Wanting privacy is not about needing something to hide. It’s about wanting to maintain control. Often, privacy isn't about hiding; it's about creating space to open up. If you remember that privacy is about maintaining a sense of control, you can understand why Privacy is Not Dead. There are good reasons to engage in public; there always have been. But wanting to be in public doesn’t mean wanting to lose control.
- danah boyd, "Making Sense of Privacy and Publicity," SXSW, Austin, Texas, March 13, 2010.
In the past six months we’ve seen some interesting happenings in the privacy world. Facebook announced and implemented a sweeping set of privacy changes and continues to evolve their privacy model. Google released Google Buzz, introducing social networking features to tens of millions of Gmail users, and started an interesting privacy debate in the process. Millions of people have started to broadcast their real time location information via services such as Foursquare, Gowalla, Yelp, and Twitter. The intersection of your online activities and your private life has never been so easy to screw up.
In the Sharing 2.0 post by Windows Live Messenger Group Program Manager Piero Sierra, he highlights the explosive growth of sharing that is currently happening online. Chances are that you've shared something in the last few days: a photo, a status update, a blog post, or your location.
When you share something online, you usually have a general idea who has access to it based on 1) the service you're using (Twitter, Facebook, Flickr), 2) the privacy settings or defaults of the service, and 3) the list of friends to whom you have granted access.
Some services are generally public (Twitter, Flickr) but also have modes where you can be private. Some services started off as private (Facebook) and have evolved into a more hybrid model where your privacy settings and your list of friends are combined in such a way as to grant some people access to some data, while also allowing everyone access to some data (or all your data).
Most people don’t think about privacy either when they sign up for a new service or when that service changes its default settings. Instead, they think about what that service lets them do. In Windows Live, we have a variety of scenarios that let users do powerful things, with an emphasis on sharing and doing those things with your friends and family. This includes sharing photos, documents, status updates, blog posts, and instant messages.
Privacy controls get much more complex when you start mixing several kinds of things you can share with a wide variety of people that you might be sharing them with. This can result in angst, confusion and, in some cases, disaster, when you discover that something you thought was private, or intended to be private, was actually public and broadcast to people who you did not intend to have access to that data.
For example, when I send an instant message to someone, I generally believe that the only person who is seeing that message is the recipient. The same is true with email, except that I know that anyone can forward an email to anyone, but that’s an acceptable risk, given that I generally use good judgment when sending sensitive information via email or IM. What about photos of my child? I can email them; or post them to SkyDrive, Flickr, Facebook, SmugMug, or a dozen other services. Each service lets me specify who can see my photos when I upload them, but I want this to be simple, and at the same time ensure that the right people have access to my photos, and the wrong people don’t know they exist. What happens when the decisions I make when uploading a photo are later impacted by a change in the privacy settings on a service? Informing you about any changes to your settings, and presenting a set of coherent settings that you can understand is central to maintaining control over your data and your memories.
Furthermore, for services that allow you to become “friends” and automatically give your friends access to your information, the importance of having control along with clear and understandable settings is even more critical.
As such, we have spent many years thinking about and evolving our privacy model in Windows Live. Instant messaging products pioneered the concept of online friends, where you and I can agree to see each other’s online presence and status, allowing us to chat. In the past few years, this model has expanded to include seeing all the other content I share on that service.
According to a Webroot 2009 survey, most users (78%) reported concerns about the privacy of their social network profiles, but when asked about specific behaviors, it was apparent that concern didn't translate into action. In fact, it didn't even seem to translate into a basic understanding of how to use the privacy tools already in place on social networks today.
Today Windows Live offers an array of privacy controls, but it lacks a simple, easy-to-use interface for managing your settings. This is an area we're looking at very closely, and where we believe that getting it right is important.
As we think about the privacy of the community we serve, we believe in the following things:
People don’t want all their data to be public. They want easy ways to share their memories and keep in touch with friends and family. For example, you may want to upload photos and send a link to those photos for your friends and family to view (also allowing them to forward that link to additional family members you might not have contact info for). But you also expect that the service won't advertise the fact that your photos are “in the cloud” (keeping the photos away from search engines, for example). It's also important to be able to lock down certain sets of photos so that only a specific set of authorized users have access (via username and password). People want to do both, while still maintaining an online presence on social networks and IM services so that their friends and family can find and keep in touch with them. Maintaining the balance of all these things requires a system that is both simple to understand and not overcomplicated by dozens of separate privacy settings. This means some data is public and some data is private.
Different people have different tolerances for how openly they share. There is plenty of evidence here, most notably how popular Twitter and Facebook are, given that they each started off with entirely different privacy models (Public vs Private). This is especially true when you examine cultural and social differences between users across the globe.
People have different privacy needs for different kinds of content. Not all content is the same. Most people would agree that if you were to evaluate all kinds of content that can be shared today, there are clear differences in how you might think about, say, an Excel document with your financial info compared to photos of your vacation, or profile info about the schools you attended, your place of work, address, phone number, etc. So, while we can see many examples of super public users versus super private users, everyone wants simple sharing choices and defaults that cater to some things being more private by nature.
A one-size-fits-all model for privacy is untenable for everyone. You say tomato, I say tomato; people are different, want different things, and giving everyone the same setting is not going to make everyone happy and comfortable sharing online. The power of default settings with a worldwide audience of hundreds of millions of users has a significant impact on the data that is shared. For example, when Facebook prompted users to select a new privacy default of “Everyone” for some of their settings, like status updates, 35% of users selected an option other than Everyone. That means that 2/3 of users left the default option and accepted a change that impacts the access of their data from less visible to most visible. (Sarah Perez, 2010. “Facebook Brags: 35% Adjusted their Privacy Settings.” ReadWriteWeb)
Accidentally sharing something private can be disastrous. The email you sent to your sister with your last will and testament is not meant to be seen by anyone but your sister. Even though she could forward it to everyone she knows and post it on the Internet, the likelihood that she will do so is low (well, I don't know your sister, but probably not).
Not all friends are the same. How many times have you stared at a friend request without knowing what to do? What happens if I say yes? I don’t want to be rude and say no, they’ll know! It could be awkward when I see my co-worker tomorrow and I’ve declined their friend request. If I say yes, they might be offended by something I say, or they might have access to photos I don’t want them to see.
These are all things people think of when contemplating what to do. The net effect over time of accepting people as online friends that you really aren’t sure about is that it may change the way you behave in the context of the service. People need and want a way to accept friend requests from both people they are close to, and acquaintances, while ensuring that the information that they previously shared or will share in the future is shared only with the appropriate subset of their friends.
As the amount of information we share and our connectedness to people increases, the importance of privacy controls that are understandable, personalized, easy, and flexible has grown. For the next release of Windows Live, we've been working hard to meet this challenge and create an online environment where you can feel secure about sharing, and know that your personal expectations for privacy are respected.
- Omar Shahine
PS – if you’re interested in some of the privacy challenges around the corner, the New York Times ran a great piece, “How Privacy Vanishes Online,” that I would recommend adding to your reading list.
(Omar is a Lead Program Manager on the Windows Live Social Networking team, and thinks about privacy a lot).
@anonymous - thanks for the feedback. As Omar mentions above, we agree that this current UX is too complex, and it's something we're looking at closely and intend to improve.
Yeah, I do appreciate your efforts, great post, but let me say 1 thing: this is too long a post, you should follow the KISS approach :P
Great post my friend.... but should have been fed to all WL subscribers to read. My sentiments exactly are stated, security for the masses in WL and all social networking forums are either overlooked or misunderstood.
* Seems feeds to WL home page for the team blog have been stuck showing the same post since 2/4/10 when Chris Jones posted engineering item. We have sent feedback numerous times of course to no avail!
As far as Windows Live and privacy settings are concerned, I appreciate the fine-grained control offered by various permissions for the different Live services but the UI of that page needs to be critically improved. Why should I have to press a "Permissions" link 20 times to set privacy options (img256.imageshack.us/.../windowslivepermissions.png)? Please bring these together on a single scrollable page.