Facebook’s delicate balance between profits and privacy

In less than a week, the financial world is going to witness Facebook drive one of the biggest initial public offerings in history. It will make its investors stinking rich and have techies espousing the transformative power of the web and social media. But Facebook’s IPO already has skeptics calling the into question the company’s incredible valuation. Some are even wondering if it’s the start of a new bubble.

If that forecast turns out to be true — if Facebook (and the social ecosystem that grew up around it) crashes and burns like MySpace and so many dot.coms before it — privacy might play a major role in its demise. Investors want to see ad revenue grow, but users might bail in a hurry if Facebook crosses the line of how it’s acceptable to treat their very-personal data.

Where’d that revenue growth go?

Forget Hoodiegate and the Silicon Valley versus Wall Street storyline; the latter will embrace the former if they can actually figure out a way to make money. But therein lies the rub for Facebook, which relies on two primary components — users and their data — to drive value in its free service. “We have a lot of users,” Facebook says, “and we can place ads in front of them based on their interests.” It’s a fine strategy until it isn’t.

As Bloomberg reported on Friday, concern that Facebook’s revenue growth is slowing and that ad revenue isn’t keeping up with user growth has some would-be institutional investors wary of the stock. Even if it could keep up, though, one has to wonder how far Facebook’s growth can actually scale. There are almost 7 billion people on the planet, and almost a billion Facebook accounts. There just aren’t that many more truly potential users to add.

However, save for some new business model that transforms Facebook beyond what it is (I’ve suggested it could make a lot of money selling IT software and services, or maybe charging users who don’t want their data collected), advertising is likely going continue as Facebook’s primary source of revenue. And if it can’t rely on ever-greater numbers of users to drive revenue growth, it has to drive more revenue per user. And greater per-user revenue means better targeting, which is fertile ground for privacy breaches real or perceived.

Facebook’s — and the web’s — great privacy risk

Privacy has been and might continue to be Facebook’s Achilles’ Heel. The company already has battle scars because of past transgressions (usually related to privacy settings rather than advertising) and faces 20 years of privacy audits as part of a settlement agreement with the FTC. If Facebook turns up the ad targeting, it risks re-opening those old wounds among users not on board with the trend toward ever-greater personalization online.

In an editorial last week, the Christian Science Monitor asked a very important question:

Will all that trust [that leads users to share their personal information] evaporate someday, especially among users who are “creeped out” by ads that seem to know them so well or that suddenly join a Facebook conversation? If so, Facebook’s advertising earnings would evaporate, too.

NYU Stern School of Business professor Arun Sundararajan seems to think so. “I think the single biggest driver of risk for Facebook … comes down to ‘are they able to strike the right privacy balance?’,” he told me during a recent interview. It’s kind of a chicken-and-egg problem: Facebook has to use and monetize consumer data into ad revenues to justify its lofty valuation, Sundararajan explained, but if it goes too far and turns off users, it risks losing those very users whose data it relies upon.

Is it worth the risk?

This balancing act isn’t unique to Facebook, though, which is why Sundararajan and his colleague Vasant Dhar are working on a framework to help companies mitigate risk by aligning data usage with consumer intent. That means answering the question of how valuable is this data (the stuff you feed into models for profiling, etc.) versus the risk of misalignment of intended use? Those risks range from ethical violations (think Target’s (s tgt) now-infamous teenage pregnancy situation) to database breaches (like when Citi (s citi) customers learned their data was given to — and then stolen from — a third party called Epsilon).

Sundararajan says most companies are still intentionally ambiguous on their plans for consumer data — both how they intend to use it and how they communicate those possible uses to consumers via privacy policies — because they want to keep their options open. They’re relying strictly on return-based thinking, he explained, but “if you’re investing in the stock market and you’re only thinking about returns and not risk, at some point you’re going to lose your shirt.”

Still, even among web companies, Facebook might be in a particularly precarious situation. For example, Sundararajan said, actions such as reviewing a product on an e-commerce site or searching for something on Google are proactive actions that suggest a commercial interest in something or the desire for more information. There’s less alignment between action and data usage if a site is just tracking and using the data that consumers generate (perhaps unknowingly) merely by surfing a site.

When it comes to advertising and Facebook, Sundararajan said, “I don’t go to Facebook looking for stuff to buy. I go to interact with other people.” Finding the right balance between advertising and intent might be prove rather tricky.

Feature image courtesy of Shutterstock user Minerva Studio; bungee jump image courtesy of Flickr user Arjen Toet.