Q&A: Policy head says 'no reason to leave Facebook'

Facebook logo

Facebook has been under fire lately over the complexity of its privacy controls, with some 22,000 users joining a campaign to quit the site on 31 May.

Founder Mark Zuckerberg yesterday unveiled changes to privacy controls, in the hopes of easing users concerns. Some pundits have praised the move, others have said Facebook isn't doing enough to protect users.

We spoke to Richard Allan, Facebook's director of policy for Europe, to find out why the social networking behemoth made the privacy decisions it has - and whether they'll be enough to keep users from deserting the site.

There's been some feedback already in response to yesterday's announcement, suggesting the new controls don't do enough to protect users' privacy. Do you think the changes will be enough to regain users' trust?

The feedback we had from our users was that they thought the controls were too complex and they didn't feel confident about using them. We think with the changes we've made that we very much have achieved the goal of simplifying the controls and ensure that users to feel very much in control of their sharing on Facebook.

Zuckerberg said in his conference call yesterday that there hasn't been a very significant number of users deserting the site. Do you think campaigns like Monday's Quit Facebook Day are likely to encourage many to leave?

Facebook has continued to grow throughout this period of discussion around the privacy settings. We've moved pretty quickly to address the major concerns that were addressed to us.

Our users, for a large part, are pretty content with the service; there were some concerns expressed, and we have responded to those, so there is no reason for people to leave Facebook on the basis of concerns in this area.

In fact, if anything, I think that users should feel empowered as when they do express concerns with the company, we are able to listen.

In terms of any user who does leave the site, that is regrettable, but we think we have managed to respond to the concerns of the vast majority of users.

Security firm Sophos released a survey today, looking at the opt-in/opt-out question, saying a majority of people it spoke to would have preferred to have an opt-in system for sharing information. Could you walk us through the decision to default to opt-out instead of opt-in?

There are a variety of different options. What we have is a set of recommended settings. Those recommended settings are trying to achieve the right balance between people's wish to use a social service - and therefore dependent on a certain amount of sharing - and their wish to keep some things private.

So, for example, the recommended settings blend information which we absolutely recommend you keep just to your friends, like your contact information, some information which you want to share with a wider circle like your friends of friends, that's more sensitive information like your political or religious views and photos you're tagged in, and then information you may want to share with the entire community, and that may include things like comments on things that are of interest to you which you may want to share with other people who might find them interesting [too].

So we've recommended that blend of settings, which isn't as simple as opt-in/opt-out, but actually grading the controls according to the different pieces of information.

The other element I know people are interested in is when it comes to sharing information with third party applications. And there again, most of our users want to do that, so it doesn't make sense for that to generally be an opt-in question, because the normal thing is for our users to use applications, but we have given them a very clear opt-out for those who don't want to use them.

We've also changed the way applications ask users for permission, so that they now actually have to ask specifically for all the data items beyond the publicly available data.

So actually there's far more user control over sharing with applications, so when they install the application, they're opting in to sharing data beyond public data with that application.

Do you think that government or EU level regulation is needed around online privacy to keep all the companies level, whether it's Facebook or Google or whoever else? Or is the industry capable of managing itself?

There is an existing regulatory framework which we're very sensitive to and aware of... based on general principles about how to use data and how to be transparent with people and so on, which I think all of us in the sector support.

The question is, do you go beyond that and try and do detailed regulations for specific services or specific sectors? And I think that would be challenging given the pace of innovation in the sector and given the fact that actually users are adopting services quite willingly knowing how those services work.

I think it would be quite hard to come up with a regulatory framework that really would support that kind of sector, that kind of innovative sector.

So generally speaking, there's a baseline of regulation which we will work within, but beyond that we would hope that we are able to innovate freely as long as we maintain and support those general principles about being very open with users and ensuring that they have control over the things they do [using] our services.

What do you think of Facebook's take on privacy? Let us know at comments@itpro.co.uk.