Information Overdose

Unwritten rules of privacy

One of the reasons I put my own website together was a kind of reaction to Facebook. I figured that if I was going to have all my "stuff" online collected in one place, I'd rather it was in my own place than someone else's, and I knew enough about website design to be able to do it myself.

There has been a lot of fuss about Facebook's privacy changes at the end of last year. Without going into all the details, they declared that they were making it easier for people to control their privacy and the way they shared things and were encouraging people to review their settings, but looking into what they were doing (rather than what they were saying) it was pretty clear that what it was really about was trying to get more people to make more of their "stuff" public.

One of the changes that was made is that users no longer have control over who can see their "friends" lists, and some other settings (if they hadn't already been set) would default to being public.

To me, this is breaking the unwritten rules, or the "social contract" that they have with their users. I'm sure that there's nothing illegal about the changes (after all, those lengthy terms and conditions that you click through without reading aren't there to protect the users). But it seems to me that there's an ethical violation that's taken place.

But does it really matter? If you haven't changed your privacy settings in the first place, then should you care if the default changes?

There was an interesting article on ReadWriteWeb that criticised the changes, comparing it to what would happen if Google made all their users' Gmail contacts and Google Reader subscriptions public. My first thought was something along the lines of "so what?" I'd thought about sharing my Reader subscriptions before (but it's too much of a mess to be useful to anyone, and too much effort to tidy up in a way that would make it useful), and I can't see the value in having someone else see my contacts lists. (Either the positive value that they would gain, or what I would potentially lose.) It didn't sound like a good idea, but neither did it sound like anything that would worry me.

But then China went and showed me the error of my thinking. Yesterday, Google announced a change in their thinking; apparently hackers had been trying to get access to some users' Gmail accounts and although apparently very little information had been accessed through security compromises at Google, some accounts had apparently been compromised through other methods, suspected to be malware or phishing attacks— apparently, due to security issues at the users' end, rather than Google's. (Incidentally, the same reason I worry about online banking; I'm happy that banks' websites etc. are secure, but even as a pretty tech-savvy user, I can't say that I have quite the same confidence in my own machines' security.)

It appears that the hackers were targeting Chinese human rights activists, in "a highly sophisticated and targeted attack on [Google's] corporate infrastructure", and that "at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted." Suddenly, the importance of something as trivial as a Facebook "friends list" seemed a lot clearer.

(In what might be a related move by Google, they have now enabled secure HTTPS as default for Gmail users, which I'm guessing would help to protect against some of the user-side attacks, or security breaches that might happen on the network. It's not an area I'm an expert in, but I have to say that I was surprised that this wasn't already a default.)

This story highlights the fact that privacy is something that it's very important for everyone to understand and protect. The fact that my own friends list isn't very interesting doesn't mean that everyone's is the same. If you consider the kind of things that have happened to Facebook users in Egypt or Iran, you should have some idea of why this kind of information could be very dangerous in the wrong hands.

Facebook's position seems to be that as more and more people are blogging, twittering, and generally sharing their information online (and through reality TV and so on), this is the direction that the world is going, and they are just following along with the wider social trend. Since then, Zuckerberg has come out and said that, if he could start Facebook all over again, he'd just make everything public. Which I can believe; if everything on Facebook were public, then Facebook would probably have all of Twitter's recent buzz. They would be able to make an absolute fortune from licensing their users' data to "buzz monitoring" agencies, or doing the analysis themselves and selling the insight that it would generate.

It would clearly be brilliant for their business. But I don't believe that, had Facebook done that from the start, they would have got to the position that they are in right now. (After all, why did people start using Facebook instead of MySpace?) I didn't think that it was a good thing for the users; now I believe that it's definitely a bad thing.

The bottom line is that I think it's very important for people to consider their attitudes to what they do online— not just what they share and who they share it with, but how they share it. Of course, this also touches on everything you do online— which might be recorded on your computer through cookies or Flash object tracking, or recorded on the network by systems like Phorm, or by other methods, such as those being used to identify people illegally downloading music and other content— something backed by our UK government in what sounds to me like a horribly misguided and ill-informed piece of legislation. (As a sidenote, I can't figure out if it's better or worse, when the governments of countries like China, Iran and Egypt show their contempt for citizens' privacy because of a completely different attitude towards freedom, ours seems to be doing it over some downloaded MP3s and a record industry that's struggling to deal with a new technology that's undoing all the good work that CDs did in getting people to buy their record collection all over again. But that's probably the subject of a different post.)

If you're happy to put something in public, then I say go ahead and put it in public— on a blog, on Twitter, on Facebook, or wherever you like. But if you're not so happy with the idea that it might be seen by anybody, then don't put it online and consider it to be "private."

Especially if the only thing protecting that privacy is a statement that includes anything like "We can change this Statement if we provide you notice (by posting the change on the Facebook Site Governance Page) and an opportunity to comment." Because unwritten rules aren't a good thing to rely on.
