Facebook Users: Do What I Want, Not What I Say

Written by Evan Schuman
February 22nd, 2009

Facebook officials learned a hard lesson this month when the social networking site snuck in a privacy policy change that could have allowed it to access users’ content—and use it forever for pretty much anything Facebook could think of—even after users had deleted it from their accounts. After public backlash, the policy was reversed—for now. But I’ll bet serious money that these execs learned the wrong lesson.

What’s learning the wrong lesson? A few years ago, I was involved in a home cleaning contract and the agency didn’t do what it said it would do and, as a consequence, permanently damaged some furniture. For two weeks, I tried getting company officials to fix the problem or even return a phone call. Nothing. So I had little choice but to dispute the firm’s credit card fee with the bank, and I got it reversed.

Not surprisingly, the CEO of the company suddenly found the time to call me back. I explained the situation so that he would understand the importance of the chemicals his people used and that it was important to have his teams do what they say. He said that he would change policies as a result of the incident. “What will you change?” I asked. Yep, you guessed it: The company would no longer accept credit cards. (Hey, at least the guy was being honest. An honest lowlife is better than a lying lowlife, I guess.)

My fear is that a version of this scenario is going on at Facebook. Were the subsequent stern meetings at Facebook focusing on the fact that people need to trust Facebook, so considering using their data for any purpose is acceptable? Or did they focus on ways this policy change could have been made—or can still be made—even more quietly?

To accept Facebook’s version of events, we either have to believe that a terms of service change of this magnitude was implemented without the CEO’s knowledge or that the CEO didn’t anticipate that this particular change would alienate folk. Is it not more likely that the executives knew precisely what they were doing and made the legitimate assumption that of the very few people who would read the revised terms of service, none would pick up on the significance? (Oops! Web media to the rescue: In this case, the Consumerist.)

Interpretation Is In The Eye Of The Beholder

To interpret motivation and real intent, sometimes a look at history can be useful. Do you remember another Facebook privacy incident back in December 2007? In that case, Facebook tried sharing—without permission—customers’ purchases with people on their friends list.

“The program, called Beacon, informs Facebook users’ friends when purchases are made on certain online retail sites, including Amazon, Zappos, Travelocity and Fandango. In some cases, friends were informed exactly what item was purchased, ruining some holiday gift-giving plans,” said a RetailWire report at the time. Again, Facebook said “oops” and promised to hold off for the time being.

Is this a pattern? Is Facebook trying things, and if it’s caught and there’s a loud enough protest, the site pulls back? In short, is Facebook trying the permission versus forgiveness approach? Indeed, it seems to have tried both options. For a company that is trying to solidify a brand and build as much trust as possible, these tactical approaches seem odd.

But there’s a bigger issue in the perception vs. reality category. If you ask consumers whether they would make purchases at a retailer that suffered a huge data breach, they’ll say “No, of course not.” But in reality, as the financial reports of TJX and Hannaford made clear, consumers actually do the opposite of what they tell poll takers.

If you ask a consumer whether they want to give up permanent rights to their data, of course they’ll say “No way.” But if you don’t ask and suddenly start offering them the customized services that such data sharing enables, will the result be different?

Consumers historically have very little imagination about such things. Had you asked a 1990s consumer about whether they’d want to use a network of networks to make tons of purchases on their laptops, what do you think they would have said? Without having the vision to understand what the Web would be like, what would have been their natural reaction? What about the first meeting in Detroit when some engineer proposed the airbag? Can’t you envision some marketing exec saying, “Impressive. As soon as customers start asking for a giant balloon to pop out of their steering wheel during an accident, we’ll let you know.”

The problem with the Facebook plan as rolled out is that the site, in effect, talked about a giant balloon popping out and forgot to talk about a safety device that will save lives in major accidents. The way to make such a privacy change is to talk about the customization advantages that await consumers.

As a mostly free service, Facebook has the right to use content in a wide range of ways, as long as those options are not specifically forbidden in its privacy policy. Pledging that users could remove their content and instantly cause their license to terminate was an unfortunate move on Facebook’s part, back when that policy was likely its true intent. I hate to say it, but that’s what lawyers are for, to remind execs to keep their options open for the future.


3 Comments

  1. IT guy Says:

    If you are not in Computer Technology and/or Security for your occupation I don’t think that it’s that common knowledge that the TJ Max store you shop at is the one which was at the time the biggest security breach of stolen credit cards ever. I’ve never found a non-technology person that knows this. Being a news junkie I know they are not constantly talking about it like other news. The news does talk about security breaches but the name TJ Max is not used every time. Also I feel that most consumers that hear about TJ Max breach either ignore it or wipe the TJ Max part from their memory because they feel that every retail store is just as at risk and there’s no sense worrying about it because they still want to use their credit card to shop. On the other hand I’m in IT security and the one time I went in that store I couldn’t help but pay with cash.

  2. Evan Schuman Says:

    Editor’s Note: TJX happened to catch a marketing break with this case, which partially explains what you reference.
    Unlike most retail chains, none of TJX’s stores use the parent company’s name. Two get sort of close (T.J. Maxx and T.K. Maxx) but others (Marshall’s, HomeGoods, A.J. Wright, Winners, Stylesense, HomeSense) are quite far removed.
    If this had happened to Target or Wal-Mart, the argument could be made that the consumer awareness would have been higher. After all, even a dedicated news junkie who also happens to be a devoted Marshall’s shopper might be forgiven for not connecting news reports of a TJX breach with the store she shops at.
    I sincerely doubt that was even a small reason for the branding choices that TJX made, but it’s a nice benefit for them.

  3. Rob Martell Says:

    Undoubtedly correct, Mr. Schuman. I knew about Marshall’s, but not the rest. Since so many brand names have been bought by so few companies, it is a worry. Who would know what corporate parent really owns what!

