There's no hiding on Facebook

It's impossible to keep your personal information private on a social networking site. We need stronger privacy protections.

In September, Facebook lost a $9.5m class-action lawsuit and subsequently shuttered its Beacon service, which recorded what users did on non-Facebook sites and posted the information to the system's news feed. Beacon infuriated Facebook users, who argued that it drew together disparate information that was disturbingly more than the sum of its parts. (One plaintiff's Christmas present to his wife, a ring bought on Overstock.com, was unexpectedly revealed to his network, ruining the surprise. He received $15,000.)

Facebook has been repeatedly criticised on privacy grounds. While the company claims it doesn't sell user information, details are made available to third-party application developers, who account for much of the site's profits. And researchers have found that personal data can be "leaked" to advertisers and data aggregators, who already collect browsing and behavioural information about people as they move about the web. Just last week, Facebook announced a multi-million dollar deal with Nielsen, known for their meticulous tracking of television ratings and internet metrics.

Even without these partnerships, Facebook makes privacy advocates uneasy. University of Wisconsin professor Michael Zimmer accurately identified an "anonymised" Facebook dataset from the description that it was a private college in the northeast (spoiler alert: it was Harvard). Similarly, the "Project Gaydar" research team at MIT found that gay men's sexual orientation could be identified based solely on their friends. It's not just information you make explicitly available – age, partner's name or favourite film – that identifies you on Facebook. Close analysis of a network of friends can reveal deeply personal details, even with a private profile. These studies suggest that it's impossible to retain complete control over personal information within a detailed, publicly available network.

Highly publicised incidents in which information posted on Facebook led to firings, evictions and expulsions have inspired stern lectures to students, warning them to remove their profiles, or else. But it's not that simple. For millions of people – and not just teenagers – Facebook facilitates conversations, connections and invitations that are integral to both online and offline social life. Indeed, there are clear social benefits to letting your friends know what you're up to.

But providing personal information to friends as part of a thriving social web is very different from passing that same information to teachers, employers or marketing companies. Personal details are shared within a social context that already has certain privacy expectations – don't tell my mom I'm having a party. Don't tell John about his birthday present.

The enormous protests over Beacon show what happens when users believe their privacy expectations have been violated. In February, Facebook changed its terms of service, claiming that it owned content contributed by users. The uproar that ensued spurred it to ask for user input into future changes, a surprising victory.

While people are starting to hold Facebook accountable for these promises, the company's privacy controls need to be more transparent and user-friendly. Users should know, for example, that installing an application makes all their friends' personal information available to the company that developed that application – which could be a marketing agency, a major corporation or one student in a dorm room.

Equally important, we need stronger privacy laws for social media users. For example, although it's illegal for US employers to ask job candidates their race or age, this information is routinely found using social network sites. People are unlikely to stop using sites like Facebook. Rather than protesting, we need legal, social and technological institutions to protect us. If Facebook and other social media creators care about the long-term success of their companies, they should take an active role in instituting privacy controls and support data protection legislation.