Privacy as Product Safety

Online social media confound many of our familiar expectations about privacy. Contrary to popular myth, users of social software like Facebook do care about privacy, deserve it, and have trouble securing it for themselves. Moreover, traditional database-focused privacy regulations on the Fair Information Practices model, while often worthwhile, fail to engage with the distinctively social aspects of these online services. Instead, online privacy law should take inspiration from a perhaps surprising quarter: product-safety law. A web site that directs users' personal information in ways they don't expect is a defectively designed product, and many concepts from products liability law could usefully be applied to the structurally similar problem of privacy in social software. After setting the scene with a discussion of how people use Facebook and why standard assumptions about privacy and privacy law fail, this essay examines the parallel between physically safe products and privacy-safe social software. It illustrates the value of the product-safety approach by considering another ripped-from-the-headlines example: Google Buzz.

along the shore, and ended up on a private yacht as the sun went down. 2 It was a good day.
I know all of this because Andrea posted her photos on Facebook. 3 This in itself might not have been a big deal, except that her musician friend was named Bono and his band was an outfit called U2. 4 The tabloids jumped at the chance to run pictures of the middle-aged rocker partying in the sun with two nymphets whose ages combined added up to less than his. 5 So much for a private little walk on the beach.
The story is noteworthy because it features a celebrity, but similar things happen on social software every day. 6 An education major lost her teaching placement-and with it her degree-after a photo of her as a " 'drunken pirate' " along with an unflattering MySpace post came to the attention of her school's superintendent. 7 Another college student faced criminal charges after the police used Facebook to link him to a friend he denied knowing. 8 Say the wrong thing on Facebook-or rather, say it without realizing who might see it-and you could lose your job. 9 The smaller losses of dignity are so routine that there are now entire websites devoted to cataloguing them. 10 On Facebook, Andrea is an everywoman.
This essay will take up two questions suggested by Andrea's example: is the loss of privacy in social media something lawmakers ought to worry about and, if so, what should they do? Part II will answer the first question with a clear yes: users want privacy, deserve privacy, and cannot easily secure privacy for themselves. Part III will suggest, somewhat more tentatively, that lawmakers could benefit from thinking about the problem of privacy in social software as one of safe product design. I will use Facebook as the principal example, with Andrea's story 11 serving as a recurring motif. Near the end of this article, I will illustrate that my theory is not Facebook-specific by showing that it also helps us make sense out of a recent privacy controversy involving Google Buzz.

II. THE MYTHS OF PRIVACY ON FACEBOOK
The first question raised by Andrea's story is whether there is a problem here at all. The very fact that so much personal information is available on Facebook could be an argument against legal intervention. How so? Here are three things one might say about privacy in social software, using Andrea as a representative example of her fellow users:
Andrea does not care about privacy.
Andrea makes rational privacy choices.
Andrea's desire for privacy is unrealistic.
If even one of these claims is true, then the law should keep its hands off. If Andrea does not want privacy, the law should not force it on her. If she wants privacy but is capable of securing it for herself, then she does not need help from the law. If she wants privacy in the same unrealistic way that five-year-olds want to be surgeon princesses and astronaut ninjas, then there is little the law could do about it.
11 See supra text accompanying notes 1-5. The references to Andrea throughout the rest of this article are pulled from the illustration used in the introduction of this essay. Id.
In reality though, all three of these claims are false. 12 They are myths about privacy. 13 Users of Facebook care passionately about privacy, but they have great trouble achieving it. 14 That trouble is not their fault; it arises out of the quite natural difficulty they have in understanding what will happen to their personal information once they post it. 15 However, a substantial part of what they mean by 'privacy' is readily achievable-at least most of the time. 16 To these three myths about privacy on Facebook, we should add a fourth half-myth about privacy law and Facebook: Regulating Facebook as a database will solve Andrea's privacy problems. It is true that Facebook and other social network sites have enormous databases of personal information on their users. 17 It is also true that privacy law can and should prevent misuse of those databases-so Facebook, for example, should be required to take reasonable steps to secure its site from hackers. But the social nature of this social software means that database regulation alone is insufficient-and, indeed, can be counterproductive if not carefully handled. 18 Database regulation is thus a half-myth: a good idea, but also a distraction from other privacy issues. 19 12 See infra pt. II.A-D. 13 See id. 14 See infra pt. II.A. 15 See id. 16 See id. 17 See Harry Lewis, How Facebook Spells the End of Privacy, BOSTON GLOBE, June 14, 2008, at A11. 18 See infra pt. II.D. 19 See id.

A. Myth 1: Facebook Users Don't Care About Privacy
Webster's New World Dictionary selected "overshare" as its "2008 Word of the Year." 20 As its press release explained, "[I]n an era of online social networking and instant digital broadcasts, this type of unsolicited and often embarrassing communication is an inescapable sign of the times." 21 That is certainly true on Facebook: there are days-perhaps most days-when the site can seem like a single global case of TMI. 22 Whether it is women posting their bra colors, 23 bosses posting pink slips, 24 or people's simple narcissism, 25 you can find it all on Facebook.
This let-it-all-hang-out attitude seems, on its face, flatly inconsistent with anything resembling privacy as we have traditionally understood it, leading to the obvious conclusion that the Facebook generation has turned its back on privacy. As columnist Robert J. Samuelson wrote, "[M]illions of Americans are gleefully discarding-or at least cheerfully compromising-their right to privacy. . . . People seem to crave popularity or celebrity more than they fear the loss of privacy." 26 Or, as Emily Nussbaum summed up the "disgusted, dismissive squawk" of an "older generation": "Kids today. no sense of privacy. They are show-offs, fame whores, pornographic little loons who post their diaries, their phone numbers, their stupid poetry-for God's sake, their dirty photos!-online." 27
Behind the generation gap and the apprehension of a socially disruptive new technology, there is a genuine sociological theory at work here. It asserts that the kids these days simply do not care about privacy. A collection of attitudes-personal dignity, post-Nixonian suspicion of government surveillance, patience with slower analog media, and willingness to think about the future-that kept older generations from revealing too much about themselves have all fallen by the wayside. Meanwhile, mass culture is now dominated by Jersey Shore, 28 The Real Housewives, 29 Celebrity Rehab, 30 and other reality TV offerings that conflate public exposure with personal fulfillment. There is little wonder that today's teens and young adults see only benefits in sharing their every move online, with little concern for the consequences of foregone privacy. Facebook use is just a symptom of an underlying unconcern for the private-visible confirmation that oversharing is the new black.
It is an elegant theory, except for the inconvenient fact that it does not fit the available data. Actual Facebook users act in ways that indicate that they very much care about privacy. When Facebook rolled out News Feed, there were massive user protests to the point that Mark Zuckerberg had to apologize to the Facebook community. 31 The same thing happened a year later with Facebook's Beacon advertising system 32  a change to its data-retention policy. 33 Meanwhile, when Facebook users find out that others are looking at their Facebook profiles, such as employers, 34 relatives, 35 or police, 36 they also object. 37 These are the protests of people for whom privacy matters.
It is not cheap talk. Facebook users also act in ways that show a regard for privacy. Consider Andrea. Her choice to use Facebook was actually a privacy-positive move. Her alternative, after all, was the web. Facebook is a controlled network; Andrea chose which networks to belong to and whom to 'friend.' She may have failed at keeping her pictures private, but she did at least try-and so does everyone who uses Facebook and puts any effort into choosing friends or adjusting privacy settings.
In fact, as soon as you scratch beneath the surface of Facebook social practices, carefully modulated privacy management is everywhere. danah boyd has documented how teens on Facebook, MySpace, and other social media use fake profiles, fake names, fake ages, and a cloud of other minor lies to keep their profiles safe from prying (usually parental) eyes while also connecting with their peers. 38 Meanwhile, college students coming back from a night of partying have learned that the first thing they need to do is check Facebook and untag their names from any photos of them doing keg stands, lest their athletic coaches or campus police catch them drinking. 39
The point is not that these "Digital Natives" prize privacy above all else or that they experience privacy in the same way previous generations did or that the social content of privacy is stable. 40 The privacy they care about is social and relational, perhaps less concerned with databases and governmental surveillance than their parents' and grandparents' privacy. 41 They are constantly trading their privacy off against other social opportunities and making pragmatic judgment calls about what to reveal and what to keep hidden. 42 However, they do care about privacy, and they act accordingly.

B. Myth 2: Facebook Users Make Rational Privacy Choices
Why, then, does the idea that Facebook users reject privacy have such resonance? The idea appeals, in part, because of a related idea: people make rational, cost-benefit tradeoffs when evaluating privacy online. If Facebook users are choosing online options that lead to low-privacy outcomes, they must have a good reason for it.
Again, the thought has a certain logic to it. Just as it may not be rational for people to invest in picking good passwords if someone else bears the risk from computer intrusions, 43 44 This is particularly the case if they have something to gain by exposing their personal information. In Ed Felten's words, " 'Given the choice between dancing pigs and security, users will choose dancing pigs every time.' " 45 The behavioral advertising industry (which Facebook has been trying mightily to break into), for example, describes highly targeted advertising as a benefit to consumers, something they willingly seek out. 46 If this were right, then we could treat the fact that thirty-five percent of Facebook users adjusted their privacy settings after its latest design changes as evidence that they are carefully reviewing the pros and cons of privacy-that would be 100,000,000 well-informed users. 47 The other sixty-five percent-some 250,000,000 strong-must have fully approved of Facebook's changes. 48
Just as the death of privacy was a myth, however, so too is the belief in rational privacy balancing. For one thing, users massively misunderstand Facebook's privacy architecture and settings. One study found that over half of Facebook users surveyed were unaware that their profiles were searchable by millions of other Facebook users. 49  were willing to add a green plastic frog as a friend. 50 The frog's name, in a nice touch, was " 'Freddi Staur,' " an anagram for " 'ID Fraudster.' " 51 Suddenly, the inactivity of the sixty-five percent who left their privacy settings untouched sounds less like agreement and more like ignorance. Of course, one also starts to wonder how effective the choices made by the other thirty-five percent were.
Consider Andrea again: she posted the photos to her seemingly private Facebook account, thinking that they would be visible only to her friends and networks. 52 The trouble is that one of her networks was "New York City," whose membership by default consisted of anyone in New York City with a Facebook account. 53 Over 1,000,000 other users were able to view Andrea's photos of herself with Bono. It is hard to describe this as a rational choice about privacy. 54 Facebook itself eventually eliminated this 'feature' of networks, having presumably concluded that users were never going to understand how networks worked. 55
Facebook users who attempt to weigh the privacy costs and benefits of each individual act of participation systematically get the balance wrong. 56 The design of social networking sites plays into plenty of well-understood, social cognitive biases. The most basic heuristic of privacy self-help-know your audience-is hard to use in an electronically mediated environment that gives you little feedback on who any given communication is visible to. Instead, social networking sites activate the subconscious cues that make users think they are interacting within bounded, closed, private spaces. Indiscretions follow because users are cognitively distracted from the work of predicting the social consequences of their activities.
Moreover, in many cases of Facebook privacy trouble, the victim has made every reasonable effort to keep the information confidential. Miss New Jersey 2007 was blackmailed by someone who got a hold of some mildly racy photographs that she posted to what she thought was a Facebook photo album restricted to friends only. 57 As between blackmailer and victim, the fault is clear. Similarly, Facebook's ill-fated Beacon advertising program utilized users' names and faces to hawk the products that they bought on other sites, like Blockbuster or Zappos. 58 Nothing in their previous online experience would have led them to expect such a model of information sharing and exposure. 59
Indeed, the social-network aspects of social media mean that even information that people deliberately try to keep offline can find its way online. A group of students at MIT were able to identify gay users on Facebook with surprisingly high accuracy, simply by looking to see whether they had gay friends, even when the users themselves had not posted their sexual orientation. 60 Photo tagging is another good example: the entire untagging ritual is possible-and necessary-because Facebook allows users to tag photos of each other before the taggee has a chance to object. 61

C. Myth 3: Facebook Users' Desire for Privacy Is Unrealistic
If users want privacy and fail in their efforts at obtaining it, it is tempting to tell them to stop trying, to dismiss their desire as a pipe dream, a relic of the preinformation age. A decade ago, Sun's Scott McNealy said, " 'You have zero privacy anyway . . . Get over it.' " 62 Google's Eric Schmidt echoed the sentiment when he said, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." 63 In legal filings, his company has argued that "even in [a] desert, complete privacy does not exist." 64 The argument echoes those made by legal scholars such as Richard Posner, who has compared privacy "to the efforts of sellers to conceal defects in their products." 65
This too is a myth. It is true that Facebook regularly smashes its users' fragile and precious hopes for privacy. Although it may be wise to remember that anything posted to the site could become public knowledge, 66  the exception, not the rule. This should not be a surprise. The site is not designed to be fully public, and that is not how people use it. Instead, it facilitates back-and-forth conversations among small groups, 67 social contexts not intended to be intelligible to outsiders, and bounded spaces for interaction. The same network structure that helps people communicate also predictably limits the spread of what they say. 68 Facebook's moves towards making more information public have been necessary, from Facebook's point of view, precisely because people were sharing information less widely than the site would have liked. 69
Recognizing this truth about sociality and information-sharing, most people are willing to say at least a few things about themselves on Facebook that they would not shout from the rooftops. They expect not to be harmed, and most of the time, they are right. 70 At some point, this expectation starts to create its own reality-to become the kind of expectation that creates enforceable duties at law. Privacy law is full of them, from criminal procedure's 'reasonable expectation of privacy' 71 to the "reasonable person" standard of offensiveness used in the intrusion on seclusion, 72 public disclosure of private facts, 73 and false light 74 torts. Indeed, not just privacy law but privacy itself is socially constructed in just this way. My anger when you take a 'Wall' post and forward it to my employer is grounded in your violation of the norms of our relationship-of the social context that defined the post in its original venue. 75 To treat everything on Facebook as fair game is to run a steamroller over the millions of differentiated, localized social contexts on Facebook, each with its own norms of what is appropriate behavior and how information should flow. Those norms are inseparable from the sociality of the site itself: the self-expression, relationships, and communities it helps its users build. 76 People are not really trading off privacy against socializing on Facebook so much as using it to define them both, simultaneously, in relation to each other.
67 Welcome to Facebook, supra note 6 ("Facebook helps you connect and share with the people in your life.").
Examples may help clarify the point. Take Andrea. Her photographs were taken to memorialize a frozen moment. They were an attempt to tell the story of her day on the beach with Bono with an aura of seemingly unmediated, authentic truth, 77 Andrea used Facebook as such: she posted the photos to it to make them visible to what she thought was a small group of friends. 78 The closeness of her relationship to those friends was bound up with the closeness of her relationship with Bono-the latter became an element of the former. Both of these relationships were more meaningful to her because of the photographs and because she did not indiscriminately show them to the world. When the photographs escaped from that social context, their meaning changed; suddenly Andrea was a participant in a tabloid driven "scandal" about Bono's seemingly debauched behavior. 79 When interviewed, she protested: "I think that for somebody who's much 75  Consider the women who posted their bra colors to Facebook. 81 The point was to raise awareness of breast cancer; 82 however, had a male coworker approached them the next day and said "So you wore a pink bra yesterday; what color are you wearing today?" it would have been not just socially inappropriate, but potentially actionable as workplace sexual harassment. 83 The bra-color posts were designed for the social context of Facebook, but what is acceptable in one context becomes a privacy violation when decontextualized.
The bra-color example also illustrates the deeper point that privacy itself cannot be understood apart from the social contexts that make it meaningful. 84 The zing of the meme came from making 'public' a typically 'private' subject-mirroring the consciousness-raising agenda of making breast cancer a political subject, rather than just a personal issue for afflicted women. Women who posted their bra colors were engaged both in an act of self-expression and in conscious affiliation with a larger community of women. 85 The inappropriateness of the male coworker's comment comes not so much from the fact that bra color is a private subject as from its violation of the very specific way the meme constructs the public/private divide in a socially embedded fashion. 80 Tapper, supra note 1. 81 Posting of Hortense to Jezebel, supra note 23. 82 Id. 83

D. Myth 4: Database Regulation Will Make Facebook Privacy-Safe
If, as I have been arguing, privacy mistakes are endemic on social networking sites, the next question is what the law can and should do about it. Much of the time, the answer will be nothing. Many privacy harms, embarrassing though they may be, are beneath the threshold at which the law ought to take notice. The fact that your mother found out your plans to attend International Skip School Day is not, and should not be, a legally cognizable harm. 86 Moreover, there are often good reasons to let people make even serious privacy mistakes. Respecting a person's autonomy to make privacy choices requires us to give him or her the freedom to fail. Indeed, some privacy mistakes are good for society, like the one made by the burglar who checked his Facebook account from his victim's computer and forgot to log out. 87 Even a privacy 'fail' can be an important learning experience. Youthful experimentation, bumps and bruises included, is a significant part of how people come to understand how privacy works and what it means to them. 88
Most of the time, there are good policy reasons for making users the stewards of their own online privacy. Privacy is an intensely personal good, especially in the social dimensions at stake on social networking sites. That means it is impossible for anyone but the user to define what privacy is important for him or her. The user is also the best-motivated person to protect his or her privacy because the user is generally the cheapest cost-avoider. Even though the privacy harms of Facebook use are real, so are the social benefits-if the walls of your house are made of glass, throwing stones is not the solution to your privacy problems.
That, however, still leaves a substantial rump of cases in which legal intervention is justifiable. Some, like Miss New Jersey's case of blackmail, 89 are easily addressed under existing law. Others, like Beacon, are trickier: Blockbuster's participation in Beacon clearly violated the Video Privacy Protection Act, 90 but Zappos and Epicurious are less clearly troublesome given the lack of omnibus privacy protections in the United States. 91 Many harms-Andrea's photographs of herself with Bono come to mind-may not rise to the level justifying ex post tort liability under current law, 92 but would be good to prevent ex ante if at all possible.
The dominant modern approach to information privacy regulation focuses on limiting misuse of databases. 93 In the United States, the so-called 'Fair Information Practices' are not binding law but are used by the Federal Trade Commission and industry self-regulation groups to set benchmarks of good conduct. 94 In Europe, the Data Protection Directive makes them enforceable. 95 The high-level idea is to ensure that personal data is collected only with disclosure of the legitimate purposes that it will be used for-and then to ensure it is used only for those purposes. 96 In the words of the Data Protection Directive, personal information must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes." 97
This database frame is useful. The secret, error-riddled, and sprawling database has a uniquely Kafkaesque tone. 98 The Fair Information Practices approach tries to tame the database by keeping it open, accurate, and limited to its original uses. 99 That is a good way of thinking about credit card data or a collection of search queries: essential for daily life but highly dangerous in the wrong hands (think of a small-town sheriff with personal grudges). Informed consent at the time of collection legitimates the primary use; secondary uses are forbidden.
89 See supra text accompanying note 57.
For some threats, the database frame is also a useful way of thinking about Facebook. Facebook's huge reservoirs of personal information are tempting to outsiders. That is a reason why its general counsel told an audience of lawyers that Facebook would vigorously contest subpoenas for personal information, saying, " 'We're itching for that fight.' " 100 The fear of secondary use is also at work when privacy advocates worry that Facebook will turn its user data over to third-party advertisers. 101
As useful as the database frame is in thinking about the data processing taking place on the back end, it is not so helpful in thinking about the social interactions taking place on the front end. Neither 'limited data collection,' 'no secondary use,' nor 'full disclosure' really gets at the user-user relationships on Facebook.
In the first place, Facebook's social nature means that there is nothing so personal that it is entirely off-limits. A typical Facebook profile contains answers to most of the questions employers are not allowed to ask of job applicants: race, sex, age, national origin, religion, and marital status. 102 People are voluntarily uploading it all because they are social and because Facebook scratches social itches. If you were to tell Facebook that it could not collect these types of information, you would kill it. Given the profound social benefits that social media offer, that would be a tragic outcome.
Trying to limit secondary use is also surprisingly difficult. The problem comes in defining the original purposes for which the data is collected. Defined broadly-in the words of Facebook's mottos, to "connect and share with the people in your life" 103 or "the power to share and make the world more open and connected" 104 -it is a purpose that swallows everything on the site. Everyone who uses Facebook gives it personal data for the express purpose of sharing that data with other users, which implies that pretty much anything other users do or see on the site falls within the original, legitimate purpose.
Defining purpose narrowly, on the other hand, would render the site unusable. If you think the flood of Facebook notifications is bad now, just wait until Facebook asks you for fresh, specific consent for each transfer of personal data to an individual user. Demanding explicit consent every time information is shared with someone other than its specific, original audience could require hundreds of prompts, per user, per day. It would make viewing one's News Feed or clicking from Wall to Wall impossible. It is, in other words, incompatible with the very reasons that people use Facebook and other social software. 105
In between those two extremes, however, it is difficult to make the concept of 'secondary use' bear much weight. If it means 'any use not originally contemplated by the user,' then all we have managed to do is restate the problem. We got into this mess precisely because users have been unable to predict all the ways in which their information might be seen. We need a way to get more intellectual traction on the question of which uses they expect and which ones they do not-and on how to bring their expectations more closely in line with reality.
That sounds like the problem of disclosure, but disclosure as usually practiced by commercial data controllers is weak tea in a social setting. The law does not demand that friends give each other full disclosure of their data collection practices when they are catching up with each other on the last few months. Transpose that conversation to Facebook, and they are still not giving or expecting disclosure. The confidences are regulated by implicit social norms, rather than by explicit promises. Facebook can easily disclose its own practices; however, when it comes to what other users might choose to do, it cannot say much more than "anything can happen." 106 Again, the database-oriented Fair Information Practices approach is not wrong. It just does not provide enough leverage on the specific problem of social privacy in social media.
105 See Grimmelmann, supra note 6, at 1151.
[P]eople have social reasons to participate on social network sites, and these social motivations explain both why users value Facebook notwithstanding its well-known privacy risks and why they systematically underestimate those risks. Facebook provides users with a forum in which they can craft social identities, forge reciprocal relationships, and accumulate social capital. These are important, even primal, human desires, whose immediacy can trigger systematic biases in the mechanisms that people use to evaluate privacy risks.
Id.

III. PRIVACY AS PRODUCT SAFETY
To review: people use Facebook in complicated ways, sometimes leading to privacy trouble. There is often a significant gap between what users expect will happen with their personal information and what actually does happen. Overall, the beneficial uses of Facebook outweigh its dangers, but it would be good to find ways of preventing some of the specific privacy harms. Facebook probably cannot be made perfectly safe for privacy, but it could almost certainly be made safer.
Put this way, there is a natural affinity between the privacy law challenges facing Facebook and another area of the law: product safety. It is true that using Facebook can be hazardous to your privacy, but a hammer can be hazardous to your thumb. People need tools, and sometimes they need dangerous tools. Hammers are physically dangerous; Facebook is socially dangerous. We should not ban hammers, and we should not ban Facebook. The challenge for policymakers is to ensure that the tools people do use are not unnecessarily dangerous.
Thus I would like to suggest that some of the lessons the law has learned in dealing with product safety could usefully be applied to the analogous problem of privacy safety. Unlike database regulations, which tend to focus only on the flow of information in itself, a product-safety approach can also consider how people use social media. After a survey of previous work on this metaphor, this part will tentatively map the products liability doctrine onto the problem of making social media safe for privacy. The fit is not perfect, but it is surprisingly good. This part will conclude with a case study of another recent, high-profile online privacy debacle: the launch of Google Buzz. 107 I will argue that like product safety regulation before the strict liability and regulatory revolution of the 1960s. 113 Benjamin Sachs traces the connection further back, drawing a parallel between the rise of the industrial economy around the turn of the twentieth century and the information economy around the turn of the twenty-first century. 114 Their common point about society and the law is that an era in which individuals could generally protect themselves has given way to an era in which social and technological forces make it far harder for consumers to be successful stewards of their own safety. 115 The law caught up with the changes in how products were made and sold; the question we face today is how the law will catch up with the changes in how information is made and sold.
When it comes to specific proposals, Sachs argues that data collectors should be held strictly liable in tort for failure to secure the data they store. 116 His emphasis is on back-end data breaches-harms caused when unauthorized intruders gain access to the stored data on users 117 -and thus can easily be reconciled with the database model of privacy discussed above. 118 Sarah Ludington, also noting the institutional parallel to product safety, 119 offers a similar proposal of a tort for the misuse of stored personal data, one that would explicitly enforce the Fair Information Practices. 120 Other than the historical parallel, the product safety metaphor is not doing as much work in these proposals as it could.  115 See id. at 219-23 (providing a discussion of the four primary breach of privacy issues and their effects on individuals). 116 Id. at 240. 117 Id. at 219-23. 118 See generally Solove, supra note 98 (discussing the database model of privacy). 119  by scholars who have not relied on the metaphor. 121 Indeed, the database-centric Fair Information Practice approach has been the basis for most of the information privacy law the United States actually has. 122 To the extent that we seek a common-law tort metaphor for imposing a duty to carry out back-end data processing securely and confidentially, Danielle Citron's invocation of strict liability under Rylands v. Fletcher may be even more on point than products liability. 123 In her description, large "reservoirs" of personal data are akin to large reservoirs of water: both are liable to cause great damage if their contents escape. 124 The duty to handle personal data securely has relatively little to do with how the data was acquired: the same concerns arise whether it is consciously entered into an online quiz or generated invisibly by a grocery-store scanner. Instead, the greatest-and, so far, largely untapped-potential of the product safety metaphor is on the front end.
The parts of an online service that users actually see and interact with are more like a 'product' than the largely invisible back-end data processing. Users have expectations about what the service will do; a site that acts otherwise frustrates those expectations. A site that violates their privacy causes harms, and when those harms are preventable with better design choices or more careful programming, it makes sense to ask whether the site operator should be held accountable for them. What follows, then, are a few thoughts about how product-safety law-principally, the branch of tort law known as products liability-may have useful lessons for thinking about privacy and social software.

B. The Basics of Product Safety Law
The starting point of the simile is the starting point of products liability: holding sellers liable for the harms their products cause. As the Restatement puts it, "One engaged in the business of selling or otherwise distributing products who sells or distributes a defective product is subject to liability for harm to persons or property caused by the defect." 125 This rule, simple as it may seem, has several important consequences.
The first point implicit in the basic duty of sellers to make their products safe is that sellers can be held liable even when the consumer is at fault in the accident. 126 The consumer's recovery may be reduced by principles of comparative fault, 127 but the seller could still be held liable for selling the consumer a defective product in the first place. 128 All that is required is the usual but-for and proximate causal connection. 129 Even the consumer who misuses the product can sometimes recover; after all, certain kinds of misuse are foreseeable at the time of sale. 130 If Andrea was careless in sharing her photos with the New York network, this was a carelessness that Facebook, arguably, should have anticipated and guarded against.
125 RESTATEMENT (THIRD) OF TORTS: PROD. LIAB. § 1 (1998).
126 See id. § 1 cmt. a.
Courts early began imposing liability without fault on product sellers for harm caused by such defects, holding a seller liable for harm caused by manufacturing defects even though all possible care had been exercised by the seller in the preparation and distribution of the product. In doing so, courts relied on the concept of warranty, in connection with which fault has never been a prerequisite to liability.
Id.
127 Id. § 17(a). Evaluating the user's actual conduct under comparative fault is more respectful of his or her agency than a broad rule that the social network site has no duty at all to him or her, which makes the user's own conduct irrelevant under all circumstances.
128 See id.
129 See id. § 15 ("Whether a product defect caused harm to persons or property is determined by the prevailing rules and principles governing causation in tort."); DAVID G. OWEN, PRODUCTS LIABILITY LAW § § 11.1-.
A second implicit point in the basic duty of sellers to make their products safe is that disclaimers are not a substitute for a safe product. The Restatement makes disclaimers unenforceable "for harm to persons," 131 and many states have laws forbidding the disclaimer of product warranties. 132 This rule has particular importance for services like Facebook, which require users to 'consent' to contractual agreements when they sign up, along the way disclaiming all liability on Facebook's part for any harms in this life or the next. 133 The products liability paradigm calls into question the appropriateness of allowing such waivers. 134
A third point is that sellers are liable for generic design defects as well as for individual manufacturing defects. 135 (1998). The substantive standard of liability differs between them: manufacturing defects are judged according to a rule of strict liability, whereas design defects are judged according to a more negligence-like, risk-utility calculus. Compare id. § 2(a) (manufacturing defects), with id. § 2(b) (design defects).
troublesome in practice, 136 this equivalence makes intuitive sense. A gas tank manufactured with slipshod welding and one designed with excessively thin walls will cause the same damage if they rupture and explode, and the carmaker is equally culpable for selling an exploding car. 137 Given that the most striking privacy harms on Facebook stem from design mistakes, rather than one-off bugs afflicting individual users, it again makes sense not to take design decisions off the table entirely. 138
This attention to design is a critical and valuable feature of products liability law. The Restatement explicitly requires courts to consider the costs and benefits of the design alternatives open to the seller; the definition of a design defect requires proof that the actual design was inferior to a "reasonable alternative design" that would have prevented the harm. 139 The court, in other words, must think through the same kinds of tradeoffs that a reasonable seller would-which puts legal pressure on actual sellers to choose better overall designs. While Facebook is not about to explode like a poorly designed gas tank-its privacy harms are extensions of "normal" use rather than catastrophic accidents-there are ways in which better designs can make it more privacy-safe.
136 [O]ccasionally a product design causes the product to malfunction in a manner identical to that which would ordinarily be caused by a manufacturing defect . . . Section 3 allows the trier of fact to draw the inference that the product was defective whether due to a manufacturing defect or a design defect. Under those circumstances, the plaintiff need not specify the type of defect responsible for the product malfunction.
Id.
138 Cf. Scott, supra note 134, at 459-60, 467-70 (discussing ambiguity of software defects between "manufacturing" and "design"). I would add that the replicability of software means that every user's copy of the "product" is actually identical. See generally James Grimmelmann, Note, Regulation by Software, 114 YALE L.J. 1719 (2005) (discussing the predictable consequences of using software as a regulator). This fact collapses the most obvious distinction between manufacturing defects (in which a single product falls short of the usual standard for its class) and design defects (in which the entire class falls short). Michael Scott would make the distinction based on the point during the software production process at which the mistake was introduced. Scott, supra note 134, at 459. I am not so sure. In addition to the evidentiary costs of such an approach, it seems unnecessary in light of the purposes of products liability law. Whether Facebook ought to be liable for users' privacy harms ought to depend on policy choices and evidence of the specific software features at issue, rather than details of the software design and testing process.
139 RESTATEMENT (THIRD) OF TORTS: PROD. LIAB. § 2(b) (1998); OWEN, supra note 129, § 8.5.
For one thing, good product design discourages or prevents particularly hazardous uses. For example, guards on a punch press keep the operator from sticking his or her hand in at the wrong time, 140 while the safety on a pistol protects the user who drops it. 141 Similarly, good software interfaces can suggest low-risk actions and make high-risk ones less tempting. Facebook already uses this principle to good effect. Its private messages have a 'reply' button but no 'forward' button-you cannot, within Facebook itself, easily violate the privacy of your correspondents. 142 That is a smart, safe design choice.
For another thing, good product design makes consequences predictable. Sharp spinning blades can be handled safely-provided you know where they are. The on-by-default New York City network that caused Andrea and Bono such trouble was a feature with unintuitive, hard-to-predict consequences. 143 Similarly, the reason that Beacon and News Feed were such disruptive, destructive changes is that nothing Facebook had done-indeed, nothing anyone had done-prepared users for the sudden shift in how their personal information would be used. 144 The smaller the gap between expected and actual exposure, the safer; good design can help close that gap.
Product safety law also scrutinizes consumers' expectations about products. 145 While the 'consumer expectations' test itself-which focuses on consumers' expectations of how safe a product should be, rather than on how they expect it to function-is troublesome to apply in practice, 146 in a broader sense, consumer expectations pervade products liability. If consumers were perfectly informed about exactly what a device would do in every case, there would be no accidents. They would not have bought the trampoline with the wobbly leg or they would not have done handstands on it or they would have stopped jumping a minute sooner. Every accident is an example of frustrated consumer expectations. Asking how its users expect Facebook to work-and when their expectations go wrong-again directs our attention to the right place.
In addition to scrutinizing design decisions, products safety law also pays attention to the quality of warnings. 147 A good warning can point out hidden dangers to help a user avoid them or even make an informed decision to avoid the product entirely. 148 Here again, tort law shows some common sense. Some defects are so obvious that there is no duty to warn against them; 149 others are so serious that no warning can cure them. 150 Facebook's blistering pace of design innovation has often outstripped its ability to document the changes or explain them clearly to users. 151 Sensible policy would focus on encouraging Facebook to make salient a few truly important facts about how it works, with good contextual help for the rest.
In at least one important respect, Facebook is in a better position than most product sellers. Given the fact that the products are out in the wild wreaking havoc, even the seller who learns of the dangers may not be able to do much to limit the harms-or its liability. Contrariwise, products liability law recognizes only limited duties of postsale warning 152 and recall, 153 so there is little legal pressure to make existing products safer. Facebook, however, runs a service that can be patched on the fly. 154 Facebook has used this power to ill effect with Beacon and News Feed, but when it turned off geographic networks, it instantly improved privacy for all its users. 155
Finally, perhaps the most important lesson of product safety law is that there is no silver bullet. The field is complicated and controversial, as one might expect when the stakes can be so high. Nor has product-safety law made products fully safe. As of this writing, Toyota has recalled 9,000,000 cars to fix faulty gas pedals and brakes. 156 Tort law is a useful tool as part of a comprehensive effort but is not a solution by itself. Regulation, tort liability, consumer education, and conscientious design all play into making products physically safe; we should expect them all to play a role in making social software safe for users' privacy. 157
business lawyer conducting confidential negotiations or a criminal lawyer corresponding with witnesses, this kind of exposure could easily be a sanctionable violation of client confidences. 167
Others had even more to fear. As blogger Harriet Jacobs wrote:
As a political analyst put it, "If I were working for the Iranian or the Chinese government, I would immediately dispatch my Internet geek squads to check on Google Buzz accounts for political activists and see if they have any connections that were previously unknown to the government." 169
Google quickly moved to turn off this feature, 170 but not before triggering both a Federal Trade Commission (FTC) complaint 171 and a class-action lawsuit. 172 The book on Buzz is still open, but in the mere eight days from launch to lawsuit, the debate over Buzz hit on almost every point made above as to why product safety is a useful frame for thinking about privacy-threatening social software. Buzz as a whole is a powerful, possibly revolutionary product 173 -however, it also launched with a serious design defect. Just as an otherwise useful buzzsaw is still unreasonably dangerous to life and limb if it sports a flimsy handle, the auto-add feature made the otherwise useful Buzz unreasonably dangerous to users' privacy.
167 See MODEL RULES OF PROF'L CONDUCT R. 1.6(a) (2008); see also United States v. Monnat, 853 F. Supp. 1301, 1305 (D. Kan. 1994) (citation omitted) (discussing the identity of a client as confidential information).
168 See Posting of Robin Wauters to TechCrunch, http://techcrunch.com/ (Feb. 12, 2010) (quoting Posting of Harriet Jacobs to Fugitivus, http://fugitivus.wordpress.com/ (Feb. 11, 2010) (entitled "Fuck You, Google")). In a fitting twist, the original post has been password-protected, presumably for privacy reasons. See Posting of Harriet Jacobs to Fugitivus, supra.
169 Net Effect, http://neteffect.foreignpolicy.com/ (Feb. 11, 2010, 06:20 EST).
170 See Helft, Anger, supra note 107.
In particular, Buzz was dangerous because it abused users' expectations. E-mail address books are traditionally private. By default, so is the list of blogs you read. Even Facebook, which officially treats your list of contacts as publicly available, does not by default push the complete list out to a publicly accessible webpage. 174 When Buzz made users' contact lists public, it used their information in a way that none of their previous experience had primed them to expect. This by itself need not have been fatal. There is a first time for everything, including new forms of social software. However, Google's innovative Buzz design was poorly documented: the window asking permission to create a user profile did not explain that its "publicly viewable follower lists are made up of people you most frequently email and chat with." 175 Nor did Google clearly explain how to undo the move once users realized what happened. 176 Instead, it fell to bloggers to create their own guides to disabling Buzz, adding increasingly detailed instructions as they painstakingly reconstructed how Buzz worked. 177 In product-safety terms, Google failed to supply Buzz with sufficient instructions and warnings. Even if opening up your list of contacts to the world was a user mistake, it was an eminently foreseeable mistake that Google should have expected and guarded against. 178
What is more, Google had reasonable alternative designs available to it. The first change Google made to Buzz was to add an explicit checkbox to the sign-up process, allowing users to show or hide their lists of contacts on their profile. 179 This checkbox could have been present all along; it was clearly achievable and imposed few costs on Buzz's utility. 180 Ultimately, Google disabled the auto-add feature entirely, merely providing suggestions of other users to follow. 181 At the same time, Google made Buzz easier to disable entirely. 182 In addition to demonstrating the existence of feasible but less dangerous designs, this rapid response also illustrates the importance of being able to patch a software service on the fly. 183 Whether and to what extent Google ought to be held liable in the pending FTC complaint and lawsuit are more difficult questions-but the power of the product-safety approach in cutting straight to the essentials of the Buzz story should be clear.

IV. CONCLUSION
I am not calling for the direct application of products liability law to online privacy. For one thing, some doctrines of products-liability law, taken at face value, would bar its application to privacy harms altogether. For example, products liability tort suits do not compensate plaintiffs for economic loss and other nonphysical injuries 184 and are limited to defective "products." 185 These doctrines serve important gatekeeping functions within product liability law itself, and blithely discarding them is likely to do violence both to products liability and to privacy law. 186 Moreover, products-liability law has its own doctrinal problems, such as the confused split of authority between risk-utility balancing and consumer expectations as the test for whether a design is defective. 187 There is no good reason to import the full details of these doctrines, warts and all, into privacy law.
Instead, I am suggesting a process of thoughtful conversation and translation between two bodies of law that have a common history and more in common than scholars and lawyers sometimes realize. Products-liability law may not hold all of the answers to privacy law, but it does ask the right kind of questions to help make sense of the confusing world of online social privacy. In the words of the reporters of Restatement (Third) of Torts: Products Liability, 188 "[t]here are no easy answers -only good questions." 189