Answer by Cristina Cordova:
I researched privacy on Facebook heavily from January 2009 through May 2010 for a senior thesis (85 pages of which you can read here if you have lots of free time:). Facebook made many mistakes with regard to user privacy, the most prominent being:
Complicated Profile Privacy User Experience:
In 2006, Zuckerberg said “This is the same reason we have built extensive privacy settings - to give you even more control over who you share information with”. Facebook’s robust privacy settings actually made it more difficult for users to execute this control. Take a look at the profile privacy settings from January 2010:
Not quite as simple and easy as uploading a photo, is it? At the time, if a user wanted to block friends from seeing his photos, he would have to change the following settings: “photos and videos of me”, “photo albums” and “posts of me”. If a user selected custom privacy settings, he had the option of sharing information with specific friends or groups of friends, making the process even more complicated as one would have to set up and maintain specific lists or groups of friends who could see particular information. Adding buttons, toggles and drop-down menus only complicated the experience and left users feeling like they had very little control at all. This resulted in users leaving the settings to the default public option, which was in the best interests of Facebook, not its users.
Application Privacy Issues:
At one point, Facebook gave Zynga access to some (normally private) information from friends of friends of the users that played their games - a clear privacy issue as those users never authorized Zynga to have their information. This led to many of the spammy practices Zynga was known for in its early days.
In 2007, Facebook launched Beacon, an advertising system that sent data from external webpages to Facebook. When users would purchase from Overstock, for example, a pop-up like the one below would appear saying that Overstock was sending your purchase information to Facebook:
A user would have about ten seconds before the window would disappear. The information about the purchase would appear on a user’s Facebook wall. Facebook implemented this program as opt-out only. In 2008, a class action lawsuit was filed against Facebook and the third-party companies who participated in the program as personal information about users was released to these companies without a user’s permission.