Privacy advocates' criticism of recent moves by Facebook and Google Buzz raises the question: Is privacy possible in a social network? And, if so, which social-network service does it best? To answer this question, this month I donned my privacy goggles and pored over the two social networks that my professional peers seem to use the most: Facebook and LinkedIn. I also asked all my Facebook friends and LinkedIn connections to tell me which they thought did privacy better. What did I find out?
Privacy certification: A draw
One way to easily determine whether a website takes privacy seriously is to check for a privacy seal. In North America, the two worthwhile options are Truste and WebTrust, while the German-based EuroPriSe seal is a nascent arrival in Europe. With all of these trust marks, a website generally pays a fee to have its privacy practices independently certified.
As it turns out, both Facebook and LinkedIn have earned the Truste EU Safe Harbour seal. This means they both officially made Truste their arbiter for consumer disputes over European privacy compliance.
Indeed, both companies have self-certified to the EU-US Safe Harbour agreement that the Department of Commerce administers and the Federal Trade Commission enforces. (You can find the Facebook certification here and the LinkedIn submission here.)
By taking this step, both companies have committed themselves to adhering to seven European privacy principles. Moreover, the privacy officers putting their names on the Safe Harbour submissions have personally attested, under penalty of the federal False Statements Act, that their submission is truthful. I've clicked that False Statements button before, and I can tell you it causes you to make sure a strong privacy programme is backing you up.
So far, the comparison on this point is a draw.
To their credit, both companies' privacy policies provide an above-average level of detail about the data they collect and how they use and disclose it. That said, they're both weak in three areas: data security, data access and email retention.
On security, neither policy provides any detail beyond the standard commitment to use SSL on payment pages and to use network firewalls. On data access, both fall short of offering to provide users a full account of the data stored and disclosed about them. On email retention, I've always wondered whether the messages I send via Facebook and the InMails I send via LinkedIn are retained indefinitely, but neither policy sheds light on this question. One Facebook friend of mine, a privacy attorney, has forsworn sending any messages via LinkedIn until a delete button is added, a feature that LinkedIn reports is being rolled out now.
For its part, the LinkedIn policy makes a bolder statement about third-party disclosure, stating: "We do not sell, rent, or otherwise provide your personal identifiable information to any third parties for marketing purposes." You can't get much better than that.
Facebook, meanwhile, makes a much clearer commitment to delete user information, stating: "You may deactivate your account on your account settings page or delete your account on this help page" and "Removed and deleted information may persist in backup copies for up to 90 days, but will not be available to others."
All in all, still a draw.