When Private Information Isn't

Personal information is the fuel that powers Facebook, Twitter, Myspace, and the other social networks, attracting users and advertisers alike. But privacy activists and regulators are taking a close look at the way all that information is collected, used, and protected, and this scrutiny could result in strict rules for network operators.

These watchdogs are finding that operators have repeatedly left personal information and subscriber data vulnerable, leading to highly visible privacy snafus that exposed users to the risk of embarrassment, identity theft, or even stalking. In February of last year, for example, Google launched its social-networking service Buzz with default settings that revealed whom users were e-mailing frequently. (Google was forced to make a settlement with the U.S. Federal Trade Commission, requiring it to submit to independent privacy audits for the next 20 years.) Then, in June, a hacker exploited a bug to capture the names and profile photos of approximately 70 percent of Foursquare users in the San Francisco area over a three-week period, regardless of privacy settings. Similar problems and allegations have plagued other social-media websites.

State and federal legislation has been proposed to address these issues. A bill in Congress would greatly expand the FTC’s ability to regulate online privacy, defining e-mail addresses and precise geographical locations as personally identifiable information that must be adequately protected and compelling companies to get permission before they can collect medical and religious data.

Complying with these regulations could require social networks to make costly changes to their infrastructure. In addition, operators would be exposed to greater legal risk if they were caught collecting restricted data, whether accidentally or otherwise.

Not surprisingly, many social-network operators claim that they are complying with existing law and that more regulation is unwarranted, even counterproductive. They contend, for example, that users who face a slew of detailed questions about how they want access to their information controlled before they even start using a service may become confused and make poor privacy choices. Nevertheless, it seems likely that the freewheeling approach of the industry’s early days will be curtailed in some fashion before too long.