More Isn't Necessarily Better When It Comes To Preferences
from the keep-it-simple-stupid dept
Facebook has unveiled a new set of privacy settings that have been getting some positive reviews in some quarters. While I'm always happy to see a company that's not afraid to experiment with new privacy protections, I think Facebook has some more work to do on this one.
One problem has been identified by Chris Soghoian: if you're in an academic network, you can theoretically limit access to your profile based on each viewer's academic status at your institution. So if you're an undergrad, you can set things up so that your friends can see those pictures of you doing body shots, but your professors and TAs can't. The problem is that, apparently, people's status is self-reported and can easily be changed. So a nosy grad student could temporarily switch his status to "undergrad" to get access to an undergraduate's photos. This seems like a problem.
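The flaw Soghoian describes is an access decision resting on an attribute the viewer controls. The sketch below is an added example, not code from the post or from Facebook: it puts the flawed check beside one that honors only a trusted attribute, plus a detection pass for status changes that unlock a view. The `verified_status` field, its trusted source, the event tuple layout and the one-hour window are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    name: str
    claimed_status: str             # self-reported; the user can edit it at any time
    verified_status: Optional[str]  # assumption: set only by a trusted source (e.g. a registrar feed)

def can_view_claimed(viewer, allowed):
    # Flawed check: the policy decision rests on a field the viewer controls.
    return viewer.claimed_status in allowed

def can_view_verified(viewer, allowed):
    # Hardened check: only the trusted attribute counts; unverified users are denied.
    return viewer.verified_status is not None and viewer.verified_status in allowed

def flag_status_flips(events, window=3600):
    """Flag viewers whose access was only possible because of a status
    change made within `window` seconds before the view."""
    last_change = {}  # user -> (time of change, status before the change)
    flagged = []
    for t, kind, user, detail in sorted(events, key=lambda e: e[0]):
        if kind == "status_change":
            last_change[user] = (t, detail)   # detail = previous status
        elif kind == "view" and user in last_change:
            changed_at, old_status = last_change[user]
            # detail = set of statuses the content owner permitted
            if (t - changed_at <= window and old_status not in detail
                    and user not in flagged):
                flagged.append(user)
    return flagged

# Constructed sample data (not from the post).
ALLOWED = {"undergrad"}
EVENTS = [
    (1000, "status_change", "bob", "grad"),        # bob switches grad -> undergrad
    (1060, "view", "bob", ALLOWED),                # view unlocked by the switch
    (1200, "view", "carol", ALLOWED),              # carol never changed status
    (5000, "status_change", "dave", "undergrad"),  # dave was already permitted
    (5030, "view", "dave", ALLOWED),
]
```
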
The more fundamental flaw, I think, is that there are now way too many options. The exact options I see on my Facebook account are different from the ones Chris sees, presumably because he's a student and I'm not. But on my version of the preferences, there are a dozen categories of information, each of which has 6 to 8 different options. For example, there are separate privacy settings for "profile," "basic info," and "personal info." Do you have any idea what is in each of those categories? I don't. And then you have to decide whether each category will be available to "Only Me," "Some Friends," "All Friends," and "Friends of Friends." And you have to decide which of your "networks" will be able to see that information. And you can provide a list of people to exclude.
This is a bewildering array of options, and it's likely to retard the usefulness of Facebook's privacy features. When it comes to user preferences, a handful of carefully chosen options is better than allowing users to adjust every conceivable setting. A well-designed user interface should economize on the user's valuable time and attention by giving him a reasonable number of options that encompass the most likely use cases. If you give users a huge number of options, most of them will give up in frustration, leaving them in a much worse position, privacy-wise, than if you'd given them a smaller menu of easy-to-understand options to choose from.
Filed Under: complexity, preferences, simplicity
Companies: facebook
Reader Comments
Why soo difficult
[ link to this | view in chronology ]
Myspace was bad for one reason
Either way, I still don't have a page on either. Well, not a serious one. And not one with my name or professional email on it.
[ link to this | view in chronology ]
isn't creating confusion in facebook's interest? if it becomes too complicated, then people will simply stop caring and just go with the flow (eg. making more information available). this lets facebook make more ad money and capitalize on that social network "snooping on acquaintances" value.
Of course, this assumes that there's a trade-off between a desire for privacy and the hassle of actually getting it, versus the real threat of having the information out there. at some point it's too much of a hassle to care anymore. if i set my privacy settings wrong, i have no idea what other people see until it bites me. if i wear a tinfoil hat i'll probably double check things, but what, i'll probably have to register a second facebook account to check unless i rely on friends to tell me. most people won't and won't notice they'll be sharing more than they thought. And, to boot, all in the name of more power for the user!
creating confusion is the only way they can get beacon (or whatever their ad plan is) to work without pissing people off.
i think the problem is that no one knows what these categories mean. right, what is the difference between basic and personal info? this is lawyer crap, where you throw an innocuous term in a contract, one that everyone generally understands to mean one thing, and then only once you reach the definition of that term later on do you realize that term has a substantially different meaning in the contract. sneaky lawyer crap.
[ link to this | view in chronology ]
great idea, why did i have to think of it?
more than one password allowed. what i mean is this, an admin account with full access and one or more user accounts with access limited by the admin account.
why? a few reasons,
1. a business using the site could give employees a user account to do whatever they like but NOT change the password or delete the entire page. this way when they got pissed off or left they couldn't screw things up for their old company.
2. an individual could give friends access to their account so they could load pics and such but they couldn't screw up the entire thing too badly as your admin password would supersede their user account and you could go in and lock them out without having to worry about your stuff.
3. (and this is the biggest reason) phishing. if you set up an admin account with full access and then give yourself a user account with access MINUS password change or deleting capabilities you could use the site without worrying about getting phished. just use the "user" account whenever you log in and if a few days later you notice your page has been phished just log in using the "admin" account and change the "user" password and the phishing site is now locked out again! EASY!!!!
so why don't facebook, myspace, etc. do this?
[ link to this | view in chronology ]