Recently there has been a lot of criticism of Facebook for changing its privacy policy again. While I have no problem with criticising a company for muddling through a policy/terms of service change without talking to its users, I do have an issue with people giving them all the blame for revealing private information.

I'm in the middle of listening to This Week in Tech episode 250 and the show's host, Leo Laporte, said the following:

"Facebook made a promise to me we will keep it private unless you say otherwise. You tell us who you want to share with. That was the promise and I feel it's like a friend that I went and I told something secret to and then he blabbed it and they said, oh my bad. So I go back and said, okay, I understand you made a mistake. He blabs it again."

and later:

"To be honest, I feel like this is a bad girlfriend who three times now has revealed stuff that I said this is secret and I am not going to give her a fourth chance. I just don't think it's right."

Since when was Facebook your friend, girlfriend or confidant? Why are you telling it information you want to keep private? Sure, it promised to not reveal any of it, but why did you expect it to keep its promises? If you stopped a stranger on the street and showed them a picture of you drunk or told them that you hated your boss, would you expect them to keep it private? What if they promised you? Would that make any difference?

This is not something solely related to Facebook. Every site on the net is the same to a greater or lesser extent. If you put private information on the internet then it's not private any more, no matter how many "guarantees" you're given. For your information to remain private you have to assume that, at the very least, all of the following are true:

  • The company that owns the website/social network/mail server/whatever is honest and wants to keep your information private.
  • The company will never be taken over by another company who will be less honest.
  • All of the employees of the company who have (now or in the future) access to your information will be honest (even if bribed or blackmailed).
  • The employees are so technically competent that they will never accidentally leak your information to anybody.
  • The technology used is so sophisticated that no-one can gain unauthorized access to your stuff.
  • The people running your ISP (or your employer) and the ISP of the company you're giving the information to all fulfill the same criteria as the company itself.

That's an awful lot of things to assume, and I don't think there's any person or company on the internet who could honestly make those guarantees, even if they really want to. No matter how small and trivial the online service, there are so many people involved in making it happen that some of them will be dishonest. Some of them will be incompetent. Some of them will be bribed or tricked into giving away your information. Some part of the system will have a security flaw that gets exploited. One way or another, the information you give to an online service will end up under the control of someone you don't trust sooner or later.

So how do we solve this problem? As far as I'm concerned, the only approach is to treat every internet service like you would a stranger. Sure, you might strike up a conversation with someone in a bar or at a conference or on a train, and sure, you might tell them personal information, but you're never going to tell them something you wouldn't tell absolutely any other person on the planet, right? Just don't put anything on the net that you're not willing to write on a piece of paper, sign and hand to a stranger. Yes, this restricts the usefulness of the web and, in particular, social networks, but remember:

The internet is not your friend, so don't tell it anything you want to keep private.