
Some attitudes on Facebook privacy

As part of our commitment to privacy on the web, the Mozilla Identity team is hard at work on Mozilla Persona, an identity system for the web. You can learn more about Mozilla Persona at our website or see it in action on OpenPhoto.

The Identity team wanted to know more about regular users’ feelings about privacy. We chose Facebook as a proxy, since it has such wide adoption here in the United States. We interviewed 8 Facebook users about privacy on Facebook. While 8 users cannot stand in for everyone, we did find some interesting patterns.

Most of our participants liked what they perceived to be Facebook’s privacy policy. “…You can control who can and can’t see what you’re doing” (Participant 8). “…You can structure it in different ways. You can give out information to select people, or send it out to everyone.” (Participant 5). Only one user talked about sharing data with advertisers as a specific threat to privacy.

Participants also had low levels of awareness of and concern about what they were sharing when they logged into other sites with Facebook or played Facebook games. “Name. I’m guessing they can get my friends list. And anything on my personal profile I guess… which I need to double check to see what’s on there. It’s all hidden in a deep cave on Facebook” (Participant 2).

Some participants felt strongly that it was their job to police their own Facebook content: “I’ve told people: be careful what you’re putting on there… Think before you put it in there” (Participant 5).

For the most part, participants had not had their privacy violated by a site, and didn’t know anyone who had. Their biggest fears for privacy were around spam and popups.

All of our participants accessed Facebook on a computer shared with others. The good news is that most of them (6/8) knew that logging out of Facebook takes an explicit action. That is, you can’t just close the browser or tab that Facebook is on in order to log out. We will have to design specifically for the shared-computer use case for Mozilla Persona. How can we make the logout option explicit and easy to use?

A colleague will repeat this study a couple months from now in London. I am curious to learn whether Facebook user attitudes to privacy are similar in the UK.

3 comments on “Some attitudes on Facebook privacy”

  1. Lozzy wrote on

    “We will have to design specifically for the shared-computer use case for Mozilla Persona. How can we make the logout option explicit and easy to use?”

    Are you thinking perhaps in terms of alerting the user when they close the browser that they are still logged in? Or are there other strategies you have in mind to ensure shared computers don’t compromise security? I’m imagining having an interface element with the user’s name and possibly photo on would be another avenue to explore.

    1. Mary Trombley wrote on

      Great questions! Yes, we are exploring a variety of options for managing the shared-computer experience. I’ll ask the UX designer to drop by and answer your question more specifically, since I’m not sure of the details.

  2. cbeasley wrote on

    @Lozzy

    When identity is your whole product, you take each of these threats very seriously. We’ve been working for the past couple of months on a solution to the concern you brought up.

    There are two distinct sorts of shared computers:

    1. Shared – a computer you share with a trusted person
    2. Public – a computer you share with untrusted people (i.e. a library or internet cafe)

    For both of those, we detect that the user has never accessed Persona from this device and we tell the requesting site to issue the user a short session.

    The next time a user accesses from that same computer, we ask them “Is this your computer?” If they say yes, we keep them logged in on that device.

    We will be building a feature that will let you log out from all sites from that device. If a user loses a “remembered” device, they can change their password to invalidate future login attempts. The big bonus here is that you only have to change your password in that one spot instead of all over the web.
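
The device policy described in the last comment, sketched as an added example (not Persona's code and not part of the original comments). The class and method names, the opaque device identifier, the two session lengths and the per-user password counter used to invalidate remembered devices are all assumptions made for illustration.

```javascript
// Added illustration, not Persona's code. Names and durations are assumptions.
const SHORT_MS = 60 * 60 * 1000;           // assumed "short session": 1 hour
const LONG_MS = 30 * 24 * 60 * 60 * 1000;  // assumed remembered-device session: 30 days

class DeviceSessionPolicy {
  constructor() {
    this.devices = new Map(); // "user|device" -> { confirmed, pwGen }
    this.pwGen = new Map();   // user -> counter bumped on each password change
  }

  gen(user) { return this.pwGen.get(user) || 0; }

  issue(user, ms, now, ask) {
    return { user, expiresAt: now + ms, pwGen: this.gen(user), ask };
  }

  // Called after the user has authenticated from deviceId.
  login(user, deviceId, now) {
    const key = `${user}|${deviceId}`;
    let rec = this.devices.get(key);
    // A record made under an older password no longer counts as known.
    if (rec && rec.pwGen !== this.gen(user)) rec = undefined;
    if (!rec) {
      // Never seen: shared and public look the same, so keep the session short.
      this.devices.set(key, { confirmed: false, pwGen: this.gen(user) });
      return this.issue(user, SHORT_MS, now, false);
    }
    if (rec.confirmed) return this.issue(user, LONG_MS, now, false);
    // Seen before but unconfirmed: stay short and show "Is this your computer?"
    return this.issue(user, SHORT_MS, now, true);
  }

  // The user answered yes to the prompt on this device.
  confirmOwn(user, deviceId, now) {
    const rec = this.devices.get(`${user}|${deviceId}`);
    if (!rec || rec.pwGen !== this.gen(user)) return null; // nothing to confirm
    rec.confirmed = true;
    return this.issue(user, LONG_MS, now, false);
  }

  changePassword(user) { this.pwGen.set(user, this.gen(user) + 1); }

  // A session is honoured only if unexpired and issued under the current password.
  isValid(session, now) {
    return now < session.expiresAt && session.pwGen === this.gen(session.user);
  }
}
```

Because every session records the password counter it was issued under, a single password change both ends the long session on a lost device and makes that device start over as unknown.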