing notifications.

The question that should be asked is whether regulation is necessary to protect Internet users from themselves.