In light of Facebook’s recent privacy settings overhaul, it should be clear to everyone that social networking websites are seeking to open up their userbases to the world. There is a good incentive for them to do so. The more information that is publicly searchable, the more attractive websites become for marketers. Of course, it would be downright foolish for a company like Facebook to come right out and say this to its users. People may be willing to give up their privacy in exchange for something of value, but they won’t do it if they don’t feel protected in other ways. That’s why so many companies have put up a mere facade of privacy, or as entrepreneur Rohit Khare calls it, “Privacy Theater.”

In a recent guest post for TechCrunch, Mr. Khare, who is the co-founder of Angstro and an award-winning Internet researcher, expounded upon the notion of “Privacy Theater,” explaining just how social networking websites are only pretending to protect user privacy. Khare begins his blistering column talking about the recent hacking of social networking app developer, RockYou.

From the post:

Last week’s headlines brought news that RockYou had accumulated 32,603,388 identities over the past few years — and negligently stored them in plaintext in an incompetently protected database.

RockYou’s official bluster about “illegal intrusion” should fool no one: blaming Imperva, the firm who exposed the flaw, or accusing the hacker(s) of being the identity thieves is misdirection: it was actually RockYou who stole those credentials, and RockYou should be held to account.

I realize that I’m using the incendiary terms “identity theft” and “stole,” even though I would agree that users voluntarily consented to type their passwords into RockYou’s forms. I assume that both users and RockYou’s developers actually only intended to share some particular bits of information: a contact list, a user photo, a friend’s gender; but the bottom line is that instead of sharing that specific data, RockYou retained enough secrets to impersonate those users at will.

[...]

The fault, dear Reader, is not in our stars; it lies with sites that pretend to waive all care and duty by idly warning their users not to share their account passwords with anyone else.

In the absence of vigorous enforcement of those ToS agreements, any RockYou developer who passed up the opportunity to, say, phish MySpace passwords was putting their own employer at a disadvantage to any other startup that was willing to race them to the bottom.

Khare goes on to explain how Personally-Identifiable Information (PII) is distributed freely in order for social networking websites to function.

If PII is so hard to protect, then the only way for social networks to protect their users’ privacy must be to prohibit partners from accessing contact information in the first place. I might not be able to export my holiday card mailing list from my favorite social network— a roach motel for our data — but giant marketing corporations can buy and sell our private information with impunity.

[...]

Now, merely indexing public web pages can’t be evil—but reconciling online identities and 3rd-party advertising cookies with real-world credit reports, government records, and other databases can be. Adding in all that information doesn’t increase Mr. Smith’s anonymity; Jeff Jonas has made a small fortune proving that semantic reconciliation dramatically collapses uncertainty. Just think about combining Spock’s 100M profiles with Intelius’ 20B other data points; or Wink’s 200M profiles with Reunion MyLife’s 34M members and 700M records…

Khare closes his editorial with a warning that government regulation is coming if the Internet industry doesn’t take proactive steps to fix its epidemic privacy problems.

If the industry expects self-regulation to forestall government regulation, well, here’s what I think it would take: An immediate ban on all of RockYou’s applications by all of their partners, pending a public audit of all of their apps. That’s taking a page from the audit provisions of LinkedIn’s ToS and adding sunlight by publishing the results.

Sounds harsh? I thought the market was supposed to provide swifter, surer justice than some pesky regulator with its clunky old notions of due process and presumptions of innocence. API agreements are a private matter between ruthless corporations. Heck, if they really wanted to put the rest of the ecosystem on notice, they ought to audit every application funded by Sequoia, Partech, DCM, and Softbank, all lead investors in RockYou.

It’s not like lawsuits are being filed, as Marissa Mayer announced by going after work-from-home scam artists in an interview with Mike Arrington at LeWeb. It’s not like this is Scamville 2.0, since this isn’t stealing users’ cash, only their dignity. It’s not like there’s a legal spotlight on the issue, since there’s only $9M set aside for a hazy new privacy foundation in the latest Facebook class-action settlement. It’s not like it’s a political issue in the headlines, since a Facebook Chief Privacy Officer is running for Attorney General, the top law-enforcement office in California. It’s not like it’s as complicated as “don’t be evil,” since I can give you one simple tip to eliminate privacy theater: enforce your ToS and obey others’ ToS — or else stop setting unrealistic expectations and just let users have their data back!

While, I have cherry-picked a few selections of Mr. Khare’s piece, I highly recommend you read the whole article at TechCrunch. It is undoubtedly one of the best and most thoughtful summations of the state of our digital privacy I’ve ever read.