Among other things, the commissioner, who reports to Parliament and can force companies to make changes to their privacy practices, asked Facebook to change the default privacy settings of photo albums to "Your Networks and Friends" instead of "Everybody," and to make sure that user profiles are inaccessible to search engines by default. Facebook is working on implementing these changes and with the per-object privacy settings that were recently introduced, most of these issues had been resolved already anyway.

Third-Party Apps

The area the commissioner focused on most, though, was third-party application and the amount of private information developers can access through these, and as of now, Facebook has not agreed to make any of the recommended changes. The commissioner recommends that Facebook should limit developers' access to only those pieces of information that are necessary to run an application, and that the company should also implement measures to prohibit the disclosure of personal information of users who aren't actually using an application themselves.

Deleting Accounts Will Remain Difficult

As for the retention of user information, Facebook apparently does not agree with the commission's recommendation to add information about account deletion to its privacy policy. For the time being, actually deleting a Facebook account will remain difficult. Under Canadian law, Facebook would have to have "appropriate purposes" to keep this information.

Facebook was also asked to add a section to its privacy policy about what happens to the accounts of deceased users (they are currently kept active), but here, too, Facebook refuses to make any changes because it considers "them unnecessary under the law."

Some Good News for Facebook

It's important to note that the original complaint that set off this investigation also alleged that Facebook should not ask users for their date of birth, name, and email address when registering for a Facebook account. Stoddard, however, argues that this is a reasonable request, even if Facebook didn't make the reasons for why it asks for this information very clear.

You can find more details about all the different allegations and the commissioner's recommendations, as well as Facebook's reaction, in the full report, as well as in this press release.

Overall, most of these recommendations seem quite reasonable, though especially with regards to third-party applications, it's a bit puzzling why Facebook doesn't want to do more to ensure its users' privacy.

As Facebook expands, its privacy settings have gotten more and more complicated, to the point where most users probably are just baffled by the number of choices and decide to just leave everything in the default setting.

1. Chrome Privacy Guard

Chrome Privacy Guard was the first tool to automatically delete the unique Client ID that Google assigns to your Chrome installation. With this tool, that ID is automatically deleted before each run of Chrome. To use Chrome Privacy Guard, you launch an executable file ChromePrivacyGuard.exe instead of launching the browser itself. The tool cans the "Local State" file inside the Chrome directory and removes all information regarding the Client ID. It then automatically starts Chrome.

2. UnChrome

Like Privacy Guard, UnChrome also removes your unique ID from the browser, instead replacing it with a null value. This is a bit more convenient because UnChrome only needs to be run once. After you download and run the tool, you will see a pop-up advertisement for the developer's other applications, but again, it's only a one-time thing. Afterwards, your browser will forever have the unique ID removed.

3. Iron

Iron is a fork of Chrome's Chromium core, the open source project behind Google Chrome. Developed by a German software company SRWare, Iron goes even further than the above tools to protect your privacy. Where the other tools simply remove the unique ID from Google's version of the Chrome browser, Iron is actually its own, separate browser. In addition to removing the unique ID, Iron also makes sure that no user-specific info is sent to Google, including crash reports. When you enter in a URL incorrectly, Iron does not present any alternative error messages like Chrome does. Finally, Iron does not come bundled with the Google Updater tool, which checks with Google to see if there are any new updates for the Google products you have installed.

Do you use any of these tools to protect your privacy? If so, share your experiences or your preferences in the comments.

I'm here at a small meeting of the Yahoo Product Advisory Council and while most of what's being discussed today has been put under Non Disclosure Agreement, the presentation by the Yahoo! Research Team can be blogged about and includes at least one really interesting visual about Flickr privacy levels around the world.

Now, with the new privacy settings for Facebook personal profiles, individuals have another, and perhaps better, option than those Public Profiles. On your privacy page, you can now choose to make one or all of the following profile elements more open: Profile, Status Updates, Links, Wall Posts, Basic Info, Personal Info, Education Info, Work Info, Photos of You and Videos of You.

By doing so, anyone who finds you in a search or sees you in a post or comment on their friend's profile can click through to see what parts of your profile you've chosen to reveal. In other words, you can selectively make whatever you want public while still hiding the rest.

It should be pointed out that this new option, while useful, does not allow for one-way friendships where one Facebook user could follow another without having a mutual friendship. For micro-celebrities, celebrities, and other persons of interest, this still does not resolve the issue of wanting to broadcast to a crowd through News Feed updates while keeping some things private. For that, the only recourse is still the separate and somewhat difficult to maintain "Public Profile" pages. Hopefully, Facebook will still consider implementing truly one-way friendships where individuals can both publicly share content and broadcast to those who wish to follow their news. This most recent update to the privacy settings would be a good first step in that direction.

Each of the top 25 applications on Facebook have at least 5.5 million monthly active users and 12 of these apps are labeled as "Facebook Verified," a designation which essentially means they have been given the Facebook seal of approval when it comes to their trustworthiness. But how trustworthy are these apps, really?

To determine the state of application privacy policies, "theharmonyguy" (the anonymous blogger who maintains the site Social Hacking) looked for links on the app's Info page referring to a privacy policy, looked for links within the app's TOS (Terms of Service) page, and looked within the help/support pages, too. Plaintext URLs were also counted as links, if present.

In nearly a third of the applications, there was no link to a privacy policy listed.

Among the apps with no privacy policy are the #3 app "How Well Do You Know Me," the #5 app "MyCalendar," and the #12 app "Farm Town," among others.

Two of the applications only provided a link to the privacy policy after installation, one on the first page after installation and the other buried within a linked support page. One of these apps was the Facebook Verified app "We're Related." Seven applications included links in their Info pages, but in five of the seven, you would have to first click the "About" link to go to the developer's web site to discover the privacy policy link.

Eight applications included privacy policy links from links found on both the Info page and the TOS page. But only one application actually served up the privacy policy link directly from the application's Info page itself: CourseFeed.

Surprisingly, the "Facebook Verified" application known as RockYou Live (formerly Super Wall) offered no privacy policy whatsoever within the application or via its links to other pages. The About link pointed to a section of the application which requires user installation and the install page offered no TOS link, either. (And this is supposedly one of the trustworthy apps?)

Application Privacy: Old News Perhaps, But Still an Issue

Today, Facebook is busy defending itself against accusations that they're using user data for advertising purposes, but it seems that the real danger on Facebook may be the access to this same user data from unknown companies outside of the social network. This is not really a new issue - nearly a year and a half ago, Facebook application privacy issues were heavily discussed in the blogosphere for some time. It's interesting to look again at the status of this problem and see how little has changed since then.

In fact, today Facebook's Application Terms of Service warns you (shouts at you in UPPERCASE, no less) that:

"ALL PLATFORM APPLICATIONS ARE PROVIDED AS IS" and that "YOU UNDERSTAND AND AGREE THAT YOU DOWNLOAD, INSTALL AND/OR USE ANY PLATFORM APPLICATIONS AT YOUR OWN DISCRETION AND RISK."

Within your Privacy settings, you're also informed that:

"When you authorize an application, it will be able to access any information associated with your account that it requires to work. The application can access information like your personal info and photos as well as your friends' personal info (depending on their settings)."

In other words, you've been warned.

Why Doesn't Facebook Make Apps Offer a Privacy Policy?

It appears there's absolutely no requirement for Facebook applications to provide links to their own privacy policies to application users. And there's certainly no requirement that these links are prominently displayed for easy access.

This would be a simple policy for Facebook to enact, although perhaps a hard one to enforce in terms of man hours needed to keep tabs on all the apps across the social network. Someone would need to make sure that the apps not only offered privacy policies but also didn't remove the links after time passed and devious developers thought they could get away with the removal. Plus, there would still be the issue of the external privacy policies being updated after you agreed to them. What may have been innocuous at first could easily be updated to be quite terrible later on. Unless you routinely checked the privacy policy (which no one does) you would never know the change occurred.

Managing the network of applications could be made easier, however, with a little crowd-sourcing. There's already a "report this app" link provided at the bottom of all application pages. The link currently allows users to report privacy violations, so why not let users report the lack of a privacy policy, too? That seems like a good first step Facebook could take in this situation.

Although the majority of users would still probably never look at privacy policies even if changes were made, having them consistently and prominently displayed would at least put pressure on application developers to think more carefully about how they would access Facebook user data as this would now be disclosed. And that may be the best we could hope for when it comes to these applications.

However, Google's experiment with its face blurring technology in New York shows that they are quite capable of employing this technology. Google already blurs all license plate numbers in Street View as well.

Your grandmother is on Facebook now and Facebook introduced today a new way to invite all your "friends" on the site to an event. The way the tool works is the best example yet of how Facebook is moving in exactly the wrong direction with its new privacy settings. Facebook continues to implement features in a way that presumes all our contacts are in one big bucket, instead of recognizing that we want to communicate different things to different groups of people.

Last week Facebook acknowledged in a call with press that it really does want more people to be sharing more content outside their immediate friends and family with the whole of Facebook users. Prior to that acknowledgment we wrote about how a more accurate understanding of privacy on the web would respect peoples' desire to limit access to messages to the appropriate people in appropriate circumstances. In real life we talk about different things with different people, we don't default to a public broadcast of everything we have to say. That would be the best approach for a social network that says it prioritizes user control over privacy. Facebook is taking the opposite approach - making context-specific communication a "custom option" that few people are likely to take the time to find.

Default options in social software have consequences for human behavior and social interaction. Inch by inch a new texture of privacy is being created on Facebook; soon the path of least resistence will be for all of our content to flow out to everyone. Many users believe that's what Twitter is for - but Facebook is for communicating with known friends and family.

There's no better example of how inappropriate that can be than giving people an easy way to offer event invitations without making it easy to target those invitations only to the people you really want to invite. Today's announcement is just the latest indication that Facebook, big on talk about privacy, is actually moving in a direction that its privacy-minded users are unlikely to appreciate.

1. Lack of control over activity streams

According to the paper, there are two primary ways in which lack of control over activity streams may compromise our privacy; the lack of control we have over events going into our activity streams (examples given are Facebook Beacon and coComment), and the lack of control we have when it comes to who can see our activity stream as is possible with Google Reader.

2. Unwelcome linkage

The authors define unwelcome linkage as occurring when links on the Internet reveal information about you that you had not intended to reveal, for instance trackbacks and accidental linkage.

3. De-anonymization through merging of social graphs

Given social networking sites extract a fair amount of personally identifiable information; the authors suggest it may be possible to uncover personal information by comparing data across social networking sites. In fact, this method of merging social graphs has already been used when researchers identified Netflix users by combining Netflix data with data from IMDb (PDF).

The Google paper suggests various solutions:

• Applications should be explicit about which user activities automatically generate events for their activity stream
• Users should be given control over which events make it into their activity stream and be able to remove events from the stream after they have been added by an application
• Users should be explicitly told who the audience is for their activity stream; users should also have control over who the audience is for their activity stream
• Application developers should build their applications such that the creation of activity stream events is more likely to be in sync with user expectation

The paper also proposes the building of tools that describe what information is available about you on the Internet; a warning system of sorts that includes an automatic link discovery tool which will quickly show you whether there is any privacy risks involved, so you can be better informed before creating new content.

As reported in New Scientist the Google paper, (Under)mining privacy in social networks (PDF), will be presented at the Web 2.0 Security and Privacy 2009 workshop in May.

Image credit: Darwin Bell

As MySpace develops, so develop the next generation of mainstream web users and thus the web at large. Whether you're a MySpace user or not, it's worthwhile to keep an eye on what the company is doing - especially in terms of user experience.

Fully aware that major changes often cause a major backlash, MySpace has made Profile 2.0 fully opt-in and is saving a copy of their Profile 1.0 of any users who switch, for 90 days. That's smart.

These changes are important. Granular privacy controls on MySpace can help raise the expectations of mainstream users for increasing sophistication regarding privacy in particular and control over their data in general. That means we can all hope for increased vendor support for user control over data - the excuse that mainstream users don't care may not hold up much longer.

W3C standards compliance is good news because a standards compliant web is a web where site rendering doesn't stand in the way of economies of scale for developers. If your code for displaying, rendering, searching or otherwise interacting with websites isn't going to work across all sites - that's a major disincentive for large-scale innovation. W3C compliance is nearly complete for the new MySpace profiles and that's great news.

Though MySpace doesn't get the respect that Facebook does, we still believe that from MySpace is the social networking leader in a number of important ways. Granular privacy controls, for example, Facebook? We'd like that.

Not to get your hopes up, but a recent update to the Google Chrome Privacy Policy makes us wonder. A few days ago, the first two opening paragraphs of the Chrome Privacy Policy were revised. The old and new versions are provided below with bold indicating the changes:

OLD:

The Privacy Policy below applies only to Google Chrome for Windows. For the Developer channel releases on other platforms see the privacy policies for Mac OS X and Linux . The Google Privacy Policy describes how we treat personal information when you use Google's products and services, including information provided when you use Google Chrome. In addition, the following describes our privacy practices that are specific to Google Chrome. Google will notify you of any material changes to this policy, and you will always have the option to use the browser in a way that does not send any personal information to Google or to discontinue using it.

Information Google receives when you use Google Chrome

You do not need to provide any personally identifying information in order to download and use Google Chrome. When you download Google Chrome or use it to contact Google's servers, Google receives only standard log information including your machine's IP address and one or more cookies. You can configure Google Chrome to not send cookies to Google or other sites as explained here.

NEW:

The Google Privacy Policy describes how we treat personal information when you use Google's products and services, including information provided when you use Google Chrome. In addition, the following describes our privacy practices that are specific to Google Chrome. Google will notify you of any material changes to this policy, and you will always have the option to use the browser in a way that does not send any personal information to Google or to discontinue using it.

Information Google receives when you use Google Chrome

You do not need to provide any personally identifying information in order to download and use Google Chrome. When you download Google Chrome or use it to contact Google's servers, Google receives only standard log information including your machine's IP address and one or more cookies. On Google Chrome for Windows, You can configure Google Chrome to not send cookies to Google or other sites as explained here. Google Chrome for Mac and Google Chrome for Linux currently do not allow this level of configuration.

What Do You Think?

Maybe we're grasping at straws here, after all, the change could be referring to the developer builds of the browser and they're simply cleaning up the language for simplification. Still, that would be odd considering that they removed the reference to the developer builds' privacy policy, wouldn't it? Or then again, maybe Google is just consolidating the privacy policies for both the developer and public builds. A third option is that Google could be getting a little of the administrative work out of the way before they make the Mac and Linux builds public.

Testers have been reporting that the developer builds have been seeing steady improvement and the Chromium builds (the open source project that serves as the testing ground for Google Chrome) have been shaping up on a daily basis, too. Maybe a public version of Chrome for Linux and Mac is almost here? We can only hope.

Earlier this year Ask.com implemented a new data retention policy in which search queries are disassociated from IP address and user IDs after 18 months. AskEraser, though, puts users in the driver's seat regarding whether their data is stored at all. AskEraser was first announced in July and goes live today in the US and the UK, and will be rolled out globally in 2008.

"Anonymized search data provides online companies with important information to optimize the overall search experience," said Doug Leeds, senior vice president at Ask.com, in a press release. "At Ask.com, that aggregate information is already guided by strong privacy standards and policies. But for those who place greater importance on protecting their search data and their online privacy, AskEraser takes care of their concerns by putting consumers in charge."

While AskEraser is active some of Ask.com's personalizations features that rely on user activity data or storing information in cookies are necessarily turned off. Users won't be able to set custom skins for the Ask.com homepage while the Eraser is turned on, nor will they be able to utilize the site's "MyStuff" personal bookmarking service.

Privacy: A Trend to Watch

Following recent high profile privacy dust-ups, like Facebook's run-in with MoveOn over its Beacon ad system, or Google's troubles with the EU over its proposed DoubleClick acquisition, it seems likely that users may start becoming more sensitive to their privacy online. How personal data (including implicit data like search history and clickstream data) is being collected and used will become a more important topic for web users over the coming year.

Ask.com has been trying to take a leadership role in the development of online privacy standards. In September, they joined with Microsoft in urging for the creation of a set of industry standard "global privacy principles for data collection, use and protection related to search and online advertising."

Don't be surprised to see privacy emerge as a big trend in 2008.

The Next Step

AskEraser is a great step in the right direction in terms of handing privacy controls to the user, but it is far from perfect. When it becomes an 'either or' proposition between privacy and the ability to use useful features like Ask.com's MyStuff, the user isn't necessarily the winner.

A logical next step might be to embrace the APML standard as their own Bloglines product is planning to do. By allowing users to capture their search data and add it to their APML profile it would let them control how that data is shared and used. Further, more granular privacy controls on how Ask.com is using captured data would be welcome -- i.e., so that personalization services could be active, but users could still opt-out from data being stored long term, could have access to tools allowing them to cleanse or remove specific data, or could control exactly how their attention data is being used to do things like target ads.

What do you think about AskEraser? What sorts of privacy controls would you like to see search engine institute? Sound off in the comments below.