Facebook's stealth attack on Google exposes its own privacy problem

[REX]

When Facebook was attempting to expose Google's privacy problem, they accidently outed themselves, too.

STORY HIGHLIGHTS

#A big corporate PR firm, Burson-Marsteller, tried to entice USA Today to lambaste Google

#It also encouraged a security blogger to write an op-ed attacking Google

#The client wasn't rivals AT&T or Microsoft, it was Facebook

OK, here's the deal. A big corporate PR firm, Burson-Marsteller, tried to entice USA Today to lambaste a Google feature called Social Circle, on privacy grounds. It also encouraged a security blogger to write an op-ed attacking Google on the product.

Burson would not say the name of its client. But instead of taking the bait, USA Today did due diligence and consulted experts who said that Social Circle was small potatoes compared to more pressing privacy stories.

Instead it published a story about the Burston "whisper campaign" against Google on behalf of a secret client.

Meanwhile the blogger released a damning transcript of his exchange with the sleazy folks from Burson.

Most people would have assumed that the client was Microsoft or AT&T, Google rivals already actively involved in seizing every possible opportunity to take its foe down a notch. But last night we learned that the cowardly accuser was Facebook. Thus exposed, Facebook has 'fessed up.

This is a stunning story for a number of reasons.

But here's what makes the least sense -- if there were privacy problems about Facebook information in Google Social Circle (which has now been transformed into a different product called Social Search), they may well have been a result of Facebook's own practices.

Facebook was griping that Google is getting information about its users without permission. But some information that users share with Facebook is available publicly, even to people who aren't their friends in in their social networks -- or even are members of Facebook.

It's not because outsiders raided the service and exposed that information. It's because Facebook chose to expose it.

Facebook used to have an implicit promise with its users. Basically the deal was what goes on Facebook stays on Facebook. But over the past couple of years Facebook has chosen to alter the deal.

Certain profile information became available outside of Facebook, easily searchable via Google and other means. (Users can opt out of showing this but relatively few do.) Some of that profile information includes a few of the people on the user's friend list. By repeatedly pinging public profiles, it's possible for Google or anyone else to figure out pretty much all your friends.

This information is a lot easier to unearth from inside Facebook, but actually logging into Facebook to purloin information would indeed be troublesome. For one thing, it would violate the terms of service agreement.

Is Google doing this? One of the Burson operatives implied that it is. But Google says the company does not go inside Facebook to scrape information, and I find this credible. (If Facebook has logs to prove this serious charge, let's see them.)

When Google launched Social Search, it also said specifically that it was not going to learn about Facebook connections by mining the Web as described above. Just how Google does get Facebook information is complicated, but as Danny Sullivan of Search Engine Land concluded after an extensive look, much of it seems to be by permission.

Things should be more clear when Google prepares a more detailed briefing on this, which I assume it is preparing at this moment. Or maybe Facebook will directly spell out its charges now that it's been outed.

But even if Google did scrape information from the public web, would that be so bad? You can argue whether or not Google would be crossing a privacy line by doing this. (And, remember, Google says it is not mining that public information.) But it's an argument with a pro and con. What you cannot argue is that is not Google but Facebook that puts some Facebook information into the open Web.

That is why Facebook's campaign is so weird. If outsiders are going to examine how third-party companies get information about Facebook's users, you can't help but question why some Facebook information, by default, shows up on the open web.

Also, consider this excerpt from the letter Burson's operative named John Mercurio wrote to gin up an attack without Facebook's fingerprints on it. "Google's latest plan," he wrote, "totally disregards the intimate and potentially damaging details that could be revealed, including sexual orientation, political affiliation, personal connections, etc..."

This is ironic since, in my experience, Facebook user profiles with such information are much easier to view that they were in the early days of the service. Unless people actively take steps to opt out, it's possible for "friends of friends" (i.e., strangers) to view someone's personal information on Facebook.

And it was also remarkable that the Burson operative wailed about the privacy implications of letting millions of people examine a Facebook user's friend list. In my experience the vast majority of Facebook users do not take the steps to hide their connections, a list which is open by default to half a billion Facebook users.

Any responsible journalistic (or congressional) examination of the Burson charges would wind up asking questions about these Facebook privacy issues.

Given this, I conclude that Facebook was running a smear campaign against itself.

Over the next couple of years, the privacy practices of many companies -- especially Google and Facebook -- will come under severe scrutiny. Essentially it is neither company that is the cause of our privacy dilemma. It is the internet itself. The internet makes a broadcast of what once was a whisper.

The internet raises to the top of our attention embarrassing items that once would have faded into obscurity. The internet allows strangers and the ill-intentioned to aggregate innocuous personal data into a devastatingly revealing dossier.

The internet also allows companies to monetize our private information without our full knowledge. (Burying snoop tactics in the dense text of a privacy policy is not a justification.) And that gives profit-making firms a powerful incentive to abuse our privacy.

These companies want our trust. They even want us to hold off strong legislation and allow them to self regulate. And now here comes Facebook, doing one of the dumbest things imaginable.

It tried to beam attention on a privacy problem of a rival, but exposed itself as a sneaky maligner. Furthermore, the sorts of privacy fears Facebook evokes are exactly the sort that makes people worried about Facebook.

Not the greatest way to win our trust.

Copyright 2010 Wired.com.

Staff Note: Moved to Security and Privacy News. ;)