Widening exposure of member information 2011–12
In 2010, the
Electronic Frontier Foundation identified two personal information aggregation techniques called "connections" and "instant personalization". They demonstrated that anyone could get access to information saved to a Facebook profile, even if the information was not intended to be made public.
 A "connection" is created when a user clicks a "Like" button for a product or service, either on Facebook itself or an external site. Facebook treats such relationships as public information, and the user's identity may be displayed on the Facebook page of the product or service.
Instant Personalization was a pilot program which shared Facebook account information with affiliated sites, such as sharing a user's list of "liked" bands with a music website, so that when the user visits the site, their preferred music plays automatically. The EFF noted that "For users that have not opted out, Instant Personalization is instant data leakage. As soon as you visit the sites in the pilot program (Yelp, Pandora, and Microsoft Docs) the sites can access your name, your picture, your gender, your current location, your list of friends, all the Pages you have Liked—everything Facebook classifies as public information. Even if you opt out of Instant Personalization, there's still data leakage if your friends use Instant Personalization websites—their activities can give away information about you, unless you block those applications individually."
On December 27, 2012,
CBS News reported that
Randi Zuckerberg, sister of Facebook founder Mark Zuckerberg, criticized a friend for being "way uncool" in sharing a private Facebook photo of her on Twitter, only to be told that the image had appeared on a friend-of-a-friend's Facebook news feed. Commenting on this misunderstanding of Facebook's privacy settings,
Eva Galperin of the EFF said "Even Randi Zuckerberg can get it wrong. That's an illustration of how confusing they can be."
Issues during 2007
In August 2007, the code used to generate Facebook's home and search page as visitors browse the site was accidentally made public.
 A configuration problem on a Facebook server caused the
PHP code to be displayed instead of the web page the code should have created, raising concerns about how secure private data on the site was. A visitor to the site copied, published and later removed the code from his web forum, claiming he had been served and threatened with legal notice by Facebook.
 Facebook's response was quoted by the site that broke the story:
||A small fraction of the code that displays Facebook web pages was exposed to a small number of users due to a single misconfigured web server that was fixed immediately. It was not a security breach and did not compromise user data in any way. Because the code that was released powers only Facebook user interface, it offers no useful insight into the inner workings of Facebook. The reprinting of this code violates several laws and we ask that people not distribute it further.
In November, Facebook launched
Beacon, a system (discontinued in September 2009)
 where third-party websites could include a script by Facebook on their sites, and use it to send information about the actions of Facebook users on their site to Facebook, prompting serious privacy concerns. Information such as purchases made and games played were published in the user's news feed. An informative notice about this action appeared on the third party site and gave the user the opportunity to cancel it, and the user could also cancel it on Facebook. Originally if no action was taken, the information was automatically published. On November 29 this was changed to require confirmation from the user before publishing each story gathered by Beacon.
On December 1, Facebook's credibility in regard to the Beacon program was further tested when it was reported that the
New York Times "essentially accuses" Mark Zuckerberg of lying to the paper and leaving
Coca-Cola, which is reversing course on the program, a similar impression.
 A security engineer at
CA, Inc. also claimed in a November 29, 2007, blog post that Facebook collected data from affiliate sites even when the consumer opted out and even when not logged into the Facebook site.
 On November 30, 2007, the CA security blog posted a Facebook clarification statement addressing the use of data collected in the Beacon program:
||When a Facebook user takes a Beacon-enabled action on a participating site, information is sent to Facebook in order for Facebook to operate Beacon technologically. If a Facebook user clicks 'No, thanks' on the partner site notification, Facebook does not use the data and deletes it from its servers. Separately, before Facebook can determine whether the user is logged in, some data may be transferred from the participating site to Facebook. In those cases, Facebook does not associate the information with any individual user account, and deletes the data as well.
The Beacon service ended in September 2009 along with the settlement of a class-action lawsuit against Facebook resulting from the service.
News Feed and Mini-Feed
On September 5, 2006, Facebook introduced two new features called "
News Feed" and "Mini-Feed". The first of the new features, News Feed, appears on every Facebook member's
home page, displaying recent Facebook activities of the member's friends. The second feature, Mini-Feed, keeps a log of similar events on each member's profile page.
 Members can manually delete items from their Mini-Feeds if they wish to do so, and through privacy settings can control what is actually published in their respective Mini-Feeds.
Some Facebook members still feel that the ability to
opt out of the entire News Feed and Mini-Feed system is necessary, as evidenced by a statement from the Students Against Facebook News Feed group, which peaked at over 740,000 members in 2006.
 Reacting to users' concerns, Facebook developed new privacy features to give users some control over information about them that was broadcast by the News Feed.
 According to subsequent news articles, members have widely regarded the additional privacy options as an acceptable compromise.
In May 2010, Facebook added privacy controls and streamlined its privacy settings, giving users more ways to manage status updates and other information that is broadcast to the public News Feed.
 Among the new privacy settings is the ability to control who sees each new status update a user posts: Everyone, Friends of Friends, or Friends Only. Users can now hide each status update from specific people as well.
 However, a user who presses "like" or comments on the photo or status update of a friend cannot prevent that action from appearing in the news feeds of all the user's friends, even non-mutual ones. The "View As" option, used to show a user how privacy controls filter out what a specific given friend can see, only displays the user's timeline and gives no indication that items missing from the timeline may still be showing up in the friend's own news feed.
Cooperation with government requests
Government and local authorities rely on Facebook and other social networks to investigate crimes and obtain evidence to help establish a crime, provide location information, establish motives, prove and disprove alibis, and reveal communications.
 Federal, state, and local investigations have not been restricted to profiles that are publicly available or willingly provided to the government; Facebook has willingly provided information in response to government
subpoenas or requests, except with regard to private, unopened inbox messages less than 181 days old, which would require a
warrant and a finding of
probable cause under federal law under
Electronic Communications Privacy Act (ECPA). One 2011 article noted that "even when the government lacks reasonable suspicion of criminal activity and the user opts for the strictest privacy controls, Facebook users still cannot expect federal law to stop their 'private' content and communications from being used against them".
 Since the
U.S. Congress has failed to meaningfully amend the
ECPA to protect most communications on social-networking sites such as Facebook, and since the
U.S. Supreme Court has largely refused to recognize a
2013 mass surveillance disclosures identified Facebook as a participant in the U.S.
National Security Administration's
PRISM program. Facebook now reports the number of requests it receives for user information from governments around the world.
Complaint from CIPPIC
On May 31, 2008 the
Canadian Internet Policy and Public Interest Clinic (CIPPIC), per Director Phillipa Lawson, filed a 35-page complaint with the Office of the Privacy Commissioner against Facebook based on 22 breaches of the Canadian
Personal Information Protection and Electronic Documents Act (PIPEDA).
University of Ottawa law students Lisa Feinberg,
Harley Finkelstein, and Jordan Eric Plener, initiated the "minefield of privacy invasion" suit. Facebook's
Chris Kelly contradicted the claims, saying that: "We've reviewed the complaint and found it has serious factual errors—most notably its neglect of the fact that almost all Facebook data is willingly shared by users."
 Assistant Privacy Commissioner Elizabeth Denham released a report of her findings on July 16, 2009.
 In it, she found that several of CIPPIC's complaints were well-founded. Facebook agreed to comply with some, but not all, of her recommendations.
 The Assistant Commissioner found that Facebook did not do enough to ensure users granted meaningful consent for the disclosure of personal information to third parties and did not place adequate safeguards to ensure unauthorized access by third party developers to personal information.
There have been some concerns expressed regarding the use of Facebook as a means of surveillance and
Massachusetts Institute of Technology (MIT) students were able to use an automated script to download the publicly posted information of over 70,000 Facebook profiles from four schools (MIT,
University of Oklahoma, and
Harvard University) as part of a research project on Facebook privacy published on December 14, 2005.
 Since then, Facebook has bolstered security protection for users, responding: "We've built numerous defenses to combat phishing and malware, including complex automated systems that work behind the scenes to detect and flag Facebook accounts that are likely to be compromised (based on anomalous activity like lots of messages sent in a short period of time, or messages with links that are known to be bad)."
A second clause that brought criticism from some users allowed Facebook the right to sell users' data to private companies, stating "We may share your information with third parties, including responsible companies with which we have a relationship." This concern was addressed by spokesman Chris Hughes, who said "Simply put, we have never provided our users' information to third party companies, nor do we intend to."
In the United Kingdom, the
Trades Union Congress (TUC) has encouraged employers to allow their staff to access Facebook and other social-networking sites from work, provided they proceed with caution.
In September 2007, Facebook drew criticism after it began allowing search engines to index profile pages, though Facebook's privacy settings allow users to turn this off.
Concerns were also raised on the
BBC's Watchdog program in October 2007 when Facebook was shown to be an easy way in which to collect an individual's personal information in order to facilitate identity theft.
 However, there is barely any personal information presented to non-friends - if users leave the privacy controls on their default settings, the only personal information visible to a non-friend is the user's name, gender, profile picture, networks, and user name.
New York Times article in February 2008 pointed out that Facebook does not actually provide a mechanism for users to close their accounts, and raised the concern that private user data would remain indefinitely on Facebook's servers.
 As of 2013 , Facebook gives users the options to deactivate or delete their accounts. Deactivating an account allows it to be restored later, while deleting it will remove the account "permanently", although some data submitted by that account ("like posting to a group or sending someone a message") will remain.
Inability to voluntarily terminate accounts
Facebook had allowed users to deactivate their accounts but not actually remove account content from its servers. A Facebook representative explained to a student from the
University of British Columbia that users had to clear their own accounts by manually deleting all of the content including wall posts, friends, and groups. A New York Times article noted the issue, and raised a concern that emails and other private user data remain indefinitely on Facebook's servers.
A notable ancillary effect of social-networking websites, is the ability for participants to mourn publicly for a deceased individual. On Facebook, friends often leave messages of sadness, grief, or hope on the individual's page, transforming it into a public book of condolences. This particular phenomenon has been documented at a number of schools.
 Facebook originally held a policy that profiles of people known to be deceased would be removed after 30 days due to privacy concerns.
 Due to user response, Facebook changed its policy to place deceased members' profiles in a "memorialization state".
Some of these memorial groups have also caused legal issues. Notably, on January 1, 2008, one such memorial group posted the identity of murdered
Stefanie Rengel, whose family had not yet given the
Toronto Police Service their consent to release her name to the media, and the identities of her accused killers, in defiance of
Youth Criminal Justice Act which prohibits publishing the names of the under-age accused.
 While police and Facebook staff attempted to comply with the privacy regulations by deleting such posts, they noted difficulty in effectively policing the individual users who repeatedly republished the deleted information.
Customization and security
In July 2007, Adrienne Felt, an undergraduate student at the University of Virginia, discovered a
Quit Facebook Day
Quit Facebook Day was an
online event which took place on May 31, 2010 (coinciding with
Memorial Day), in which
Facebook users stated that they would quit the
social network, due to privacy concerns.
 It was estimated that 2% of Facebook users coming from the
United States would delete their accounts.
 However, only 33,000 (roughly 0.0066% of its roughly 500 million members at the time) users quit the site.
 The number one reason for users to quit Facebook was privacy concerns (48%), being followed by a general dissatisfaction with Facebook (14%), negative aspects regarding Facebook friends (13%) and the feeling of getting addicted to Facebook (6%). Facebook quitters were found to be more concerned about privacy, more addicted to the Internet and more conscientious.
Photo recognition and face tagging
Facebook enabled an automatic
facial recognition feature in June 2011, called "Tag Suggestions", a product of a research project named "
 The feature compares newly uploaded photographs to those of the uploader's Facebook friends, in order to suggest photo tags.
National Journal Daily claims "Facebook is facing new scrutiny over its decision to automatically turn on a new facial recognition feature aimed at helping users identify their friends in photos".
 Facebook has defended the feature, saying users can disable it.
 Facebook introduced the feature in an
 European Union data-protection regulators said they would investigate the feature to see if it violated privacy rules.
 Naomi Lachance stated in web blog for NPR:All Tech Considered that Facebook's facial recognition is 98% of the time compared to the FBI's 85% out of 50 people. It's also noted, however, that the accuracies of Facebook searches being from a larger, more diverse photo selection compared to the FBI's closed database.
 Mark Zuckerberg showed no worries when speaking about Facebook's AIs saying, "Unsupervised learning is a long term focus of our AI research team at Facebook, and it remains an important challenge for the whole AI research community" and "It will saves lives by diagnosing diseases and driving us around more safely. It will enable breakthroughs by helping us find new planets and understand Earth's climate. It will help in areas we haven't even thought of today".
Investigation by the Irish Data Protection Commissioner 2011/2012
In August 2011, the Irish Data Protection Commissioner (DPC) started an investigation after receiving 22 complaints by europe-v-facebook.org, which was founded by a group of Austrian students.
 The DPC stated in first reactions that the Irish DPC is legally responsible for privacy on Facebook for all users within the
 and that he will "investigate the complaints using his full legal powers if necessary".
 The complaints were filed in Ireland because all users who are not residents of the United States or Canada have a contract with "Facebook Ireland Ltd", located in
Ireland. Under European law Facebook Ireland is the "data controller" for facebook.com, and therefore, facebook.com is governed by European data protection laws.
 Facebook Ireland Ltd. was established by Facebook Inc. to avoid US taxes (see
Double Irish arrangement).
The group 'europe-v-facebook.org' made access requests at Facebook Ireland and received up to 1,222 pages of data per person in 57 data categories that Facebook was holding about them,
 including data that was previously removed by the users.
 Despite the amount of information given, the group claimed that Facebook did not give them all of its data. Some of the information not included was "likes", data about the new face recognition function, data about third party websites that use "social plugins" visited by users and information about uploaded videos. Currently the group claims that Facebook holds at least 84 data categories about every user.
The first 16 complaints target different problems, from undeleted old "pokes" all the way to the question if sharing and new functions on Facebook should be opt-in or opt-out.
 The second wave of 6 more complaints was targeting more issues including one against the "Like" button.
In an interview with the
Irish Independent a spokesperson said that the DPC will "go and audit Facebook, go into the premises and go through in great detail every aspect of security". He continued by saying: "It's a very significant, detailed and intense undertaking that will stretch over four or five days." In December 2011 the DPC has published a first report on Facebook. This report was not legally binding but suggested changes that Facebook should undertake until July 2012. The DPC is planning to do a review about Facebook's progress in July 2012.
Tracking of non-members of Facebook
An article published by
USA Today in November 2011 claimed that Facebook creates logs of pages visited both by its members and by non-members. Relying on
tracking cookies to keep track of pages visited, the
United States Congress and the
World Wide Web Consortium are attempting to set new guidelines to deal with Internet privacy concerns, potentially giving users the ability to limit or stop technology companies from tracking their activities.
In early November 2015, Facebook was ordered by the Belgian Privacy Commissioner to cease tracking non-users, citing European laws, or else risk fines of up to £250,000 per day.
 As a result, instead of removing tracking cookies, Facebook prevents non-users from seeing any material on Facebook, including publicly posted content. Arguing that the cookies provided better security, Facebook said in a statement: "We're disappointed we were unable to reach an agreement and now people will be required to log in or register for an account to see publicly available content on Facebook."
Social networks, like Facebook, can have a detrimental effect on marriages, with users becoming worried about their spouse's contacts and relations with other people online, leading to marital breakdown and divorce.
 According to a 2009 survey in the UK, around 20 percent of divorce petitions included some kind of reference to Facebook.
 Facebook has given us a new platform for interpersonal communication. Researchers proposed that high levels of Facebook use could result in Facebook-related conflict and breakup/divorce.
 Previous studies have shown that romantic relationships can be damaged by excessive internet use, Facebook jealousy, partner surveillance, ambiguous information, and online portrayal of intimate relationships.
 Excessive internet users reported having greater conflict in their relationships. Their partners feel neglected and there's lower commitment, lower feelings of passion and intimacy in the relationship. According to the article, researchers suspect that Facebook may attribute to an increase in divorce and infidelity rates in the near future due to the amount of accessibility to connect with past partners.
By statistics, 63% of Facebook profiles are automatically set "visible to the public" meaning anyone can access the profiles that users have updated. Facebook also has its own built in messaging system that people can send message to any other user, unless they have disabled the feature to "from friends only". Stalking is not only limited to
SNS stalking, but can lead to further 'in person' stalking, because nearly 25% of real life stalking victims reported it started with online instant messaging (e.g. Facebook chat).
The notion that people are very much aware that they are being surveiled on websites, like Facebook, and use the surveillance as an opportunity to portray themselves in a way that connotes a certain lifestyle—of which, that individual may, or may not, distort how they are perceived in reality.
Application privacy breach
The Wall Street Journal found that many of Facebook's top-rated apps were transmitting identifying information to "dozens of advertising and Internet tracking companies". The apps used an
HTTP referer that exposed the user's identity and sometimes their friends' identities. Facebook said that "While knowledge of user ID does not permit access to anyone’s private information on Facebook, we plan to introduce new technical systems that will dramatically limit the sharing of User ID’s". A blog post by a member of Facebook's team further stated that "press reports have exaggerated the implications of sharing a user ID", though still acknowledging that some of the apps were passing the ID in a manner that violated Facebook's policies.
Employer-employee privacy issues
In an effort to surveil the personal lives of current, or prospective employees, some employers have asked employees to disclose their Facebook log-in information. This has resulted in the passing of a bill in New Jersey making it illegal for employers to ask potential or current employees for access to their Facebook accounts.
 Although, the U.S government has yet to pass a national law protecting prospective employees and their social networking sites, from employers, the fourth amendment of the US constitution can protect prospective employees in specific situations.
 Lots of companies look at Facebook profiles of job candidates looking for reasons to not hire them. According to a survey of hiring managers by CareerBuilder.com, the most common deal breakers they found on Facebook profiles include references to drinking, poor communication skills, inappropriate photos, and lying about skills and/or qualifications.
Users violating minimum age requirements
A 2011 study in the online journal
First Monday, examines how parents consistently enable children as young as 10 years old to sign up for accounts, directly violating Facebook's policy banning young visitors. This policy is in compliance with a United States law, the 1998
Children's Online Privacy Protection Act, which requires minors aged 13 or younger to gain explicit parental consent to access commercial websites. In other jurisdictions where a similar law sets a lower minimum age, Facebook enforces the lower age. Of the 1,007 households surveyed for the study, 76% of parents reported that their child joined Facebook at an age younger than 13, the minimum age in the site's terms of service. The study also reported that Facebook removes roughly 20,000 users each day for violating its minimum age policy. The study's authors also note, "Indeed, Facebook takes various measures both to restrict access to children and delete their accounts if they join." The findings of the study raise questions primarily about the shortcomings of United States federal law, but also implicitly continue to raise questions about whether or not Facebook does enough to publicize its terms of service with respect to minors. Only 53% of parents said they were aware that Facebook has a minimum signup age; 35% of these parents believe that the minimum age is merely a recommendation, or thought the signup age was 16 or 18, and not 13.
Student privacy concerns
Students who post illegal or otherwise inappropriate material have faced disciplinary action from their universities, colleges, and schools including expulsion.
 Others posting libelous content relating to faculty have also faced disciplinary action.
 The Journal of Education for Business states that "a recent study of 200 Facebook profiles found that 42% had comments regarding alcohol, 53% had photos involving alcohol use, 20% had comments regarding sexual activities, 25% had seminude or sexually provocative photos, and 50% included the use of profanity."
 It is inferred that negative or incriminating Facebook posts can effect alumnis' and potential employers' perception of them. This perception can greatly impact the students' relationships, ability to gain employment, and maintain school enrollment. The desire for social acceptance leads individuals to want to share the most intimate details of their personal lives along with illicit drug use and binge drinking. Too often, these portrayals of their daily lives are exaggerated and/or embellished to attract others like minded to them.
Effect on higher education
On January 23, 2006, The Chronicle of Higher Education continued an ongoing national debate on social networks with an
opinion piece written by Michael Bugeja, director of the
Journalism School at
Iowa State University, entitled "Facing the Facebook".
 Bugeja, author of the
Oxford University Press text Interpersonal Divide (2005), quoted representatives of the
American Association of University Professors and colleagues in higher education to document the distraction of students using Facebook and other social networks during class and at other venues in the
wireless campus. Bugeja followed up on January 26, 2007 in The Chronicle with an article titled "Distractions in the Wireless Classroom",
 quoting several educators across the country who were banning laptops in the classroom. Similarly, organizations such as the
National Association for Campus Activities,
Association for Education in Journalism and Mass Communication,
 and others have hosted seminars and presentations to discuss ramifications of students' use of Facebook and other social-networking sites.
EDUCAUSE Learning Initiative has also released a brief pamphlet entitled "7 Things You Should Know About Facebook" aimed at higher education professionals that "describes what [Facebook] is, where it is going, and why it matters to teaching and learning".
 on Facebook in higher education suggests that there may be some small educational benefits associated with student Facebook use, including improving engagement which is related to student retention.
 2012 research has found that time spent on Facebook is related to involvement in campus activities.
 This same study found that certain Facebook activities like commenting and creating or RSVPing to events were positively related to student engagement while playing games and checking up on friends was negatively related. Furthermore, using technologies such as Facebook to connect with others can help college students be less depressed and cope with feelings of loneliness and homesickness.
Effect on college student grades
As of February 2012, only four published peer-reviewed studies have examined the relationship between Facebook use and grades.
 There is considerable variance in the findings. Pasek et al. (2009)
 found there was no relationship between Facebook use and grades. Kolek and Saunders (2008)
 found that there were no differences in overall grade point average (GPA) between users and non-users of Facebook. Kirschner and Karpinski (2010)
 found that Facebook users reported a lower mean GPA than non-users. Junco's (2012)
 study clarifies the discrepancies in these findings. While Junco (2012)
 found a negative relationship between time spent on Facebook and student GPA in his large sample of college students, the real-world impact of the relationship was negligible. Furthermore, Junco (2012)
 found that sharing links and checking up on friends were positively related to GPA while posting status updates was negatively related. In addition to noting the differences in how Facebook use was measured among the four studies, Junco (2012)
 concludes that the ways in which students use Facebook are more important in predicting academic outcomes.
The term phishing is one kind of online fraud in which criminals try to trick people into revealing passwords, credit card information, and other sensitive information. Phishing takes the form of a message or Wall post that appears to come from someone on the user's Friend List but in actuality the message was sent by phishers using the friend's login information. The phishers are hoping the user takes the bait resulting in the phishers gaining access to the Facebook user's account . Soon afterwards, the user's other friends will start getting phishing messages from what appears to be from the Facebook user. The point of the post is to get the Facebook user to visit a website with viruses and malware.