Sure, Facebook has received its fair share of criticism over privacy concerns. For the most part I think they’ve done a pretty good job of addressing them by providing their users with a growing list of options for controlling who can see what. The recently added ability to segment one’s “friends” into lists is a nice feature that can help fine-tune privacy settings even further.
However, in Facebook’s quest to become more like Twitter, they’ve compromised everyone’s attempt to secure their own privacy. How, you might ask? By making each user’s RSS feed, or “Friends’ Status Feed” accessible. For those that have no idea what that means, just understand that it’s possible for your status updates to be viewed by others outside of Facebook. And as I’ve discovered, your privacy settings are rendered useless once that happens.
Below are two examples that I’ve noticed over the last few weeks.
TweetDeck
TweetDeck is a popular application for managing one’s Twitter activity. A recent update now allows users to view the status updates of their Facebook friends within the same application. The Facebook integration also allows TweetDeck users to “Tweet” or email the status updates posted by any of their Facebook friends.
So what does that mean to you? It’s simple. With only a couple clicks of the mouse, any of your Facebook friends using TweetDeck could 1) email your status updates to anyone of their choosing, and/or 2) publicly broadcast your status updates to the millions of people and media outlets now using Twitter. Both without your consent, of course!
Google Reader
Google Reader is a web-based RSS aggregator that helps users organize and manage all of the information they are interested in. Since it accepts any RSS feed, it’s very easy for one to add their “Friends’ Status Feed” to their list of subscriptions. Like TweetDeck, this allows users to view the status updates of their friends within an application other than Facebook, thereby creating the loophole that would allow them to do things with your updates that you may not approve of.
Google Reader will allow any of your Facebook friends to 1) email your status updates to anyone of their choosing, and/or 2) make your updates public to the Internet by “sharing” either a single update or their entire stream of friends’ updates – all with or without comment.
While testing the email functionality of Google Reader I noticed an even bigger problem: the recipient of the email is given a link to subscribe to the “Friends’ Status Feed” of the Facebook user who sent the email to them.
Options available to the email recipient when someone emails a status update out of Google Reader.
So what’s the problem?
For starters, all Facebook users are exposed. It doesn’t matter how selective you are in choosing your friends or how restrictive you are with your privacy settings.
It doesn’t matter if it’s your status update that gets emailed out. It could be any one of the many updates that any of your friends receive on a daily basis. Think of it like this: What if you could add the total number of your friends plus the total number of your friends’ friends? Each member of that group represents an opportunity for your privacy to be compromised. And that’s if everyone made their updates available to “Only Friends” versus “Friends of Friends.”
Anyone that obtains access to any of your friends’ feeds can subscribe and view your updates – they don’t even have to have a Facebook account.
Lastly, the magnitude of this privacy outbreak could multiply exponentially for every person who receives the email…including those it could be forwarded to. Imagine what could happen if the email went viral.
Keep in mind, the privacy vulnerabilities exposed by TweetDeck and Google Reader existed even before Facebook announced their Open Stream API earlier this week. Doesn’t it seem fair to think that the additional “openness” and the applications that will be built around it could lead to even more problems?
Addressing The Problem
The underlying problem I see here is that although Facebook may provide an ample supply of privacy settings for users to control the information they share inside Facebook, they have failed to provide the proper education and measures for controlling the information shared about them outside of Facebook. Consider this excerpt taken from the Open Stream announcement:
“Consistent with our previous steps toward greater openness, we believe users must have full control and choice and that’s exactly how we’ve designed Facebook Platform and the Open Stream API. All Facebook Platform terms governing data use apply and an application or Facebook Connect site can only access a user’s view of the stream if the user gives the application permission.”
These terms may address the privacy of the person using the application but what about the privacy of that person’s friends?
With that in mind I spent a considerable amount of time scouring Facebook for an answer. I finally thought I had struck gold when I came across this tab (pictured below) within the privacy settings for applications. Note the line that reads, “You can use the controls on this page to limit what types of information your friends can see about you through applications. Please note that this is only for application you do not use yourself.”

When I first arrived at this page nearly all of the boxes were checked. So I unchecked each of them, one-by-one, and tested how my information was being distributed across TweetDeck and Google Reader each step of the way. Guess what? It made no difference. Trying to limit the information being shared about me outside of Facebook with these controls accomplished nothing.
Next, I found the following little gem way back in the basic settings of my profile. On “Status and Links” I chose “Customize…” and unchecked the box under Subscription that reads “Allow friends to subscribe to my status.” I surely thought this would remove my status updates from all of my friends’ “Friends’ Status Updates” feed. Strike two. After multiple tests it still didn’t work either.

Safety Precautions You Can Take Now
Ready for some spring cleaning on your Facebook privacy settings? These steps may not be the answer to the problem I’ve discovered, but they’ll go a long way to protecting your privacy and just might make you feel a little better.
- Read here to gain a better understanding of how applications will interact with your information.
- Check your privacy settings regularly to make sure you don’t miss any newly added options.
- Review privacy best practices provided by Sophos and act as you see fit.
- Segment your friends into lists as Amy Driscoll outlined here earlier this week.
Where Do We Go From Here?
At this point I’m at a loss. I’m not an expert by any stretch of the imagination, but it seems like the RSS feeds are the culprit here, as opposed to something in the API. It seems like Facebook has good intentions based on the options I’ve shown above, but they’ve apparently missed something and it needs to be addressed.
I would think that a part of Facebook’s success could be attributed to the trust they’ve established with their users. I don’t think people would post the same comments and photos if they knew they were going to be broadcast to the world versus their private group of friends. If Facebook wants to be more open like Twitter, that’s fine, but they better be sure that the community that got them this far understands what’s going on and they better give them the option to opt out of all the newfound “openness.”
Here’s to hoping it’s a quick fix or yet another new setting I missed.
What say you @facebook?




