Facebook CTO: Don't forget Facebook is for sharing

CTO Bret Taylor says privacy policies on Facebook respond to the site's social-networking mission

Attention to privacy on Facebook has been intense in recent months after the company made more profile information public by default, added options to its already-complicated privacy settings and introduced features to personalize external Web sites using people's profile information.

The company responded last week by launching a simplified privacy dashboard, restoring the ability to hide some public profile data and giving users an "off" switch to block all third-party Web sites and applications from accessing their accounts.

Now that the dust has largely settled, IDG News Service had a chance to chat with Facebook Chief Technology Officer Bret Taylor about the latest privacy controversies and Facebook's reaction. An edited transcript of the conversation follows.

IDG News Service: There has been an intense focus on Facebook privacy recently, but protecting one's privacy online must be a broader endeavor. What's a holistic view of the online privacy problem, in your opinion?

Bret Taylor: One thing that was lost in the dialogue prior to some of our changes last week is that Facebook is a service primarily about sharing. People join our site to share with their friends. The reason you publish a photo to Facebook as opposed to saving it on your hard drive is because you want your friends to see it and comment on it and like it. Facebook isn't a service primarily about securing your information but about sharing your information, while giving users the confidence to know with whom they're sharing the information.

Privacy on Facebook and privacy on the Internet are very different things because obviously when your bank mentions privacy it means something completely different than when Facebook mentions privacy. When we talk about privacy at Facebook we're really talking about how can you know that when you publish a photo only your friends and extended network can see it. Also when your best friend from elementary school looks you up, that he can figure out if [this is you], which is another very important part of our service. So balancing the privacy aspects of sharing with discovery and this massive directory of everyone in the world, which Facebook is also very useful for, are just some of the problems we're dealing with, which are very different from other Internet services.

IDGNS: Privacy advocates want Facebook to set more conservative default settings for sharing and to leave it up to users to proactively opt into and enable broader sharing of their information. How do you strike a balance between those concerns and the risk of hurting Facebook's social-networking nature, which is to help people find other people and interact with them?

Taylor: That balance is something we talk about a lot internally. Obviously, you need a certain amount of sharing because otherwise you wouldn't be able to friend new people because they weren't your friends yet. What we've tried to do with our privacy defaults is reflect the norms of usage on our site. Obviously, the default settings are not perfect for everybody, so we try to make changing those defaults extremely easy, which is what our launch last week was about. Most people have changed their privacy settings at one time or another.

IDGNS: Many privacy concerns center on Facebook users' confusion about what and how information is being shared. Have you considered providing users with anonymized usage analytics for their profiles, so that they can see, say, that this photo was viewed by five friends, seven friends of friends and three people not connected to them in any way? The idea being that people get a concrete picture of how their content is being viewed and that they can adjust privacy settings based on that concrete knowledge if necessary.

Taylor: It's an interesting idea. I'm not sure if it's something we've considered.

IDGNS: Some people say Facebook search goes too far in making site data discoverable, while others complain that it doesn't go far enough. What's the right balance for the search function on Facebook?

Taylor: The primary use of Facebook search is finding people. The thing a lot of the technology community has been focused on is searching over the Facebook stream. But on Facebook, the primary purpose of the search box is finding people. A distinguishing feature of Facebook search is that it's personalized by default, so you can search through all your friends' updates. It's a very unique and personalized experience over a set of content that is very personal, like status updates and photos.

Searching over the status updates tagged with the [public] "everyone" setting has been very well-received by our users, but we haven't invested tons of effort into it because we've been focused on other areas of the site to date. We've been eager to hear everyone's feedback as we exposed the APIs [application programming interfaces], but I don't think we have any specific plans to announce at this point.

IDGNS: Regarding your "everyone" privacy setting, which makes content available to everyone on and off Facebook, what happens when someone whose profile is set to "friends only" interacts with a friend whose profile is set to "everyone"? Whose privacy settings govern those interactions, if, say, the "everyone" friend comments on a photo of the other "friends only" person?

Taylor: Comments inherit the privacy of the object on which you comment. So if I comment on a post that's set to "everyone" then my comment is also viewable by everyone.

IDGNS: So if you have an "everyone" setting for your profile and you comment on a photo posted by someone whose content is available to "only friends," the notification that you made that comment wouldn't be viewable by "everyone" on your news feed?

Taylor: Right. In the news feed, we only show links to things that you have permission to see, so that item might show up for people who are friends with that person, but we don't link to things that you can't see.

IDGNS: What has been the reception of Facebook's new features to use your Facebook identity to customize the experience on external sites?

Taylor: The most widely used product of the ones launched at our F8 [developers conference] is Social Plug-ins, which includes the Like button and other plug-ins, which let sites provide instantly personalized experiences with a line of HTML on their sites.

So if you go to the front page of the Washington Post or CNN you'll see an activity stream of the things your friends have recently "liked" on those sites. Those plug-ins have been deployed on over 100,000 sites, and millions of users have interacted with them. We've gotten very positive feedback from our users.

So on news sites like CNN.com and WashingtonPost.com you not only find out the big news of the day, but also what articles your friends have liked. For me, technology stories are disproportionately interesting, so when I go to CNN.com, I'll see that my friends have liked three technology stories deep into the CNN site, so that CNN front page has become more relevant for me. We've gotten similar feedback from many users.

IDGNS: You have more than 1 million external developers who have built apps for Facebook. How do you make sure all those people are doing the right thing and not trying to misuse data their applications get access to?

Taylor: We addressed this data issue at F8 with the change that when a user uses a Facebook application, by default that app will only be able to access the public parts of a user's profile. To access any private information on your profile or from your friends, the application has to ask the user specifically and granularly for access to that information.

That way you know the parts of the profile the application will access, so that if an application that is about publishing photos asks for access to your events, you might find that unusual and decide you don't trust that application. Users can also revoke applications' access to their account.

Stories by Juan Carlos Perez
