April 24, 2014


Lessons from Facebook's Beacon Misstep

Facebook recently beat a humiliating retreat from Beacon, its new system for peer-based advertising, in the face of users’ outrage about the system’s privacy implications. (When you bought or browsed products on certain third-party sites, Beacon would show your Facebook friends what you had done.)

Beacon was a clever use of technology and might have brought Facebook significant ad revenue, but it seemed a pretty obvious nonstarter from users’ point of view. Trying to deploy it, especially without a strong opt-out capability, was a mistake. On the theory that mistakes are often instructive, let’s take a few minutes to work through possible lessons from the Beacon incident.

To start, note that this wasn’t a privacy accident, where user data is leaked because of a bug, procedural breakdown, or treacherous employee. Facebook knew exactly what it was doing, and thought it was making a good business decision. Facebook obviously didn’t foresee their users’ response to Beacon. Though the money – not to mention the chance to demonstrate business model innovation – must have been a powerful enticement, the decision to proceed with Beacon could only have made sense if the company thought a strong user backlash was unlikely.

Organizations often have trouble predicting what will cause privacy outrage. The classic example is the U.S. government’s now-infamous Total Information Awareness program. TIA’s advocates in the government were honestly surprised when the program’s revelation caused a public furor. This wasn’t just public posturing. I still remember a private conversation I had with a TIA official who ridiculed my suggestion that the program might turn out to be controversial. This blindness contributed to the program’s counterproductive branding such as the creepy all-seeing-eye logo. Facebook’s error was similar, though of much smaller magnitude.

Of course, privacy is not the only area where organizations misjudge their clients’ preferences. But there does seem to be something about privacy that makes these sorts of errors more common.

What makes privacy different? I’m not entirely certain, but since I owe you at least a strawman answer, let me suggest some possibilities.

(1) Overlawyerization: Organizations see privacy as a legal compliance problem. They’re happy as long as what they’re doing doesn’t break the law; so they do something that is lawful but foolish.

(2) Institutional structure: Privacy is spun off to a special office or officer so the rest of the organization doesn’t have to worry about it; and the privacy office doesn’t have the power to head off mistakes.

(3) Treating privacy as only a PR problem: Rather than asking whether its practices are really acceptable to clients, the organization does what it wants and then tries to sell its actions to clients. The strategy works, until angry clients seize control of the conversation.

(4) Undervaluing emotional factors: The organization sees a potential privacy backlash as “only” an emotional response, which must take a backseat to more important business factors. But clients might be angry for a reason; and in any case they will act on their anger.

(5) Irrational desire for control: Decisionmakers like to feel that they’re in control of client interactions. Sometimes they insist on control even when it would be rational to follow the client’s lead. Where privacy is concerned, they want to decide what clients should want, rather than listening to what clients actually do want.

Perhaps the underlying cause is the complex and subtle nature of privacy. We agree that privacy matters, but we don’t all agree on its contours. It’s hard to offer precise rules for recognizing a privacy problem, but we know one when we see it. Or at least we know it after we’ve seen it.

Comments

  1. Xcott Craver says:

    “Institutional structure: Privacy is spun off to a special office or officer so the rest of the organization doesn’t have to worry about it; and the privacy office doesn’t have the power to head off mistakes.”

    Alas, this is often true for security in general. It is one feature of many, and some compartmentalized group, if not a single developer, is put in charge of looking into it before a product ships.

    It’s hard to believe that 10 years ago even OS vendors had a widespread attitude that security was this minor thing that could be slapped on later if some paranoid consumers really wanted it for some obscure reason.

  2. Michael Ash says:

    I think this happens in part because privacy is asymmetrical. It is rare for the violator to really appreciate the effect he has on the victim. Picture listening in on someone’s phone conversation, a harmless prank, versus the outrage you would experience if you discovered someone were listening in on yours. This then causes these companies to overestimate the benefits of their service as compared to the privacy violation, so they go forward with something that people don’t think is worth it, and are then shocked when people get upset.

    Another problem is that people have a tough time understanding that privacy is not a binary property. They reason that, since this data is already being tracked and recorded and monitored, there’s no difference if it’s tracked and recorded and monitored more. This is false, but it can be tough to explain why, and tough for people to grasp.

    I have been following the Facebook controversy only distantly but it seems to me to be a very similar experience to what has been happening with IRSeeK.com, an IRC search engine which has been secretly logging public chat channels for months and making them publicly searchable. In both cases, the companies in question implemented what they thought was a valuable service. They both downplayed the privacy aspects of what they were doing and, at least IRSeeK has used the excuse that this information was already recordable anyway so what they were doing was really no different. And, predictably, they were both caught by surprise when there was a great outcry about what they were doing.

  3. Steve R. says:

    I have been grappling with what “privacy” means for a while now. I don’t have much expectation of privacy. Nevertheless, I resent the constant barrage of advertising/proprietary software because of the liability it creates for me in terms of system unreliability, identity theft, and trespassing on my personal space.

    On point #1 “Overlawyerization”. There is a real disconnect here. True, we have significant overlawyerization but it is at the corporate level and between corporations. The consumer simply has no rights in today’s environment. If this quote were true => “Organizations see privacy as a legal compliance problem.” we would see organizations actually protecting/hiding our private information. Instead we find that corporations will buy/sell/trade “private” information to anyone who pays as if there were no legal repercussion. Simply put, corporations do not respect the rights of consumers, but if the consumer looks at a corporation’s so-called “intellectual property” in the wrong way, overlawyerization will rain down to drown the consumer.

  4. Xcott Craver says:

    Maybe another factor in these mistakes is developers thinking in single-user mode. When you make a product for a single user, e.g. Photoshop, you want to give it as many cool features and capabilities as possible, because people like cool features, and always want more power. Who doesn’t want the ability to roll back every revision of their file? Who doesn’t want the ability to find every image file on their computer instantly?

    Many of those features amount to the ability to sort, sift and see through all their files and usage history. As a single user, I basically want X-ray vision and photographic memory. But as a member of a social network, I suddenly find that level of transparency embarrassing, and there are some capabilities I don’t want people to have.

    You can also have these embarrassing privacy leaks in single-user situations, for example sending off a Word document with its entire revision history by accident, or letting someone else use your computer and facing your URL autocompletion. But the potential embarrassing consequences are less immediately obvious to the user, and in any case the utility is worth it.

    As a single user I love the idea of OSX’s “Time Machine,” which lets me wind back to earlier versions of my file system. It’s the ultimate undelete utility, so much that I just delete files with impunity knowing that I can just find them in the past. On the other hand, it finally changes my computer so that you never really achieve privacy even by deleting files.

    On the other hand, I’m sure Apple thought of that, since everything is saved on a well-defined external firewire drive that can be unplugged and/or wiped.

  5. dmc says:

    “(1) Overlawyerization: Organizations see privacy as a legal compliance problem. They’re happy as long as what they’re doing doesn’t break the law; so they do something that is lawful but foolish.”

    The obvious fix here, is to adopt EU type controls on data privacy. Such revelation of data should NOT be lawful, even if foolish.

  6. paul says:

    I think that Xcott Craver’s single-user notion might better be thought of as another example of the good-guy fallacy. If you’re the good guys, then it’s no problem for you to have access to otherwise-hidden data, because you won’t do anything irresponsible with it. (Or to be able to detain people indefinitely without trial, because you’ll only detain people who deserve it, but that’s another discussion.)

    It’s often very difficult for people who consider themselves the good guys (and who may even have objectively “good” motives at heart) to realize that everyone else won’t take their self-assessment at face value.

  7. Xcott Craver says:

    “I think that Xcott Craver’s single-user notion might better be thought of as another example of the good-guy fallacy.”

    Except, I think it’s a fallacy to think of these things in terms of good guys and bad guys. Often people want privacy (and are outraged by privacy leaks) even when there is no conceivable “bad guy.”

    We close the door when using the restroom, and it’s not because we are worried about a peeping tom. We seek private spaces for private conversation—we are mortified when a private email is sent to a mailing list accidentally—but often our desire for privacy has nothing to do with any risk the info being exploited. You might want to keep a piece of personal information private even if you can’t name a single specific person you need to keep it from, or any concrete bad consequence of it becoming public, beyond general embarrassment and a violation of social mores.

    Often the need for privacy isn’t a matter of protection from other people or specific threats, but just general expectation that some aspect of our personal lives should remain inviolate.

    If developers try to predict what a “bad guy” can do with the latest feature, they may completely miss a major aspect of privacy: often people seek privacy for purely sociological reasons rather than any concrete risk.

  8. Users beware says:

    Shouldn’t the users of these “Web 2.0” services learn from Facebook’s Beacon Misstep, too? How about DO NOT TRUST THESE WEB SITES?

  9. Luke says:

    Xcott Craver,

    I recently took a course on computer-forensics. We spent the entire class learning how to recover deleted files and generate a timeline of what was deleted/when and when.

    No, these techniques don’t require any cooperation from the underlying operating system. No, they can’t recover every file and there are no guarantees — but the techniques can probably recover that grocery-list that you deleted last week.

    You can’t achieve privacy by merely deleting files – you have to figure out some way to instruct the system to overwrite every file you delete. Or you could run FileVault. On-disk and on-network encryption is about the only way to really achieve any privacy. Otherwise, a goon and a geek working together can learn exactly what was on your mind when you talked to your mom the other day.

  10. paul says:

    @Xcott Craver:

    I didn’t mean “good guys” in the sense of good-vs-bad so much as “the people you trust”. (Something of a tautology, I know.) You’re right that most people have privacy boundaries even for those whom they trust, but there are also plenty of people — we’ve all met them — for whom boundaries of personal space and privacy are an incomprehensible thing.

  11. Dan Simon says:

    Another reason why companies often fail to anticipate “privacy outrage”: they tend to think of privacy issues in terms of their effects on customers, whose overall behavior indicates little concern for privacy and considerable trust in the companies that do business with them.

    What the companies don’t understand is that “privacy outrage” is driven primarily by the privacy activist community, a group with its own complex, quirky and not-entirely-selfless agenda. That agenda includes (1) fostering a continuous drumbeat of “privacy outrage”, to maintain its own importance; (2) ensuring that its own privacy requirements are ill-defined and constantly shifting, to prevent its power from being undermined by objective standards; and (3) maintaining and constantly revising lengthy and somewhat arbitrary lists of privacy “good guys” and “bad guys”, in junior high school fashion, to ensure that all parties have to kowtow to it for fear of being targeted.

    How many complaints did Facebook actually get from customers about its feature? How many of those customers actually stopped using Facebook? (The only reference I could find to actual customer complaints stated that overstock.com received “about three dozen” complaints from customers.) Now that opt-out is possible, what fraction of users have actually opted out? Skimming the press coverage of this story hasn’t given me the answers to these questions, because it’s all focused on the actions of privacy activists (such as the petition organized by moveon.org).

    As long as “privacy outrage” remains fundamentally a political phenomenon, rather than a commercial one, companies that focus on their and their customers’ commercial interests will continue to be blindsided by outbreaks of purely political “privacy outrage”.

  12. Spudz says:

    What’s with comments that just compliment the site, but don’t say anything related to the specific blog article?

    Perhaps the site should have a “site feedback” form for comments (and bug reports!) so people have a place to say this sort of stuff where it won’t clutter up the discussion of any specific topic. Of course, another thing the site needs is for “webmaster@freedom-to-tinker.com” to not bounce, a serious RFC violation I’ve noticed around here. If the site’s completely nonresponsive, obviously a form on a Web page on the site won’t be a viable way for anyone to notify Ed about the problem. Right now, though, neither is the email address that’s supposed to be used in such an eventuality. As a result, on the rare occasion when the site has severe problems it takes days for them to get fixed because Ed doesn’t hear about them right away.

  13. Tel says:

    You forgot:

    (6) Astounding arrogance and lack of respect for their customers.

    To a very large extent, corporate culture encourages this. The guy who can take big risks wins, until the risks don’t pay off and then the guy who can make excuses and cover his backside wins. Long term strategy is irrelevant. Making a big scene, getting your name in lights and scooting to some other position is the way to get ahead.

    As a single user I love the idea of OSX’s “Time Machine,” which lets me wind back to earlier versions of my file system. It’s the ultimate undelete utility, so much that I just delete files with impunity knowing that I can just find them in the past. On the other hand, it finally changes my computer so that you never really achieve privacy even by deleting files.

    Amazing the stuff that Apple invents…

    I’ve been using a similar feature for many years now, but I call it by the very old name, “Taking Backups”. It’s been a boon for hard drive failures and system rebuilds too :-)

  14. Tel says:

    What’s with comments that just compliment the site, but don’t say anything related to the specific blog article?

    Link farming spam?

    Of course, another thing the site needs is for “webmaster@freedom-to-tinker.com” to not bounce, a serious RFC violation I’ve noticed around here.

    Good old RFC2142: proof that wishful thinking, and dreamy utopian fantasy still haven’t been killed, despite the new and amazing power of google, wikipedia and hordes of spammers, all providing rock solid counterexamples. That, above all other things, is the true spirit of humanity. Defiance in the face of adversity.

  15. cm says:

    Dan Simon: Any stink is almost always generated (or brought to light) by minority “activists”. (One could say this is the defining feature of activists.)

    You are committing a fallacy over the “minority” aspect. Activists tend to be a minority in actually acting or speaking up, but they are often not minority groups by any other criteria. That is, I contend the about only thing activists have in common is a propensity to go out of their way to act in their own and/or common interests, which most people should do.

  16. cm says:

    And the expression of the fallacy I’m referring to is taking the lack of mass complaints as evidence that the issue is a problem of some minority prissies.

  17. Dan Simon says:

    “Lack of mass complaints” is, without question, strong evidence of lack of customer dissatisfaction. Although only a fraction of unhappy customers will complain, those complaints, properly extrapolated, tend to be a far better measure of actual customer concern than the level of activist outrage. The latter, as I pointed out, may have more to do with the activists’ agenda than with customers’ actual preferences.

    Now, I’m not arguing that businesses should ignore activists altogether–after all, effective activists can *instigate* customer concern, through fear-mongering via the media. Nor do I have any idea whether Overstock.com’s “several dozen” complaints were sufficient reason for alarm–depending on the nature of the complaints and the historical relationship between complaint rates and customer opinion, Overstock.com’s immediate reaction might well have been completely justified. But it is certainly not the case that activist outrage always indicates easily foreseeable customer dissatisfaction.

  18. David Harmon says:

    but there are also plenty of people — we’ve all met them — for whom boundaries of personal space and privacy are an incomprehensible thing.

    Autistic and Asperger’s types are particularly prone to this — and a lot of those go into computer programming!

    Dan Simon: Without the activists publicizing them, that “fraction of unhappy customers” tends to get written off as “rare exceptions”. “Hey, the other 90% don’t have any problems!” I’ve personally been told “well, nobody else has ever complained about that”, and later discovered otherwise on my own….

  19. Michael Roe says:

    Overlawyerization

  20. Michael Roe says:

    Overlawyerisation:

    In the EU, privacy is pretty heavily regulated. There are laws like the Data Protection Act, which are ostensibly there to protect consumers’ privacy. We also have money laundering regulations, so the banks are forbidden from providing anonymous bank accounts even if there was a market for them; this is a government-mandated lack of privacy. And sure, if you ask a lawyer they will tell you what is lawful, which is very different from what you can do without upsetting your customers.

  21. Tel says:

    but there are also plenty of people — we’ve all met them — for whom boundaries of personal space and privacy are an incomprehensible thing.

    I would argue quite the opposite. If you actually ask people whether something makes them feel uncomfortable (and ask them BEFORE you take the action) you find that they will give you a completely comprehensible YES / NO answer. On the other hand, by not asking, you can remain ignorant. There’s an amazing array of fascinating things in this world that you can not see, merely by not looking. Imagine that.

    Autistic and Asperger’s types are particularly prone to this — and a lot of those go into computer programming!

    Also completely untrue. People who consider themselves “normal” are prone to the silly presumption that everyone thinks exactly the same as they do. Thus, anyone different is obviously “incomprehensible”.

  22. Spudz says:

    Tel insults me in a post above. I feel the need to point out that none of the nasty things that he has said or implied about me are at all true.

    At the same time, he defends a dangerous and trouble-causing RFC violation at this site, one the site’s operator has thus far neglected to address I might add.

    The trouble being that when the site becomes entirely unreachable, the most serious of situations, it becomes impossible to notify him so that he knows of the problem at the earliest possible time and promptly fixes it. That is simply unacceptable. There MUST be a way to notify the webmaster of any serious problems, and a comment form somewhere does not suffice on its own because during the most severe and urgent situations the comment form will be unusable due to the very problem that is in need of urgent attention.

  23. Tel says:

    I wasn’t trying to be nasty, merely pointing out that RFC2142 is rather unrealistic. It’s not exactly a bad thing to have dreams of a better world, but it is a bit pointless to get upset when reality doesn’t live up to the dreams.

    Agreed, it is fairly easy to comply with the RFC — just create a bunch of mailboxes. Nothing difficult in that. However, most likely people will expect someone to actually READ those mailboxes. They probably also expect someone to think about the content of the messages and maybe take action. And do this again for every protocol provided on the system. And sift through spam on all of those mailboxes, just in case someone might point out a small but important flaw in their service. In other words, you are asking for every service on every server to be fully maintained and deliver a quality service at all times.

    I mean really, websites cost nothing to visit. If you don’t like what you get then visit someplace else. Sure it would be nice to have all systems maintained to an excellent standard and all done for free. World peace would be even nicer. One of those things might lead to the other, who knows. Have you considered researching human rights violations? There are certainly some very severe problems in need of urgent attention right there…

  24. dmc says:

    @Dan Simon:

    “How many complaints did Facebook actually get from customers about its feature? How many of those customers actually stopped using Facebook?”

    Ah…but how many people like me are out there who just won’t sign up for a Facebook account out of fear that something like this might happen (again)?

  25. Spudz says:

    Being able to actually notify a web master by email of severe problems that it is their responsibility to fix and that render any means of contact dependent on their web server unusable is NOT “unrealistic”, it is “necessary”.

    “In other words, you are asking for every service on every server to be fully maintained and deliver a quality service at all times.”

    Exactly, within reason. I ask that the server be maintained instead of kept in a state of benign neglect. I ask that there be a best effort made to provide quality service. Most of all, I ask that those responsible be willing to stand by their work, enough to actually open themselves up to receiving feedback about the quality of said work. And I ask no more than that.

    Spam, which you keep bringing up, is an irrelevant aside here. Bayesian filters will suffice to nix the bulk of it with nary a false positive.

    As for your even more irrelevant tangent about human rights violations … ridiculous. Those need addressing in their appropriate forum. Problems with this web site need addressing in this forum. The one is separate from the other.

  26. Tel says:

    In simple terms, different people have different priorities, and time and effort are finite for all of us. A webmaster providing a free public service has a responsibility not to put anyone in danger, anything beyond that is purely optional.

    The comment about human rights was an attempt to provide perspective.

  27. Spudz says:

    A webmaster is responsible, whether you like it or not, for adhering to a) certain technical standards and b) certain social standards of, among other things, responsibility.

  28. DJ Boba Fett says:

    I propose an electronic Jihad against this evil fascistic dictatorship run by a child. Please read my blog at http://www.myspace.com/djbobafett to see my running trials and tribulations with this site. At this point, they up and cancelled me, with over 200 hours of work on my site, pages, events, profiles and advertisements. They are billing my card even though I no longer have an account. I called the Palo Alto offices at 650-543-4800 to dispute the bill (as it’s ads for a deleted site they’re billing me for) and had to call 3 times before a human picked up. I talked to a female Sam (supposedly the only Sam that works there, yeah right) and she said they do NOT offer voice billing support. i told her that by refusing to work with me, she is okaying my choice to dispute the charges with my credit card company. We’ll see. If you have ANY problems with the site or infrastructure, please call them, ask to talk to SAM, and tell them “DJ Boba Fett sent you.”