One thing that strikes me as interesting is that Facebook repeatedly states that they do not sell personal information to third parties. Yet, I've never read or heard it stated plainly that this behavior is forbidden by applications running on the Facebook platform. In fact, at one point I remember that friends applications had access to my personal information, even if I did not authorize said application. I dont' know whether that is still the case, but the idea behind it is troubling.
I would also like to follow-up that people are dissimilar enough that de-anonymizing is not that difficult. I do not know why, yet, an advertiser would want to explicitly de-anonymize its data, but it is certainly possible.
6. You will not directly or indirectly transfer any data you receive from us, including user data or Facebook User IDs, to (or use such data in connection with) any ad network, ad exchange, data broker, or other advertising or monetization related toolset, even if a user consents to such transfer or use. By indirectly we mean you cannot, for example, transfer data to a third party who then transfers the data to an ad network. By any data we mean all data obtained through use of the Facebook Platform (API, Social Plugins, etc.), including aggregate, anonymous or derivative data.
Saying their "entire business model is under fire" seems too extreme. From the article:
The EC is planning to ban such activity unless users themselves specifically agree to it.
Okay, so, at worst Facebook just has to make users specifically agree to this before they can continue using Facebook. I'm sure some people wouldn't agree, but it's not a big enough deal that Facebook would change their business model.
The current data sales business model doesn't support their sky-high valuation. Most investors assume that Facebook will "figure out" a better way to monazite their audience. Facebook commerce and credits sales for the Facebook platform look to be their most promising options. Facebook isn't all-in on data mining. They're certainly hedging their bets.
Obviously nothing is guaranteed, and I personally believe that they'll have trouble finding anything that justifies their valuation. But a lot of smart people think they'll figure it out, and are putting their money where their mouths are. They have some options, but we'll just have to wait and see how those actually progress.
Better for whom? They'll have trouble justifying their valuation indefinitely, which normally would mean that they're better off going public sooner rather than later. But Facebook stock seems to be a rather liquid investment right now on the Secondary Market. So for the average employee or investor, they can pretty much get out whenever they'd like, mitigating one of the big benefits of going public.
For FB as a company, they're probably better off delaying their IPO as long as they can. As a private company, they don't have to make their books public, and can continue to "figure it out" without extra scrutiny. Delaying the IPO also lets them promote themselves as a pre-IPO "startup", while I don't personally see the growth potential, and I think they've got a lot to do to even meet their current valuation, it could help sway some developers. They've got a long way to go to justify their valuation, and they can use all the developer talent they can get, so any little thing can help.
Thanks. Should FB have to justify their pre-IPO valuation(s) or should that be the responsibility of the investment firms and individual investors who have set it?
FB doesn't need to justify their valuation. They didn't set it. It's unfortunate that it's so high. I think their valuation is a weight around their necks. They're expected to "figure it out", and eventually justify it, and it's a lot of extra noise they'd probably be better off without. What they're looking to do (and what they have the potential to do) is very ambitious. Extra expectations make it even more difficult.
The billing systems (and customer support) you'd have to put in place for something like this would likely make it prohibitive. It's the flipside of "there's no such thing as a free lunch": there's no such thing as a free lunch payment (or pricing) system. Billing, collections, currency conversion, and end-user hand-holding ... it doesn't hold up. Advertisers are far fewer, find far higher value in the system, and on a per-unit basis are much more economical to tap.
Network effects are another huge factor. A large part of FB's value is that everyone's on it, and everyone's on it because everyone's on it and it's free.
You could conceivably come up with an end run around some of this, but it would take some creative thinking. I don't believe it's feasible to have the end users be the direct customers of such a product directly, though with a concentrating middleman, possibly.
With how much Facebook are doing behind the scenes with the user tracking, it's hard to blame the EU officials trying to stop them. Facebook tried to bite more than they can chew, and they've been warned about going too far with all the privacy invasion for 2 years now, and they still didn't care, and went ahead anyway.
>First, let’s have a primer on how Facebook makes money: The company gets you to willingly enter all kinds of demographic and behavioral information into a massive database. Advertisers, big brands and Facebook’s sales team call it “data.” You call it your profile, your likes, your checkins, your comments and everything else you do on the site. Facebook then sells that data — in an aggregated, anonymized form, of course — to brands and advertising agencies so they know how, when, where and to whom to market their wares.
Data is not "sold". Data only leaves Facebook's servers when you ask for it. Facebook makes money by targeting ads on facebook.com. This is constantly misstated and it frustrates the hell out of me.
EDIT: I tweeted at the author and she made the language much less ambiguous. Journalism points to Jolie O'Dell.
Agreed. For a certain definition of the word, Facebook does "sell" data to advertisers, but not by my intuitive definition of "sell". To me, they "sell" targeted ad space.
However, Facebook maintains that users prefer seeing ads that are linked to their interests and lifestyles. Also, the company reminds us that private information stays private, even when data is used to sell ads, because information is collected in aggregate and is anonymized.
This troubles me, because information being collected and 'anonymized' is somewhat of a misnomer. I think many would contest any assertion that data capable of disassembly into its constituent parts (assuming each constituent part to be a unique combination of variables represented in the aggregate) comports with anonymity. I'm generally not one to praise governmental regulatory agencies for their technological prowess, but the U.S. Department of Health & Human Services really "got it" with HIPAA's de-identification standard.
HHS understands the importance of aggregating healthcare data and conducting statistical research, and does not let HIPAA preclude this from occurring. Instead, HIPAA outlines a "safe harbor" approach that limits a covered entity's criminal/civil liability in the event of a breach if and only if the covered entity removes 18 identifiers and has no actual knowledge that the remaining information could identify the individual. These identifiers include names, dates, geolocational codes covering populations less than 20,000, etc. Alternatively, covered entities may opt to use a 'statistical' approach by hiring a qualified statistician (or other scientific expert) who can use acceptable analytic techniques to conclude that the risk of identifying the person from the disclosed information is very, very small.[1]
A safe harbor approach to large-scale data privacy would be absolutely wonderful. Using statistics to prove the anonymity of data being collected/used by Facebook is nonsensical, since by default, we've given them a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to 'use' anything we submit to them. Contracts of adhesion, in my opinion, are more of the problem since there's no good way to 'make change' for the information that you submit. For example, someone very active on Facebook might arguably be 'worth more' to the company than someone who isn't, but both receive the same product.
EDIT: A safe harbor approach to large-scale data privacy isn't even unknown. See COPPA[2], for example.
> Contracts of adhesion, in my opinion, are more of the problem
In the Internet/data mining era, contracts of adhesion are an incredibly overpowered legal tool. Suddenly things you used to do in person, with reasonable expectations and no practical way for commercial entities to override those expections, have been replaced by doing everything in software and on-line, with EULAs and click-through agreements that contain numerous obviously abusive terms that are not necessary for the performance of the basic agreement, would be unexpected by the individual agreeing to the standard form contract, but are never known (until it's too late) because no-one actually reads the full details of every form agreement they "agree" to.
It is well past time that consumer protection laws were updated to dramatically rebalance the legal weight of form contracts containing potentially unexpected or misunderstood terms against what would seem necessary and reasonable to the person entering into such an agreement.
It is also well past time that privacy laws were updated to reflect the Internet/database/data-mining age. You can't just assume that some minor action that might not in itself have been considered an invasion of privacy in more innocent times is still harmless at a time when technology can turn a collection of such actions into a searchable life story.
28 comments
[ 3.2 ms ] story [ 72.6 ms ] threadhttp://www.privacyparrot.com/privacy-policy-for-facebook.com
I would also like to follow-up that people are dissimilar enough that de-anonymizing is not that difficult. I do not know why, yet, an advertiser would want to explicitly de-anonymize its data, but it is certainly possible.
From https://developers.facebook.com/policy/
6. You will not directly or indirectly transfer any data you receive from us, including user data or Facebook User IDs, to (or use such data in connection with) any ad network, ad exchange, data broker, or other advertising or monetization related toolset, even if a user consents to such transfer or use. By indirectly we mean you cannot, for example, transfer data to a third party who then transfers the data to an ad network. By any data we mean all data obtained through use of the Facebook Platform (API, Social Plugins, etc.), including aggregate, anonymous or derivative data.
you can set what data your friends can use in their applications.
The EC is planning to ban such activity unless users themselves specifically agree to it.
Okay, so, at worst Facebook just has to make users specifically agree to this before they can continue using Facebook. I'm sure some people wouldn't agree, but it's not a big enough deal that Facebook would change their business model.
Obviously nothing is guaranteed, and I personally believe that they'll have trouble finding anything that justifies their valuation. But a lot of smart people think they'll figure it out, and are putting their money where their mouths are. They have some options, but we'll just have to wait and see how those actually progress.
Perhaps the key word is "better".
For FB as a company, they're probably better off delaying their IPO as long as they can. As a private company, they don't have to make their books public, and can continue to "figure it out" without extra scrutiny. Delaying the IPO also lets them promote themselves as a pre-IPO "startup", while I don't personally see the growth potential, and I think they've got a lot to do to even meet their current valuation, it could help sway some developers. They've got a long way to go to justify their valuation, and they can use all the developer talent they can get, so any little thing can help.
$6 Billion per year revenue
The billing systems (and customer support) you'd have to put in place for something like this would likely make it prohibitive. It's the flipside of "there's no such thing as a free lunch": there's no such thing as a free lunch payment (or pricing) system. Billing, collections, currency conversion, and end-user hand-holding ... it doesn't hold up. Advertisers are far fewer, find far higher value in the system, and on a per-unit basis are much more economical to tap.
Network effects are another huge factor. A large part of FB's value is that everyone's on it, and everyone's on it because everyone's on it and it's free.
You could conceivably come up with an end run around some of this, but it would take some creative thinking. I don't believe it's feasible to have the end users be the direct customers of such a product directly, though with a concentrating middleman, possibly.
(http://news.ycombinator.com/item?id=3285466)
>First, let’s have a primer on how Facebook makes money: The company gets you to willingly enter all kinds of demographic and behavioral information into a massive database. Advertisers, big brands and Facebook’s sales team call it “data.” You call it your profile, your likes, your checkins, your comments and everything else you do on the site. Facebook then sells that data — in an aggregated, anonymized form, of course — to brands and advertising agencies so they know how, when, where and to whom to market their wares.
Data is not "sold". Data only leaves Facebook's servers when you ask for it. Facebook makes money by targeting ads on facebook.com. This is constantly misstated and it frustrates the hell out of me.
EDIT: I tweeted at the author and she made the language much less ambiguous. Journalism points to Jolie O'Dell.
That's a fascinating comment, particularly when read immediately after this one (the top comment from the top HN thread, as I write this):
http://news.ycombinator.com/item?id=3287480
Apparently "asking for it" can be as simple as having ever used the almost-ubiquitous Facebook OAuth integration on a site, for example.
This troubles me, because information being collected and 'anonymized' is somewhat of a misnomer. I think many would contest any assertion that data capable of disassembly into its constituent parts (assuming each constituent part to be a unique combination of variables represented in the aggregate) comports with anonymity. I'm generally not one to praise governmental regulatory agencies for their technological prowess, but the U.S. Department of Health & Human Services really "got it" with HIPAA's de-identification standard.
HHS understands the importance of aggregating healthcare data and conducting statistical research, and does not let HIPAA preclude this from occurring. Instead, HIPAA outlines a "safe harbor" approach that limits a covered entity's criminal/civil liability in the event of a breach if and only if the covered entity removes 18 identifiers and has no actual knowledge that the remaining information could identify the individual. These identifiers include names, dates, geolocational codes covering populations less than 20,000, etc. Alternatively, covered entities may opt to use a 'statistical' approach by hiring a qualified statistician (or other scientific expert) who can use acceptable analytic techniques to conclude that the risk of identifying the person from the disclosed information is very, very small.[1]
A safe harbor approach to large-scale data privacy would be absolutely wonderful. Using statistics to prove the anonymity of data being collected/used by Facebook is nonsensical, since by default, we've given them a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to 'use' anything we submit to them. Contracts of adhesion, in my opinion, are more of the problem since there's no good way to 'make change' for the information that you submit. For example, someone very active on Facebook might arguably be 'worth more' to the company than someone who isn't, but both receive the same product.
EDIT: A safe harbor approach to large-scale data privacy isn't even unknown. See COPPA[2], for example.
[1] http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&rgn... 45 CFR 164.514(b)(1)--(2).
[2] http://en.wikipedia.org/wiki/Childrens_Online_Privacy_Protec...
In the Internet/data mining era, contracts of adhesion are an incredibly overpowered legal tool. Suddenly things you used to do in person, with reasonable expectations and no practical way for commercial entities to override those expections, have been replaced by doing everything in software and on-line, with EULAs and click-through agreements that contain numerous obviously abusive terms that are not necessary for the performance of the basic agreement, would be unexpected by the individual agreeing to the standard form contract, but are never known (until it's too late) because no-one actually reads the full details of every form agreement they "agree" to.
It is well past time that consumer protection laws were updated to dramatically rebalance the legal weight of form contracts containing potentially unexpected or misunderstood terms against what would seem necessary and reasonable to the person entering into such an agreement.
It is also well past time that privacy laws were updated to reflect the Internet/database/data-mining age. You can't just assume that some minor action that might not in itself have been considered an invasion of privacy in more innocent times is still harmless at a time when technology can turn a collection of such actions into a searchable life story.