Google Paper Proves Social Web Has Become a Science
Think back a week, a month, a year or almost five years ago to when you started using Facebook or MySpace. It seemed like such a harmless, simple social transaction as you were friended by a friend, colleague or significant other. Folks, it's not so simple anymore because a lot more is at stake.
Facebook growth has been rocketlike, gaining some 150 million users and eclipsing MySpace's 125 million users this year. Both sites hope to leverage their user bases for more advertising revenue. These walled gardens have established their brands well enough that they, along with Google, have decided it's time to federate their platforms somewhat, enabling users to move data seamlessly from one Web site to the next. This, of course, brings critical privacy concerns to mind.
Accordingly, some Google researchers are getting scientific about this. Monica Chew, Dirk Balfanz and Ben Laurie point out three areas where social networking sites compromise user privacy in a new, thankfully brief white paper, "(Under)mining Privacy in Social Networks." White papers concerning data security on the Web are far from new, but the emergence of one for the so-called social Web spotlights just how serious the social networking phenomenon has become.
These researchers cite lack of control over activity streams, unwelcome linkage and deanonymization through merging of social graphs as the three main privacy concerns for social Web users.
The activity stream is a collection of events associated with a user, including changes the user made to a profile page, any applications the user runs on a social networking site, shared news items and messages sent to friends. The authors warn that a user may not be aware of all the events that are fed into the activity stream. Second, a user may not be aware of the audience who can see that activity stream.
Both issues signal a gap between how a site actually works and how the user perceives it, as well as a lack of adequate communication on the part of providers that wrongfully assume their users know how their technology works. It's okay to set up a Web service and watch it propagate online, but when you start messing with people's data and breaking boundaries without user permission, you're asking for trouble. Duh. Facebook Beacon, CoComment and Google Reader are the great examples the authors cite, all of which caused brouhahas with users.
Unwelcome linkage occurs when links on the Internet reveal information about an individual that they had not been intended to reveal. This happens in plenty of places online, but the social Web is a great testbed for these issues because people exchange a lot of data on them. Data from one context can leak over into another, sparking some unpleasant reactions. Blog trackbacks can break anonymity barriers.
The merging of social graphs is an extension of the breakdown of anonymization online. Again, because social networking sites extract a lot of personally identifiable information from people, users can figure out who an otherwise anonymous user is and expose that person.
So what are ardent social Web users to do? After all, it's not as if they can bury their heads in the sand. After spending hours nurturing their profiles on social networks, should they suddenly abandon them? That's the worst-case scenario. The authors have a number of recommendations, which ReadWriteWeb's Lidija Davis summarizes:
Notice any themes with these recommendations? Oh wait, they're the same two that I mentioned earlier: user ignorance and poor communication. Educating users about how social Web services operate will clear up a lot of confusion. Service providers can save themselves headaches by granting users greater control over their data online without enabling them to compromise their personal data. That's a fine line to walk ideologically and technically, but it needs to be worked out. In fact, folks at these sites are working on just that. Do you agree or disagree with the positions in the Google paper? Why? What would you recommend?

Comments (3)
Interesting points on "deanonymization." It seems that there is an unintended blending of anonymity, confidentiality and privacy. Are they the same? I think not. Where is the line? Do our members/readers understand the difference?
Posted by Anne Easterling | January 12, 2009 6:58 PM
Anne:
I see this as the trickiest challenge: rationalizing social aggregation sites in such a way as to ensure data federation without unintentionally exposing user data. I don't have an answer for this any more than Google, et al. do.
Posted by Clint Boulton | January 12, 2009 7:40 PM
This paper from Google is very interesting, but seems to be based on old facts.
The example with CityBank is very old and was fixed immediately.
Now, it is clear that social media and the interconnect between the services make user data more rapidly and widely available. One key point here is about the user and the fact that he knows which services he is using and how to control it: if you choose to share your data, then you must understand that it becomes public.
The paper mentions that it is critical that the user can keep control over his data, and be able to delete it. coComment offers this in many ways (delete a comment, blacklist a site or a page, anonymize a comment...).
Now, one thing might be missing on the web: private sites should be able to inform the browser of this status (maybe via the site certificate) in order to switch the browser into a "high privacy" mode. This way, the user can ask not to activate any extension/service on such a site and make sure that the data is sent to this site only.
Posted by christophe | January 14, 2009 2:25 AM