Facebook reveals friends list even when it’s set to private (sophos.com)
228 points by ohjeez on Nov 29, 2013 | hide | past | favorite | 60 comments



Also, sophos.com revealed to facebook.com, through an iframe, that I went and read an article on sophos.com about a facebook.com's vulnerability.


It's long past time for Facebook to simply stop using the words "private" and "delete" on any of their pages, because they obviously don't mean it whenever they use them.


I once made a fake FB account for testing purposes. I used private browsing in order to avoid having to log out of my real FB account. The two accounts never became friends or shared anything. The fake account does not have friends at all. The email address cannot be tracked to me either.

Yet every week, this email account receives an email with friend suggestions. I know about 75% of those people. With some of them, I'm not even friends on FB with my real account.


Nothing strange about this. They see that both accounts are accessed from the same ip, so they assume you must know each other.


Maybe it's not strange, but it sucks from a privacy PoV: if you can register an account with somebody else's IP address, you will know who their circle of friends are, even if the person opted for having the friend list hidden from everyone.


Their "Suggest a Friend" algorithm uses lots of factors, including IP address history.

This is also probably why this is a "wontfix" issue for Facebook, since the "creepiness" of friend suggestion accuracy is considered critical to their business success, going by how much effort they put into it.


I think Facebook should just stop playing games and state that nothing will be private with the exception of personal messages. At least then everyone will know what to expect.


As if personal messages are private!


In what way are they not private?


Have you heard of the NSA? I think it's pretty safe to say at this point that NOTHING online is private.


Accidentally upvoted. NSA getting everything is not the same as everyone getting everything. NSA doesn't share with my mom.


Privacy doesn't mean "not everyone is getting everything". If FB shares my secrets with anyone without my consent, they're violating my privacy. They don't need to make them available to everyone for that.


...unless they decide that you are a "radical", in which case they very well might leak it to your family, friends, and acquaintances in an attempt to distance them from you.


One of my good friends is married to an NSA employee, so I can tell you (almost) first-hand that they would if they knew her.


There was the case when someone was denied entry at a US border and a printout of her private FB messages was shown.

http://usahitman.com/ggtaubpfm/ (Best page I could find with the story - I have no idea if that's a credible site or not.)


Uh... the real story is that she gave them the printout.

"Why are you coming to the US?"

"I'm going to be an au pair. See..." [hands over printout]

"You did not apply for a work visa. Goodbye."


> the real story is that she gave them the printout.

That's not what the story says. What's the source of your claims?


Well, the story made its way into the English speaking world via google translate, which is pretty notorious for dicking up subtle things like word order and direct vs indirect objects. She gave them the printout. She the printout them gave. They gave the printout her.

The original article is now gone, but you can read the HN comments from the time. https://news.ycombinator.com/item?id=5864427


The details of the story seem unlikely and it was probably sloppy journalism, but I haven't found anything besides speculation that claims it happened otherwise.

It doesn't appear anything was lost in translation:

https://news.ycombinator.com/item?id=5864882

https://news.ycombinator.com/item?id=5864653

https://news.ycombinator.com/item?id=5864577

I think the likeliest case was that they searched her laptop, found an open tab with her Facebook messages, then printed the conversation.


That's fair. But "Border agents can read your private messages" conveys a rather different idea than "Border agents can read tabs you leave open".


It sure does, but that's still just speculation. I think the story carries more weight than my speculation. Ultimately, we'll never really know what happened.


I discovered this exact vulnerability (it is really a vulnerability, since you even see friendships when both people have set their friends list to "only me") about a year ago and sent Facebook the description through their white hat program. Their response was more or less "won’t fix, no security issue". But it’s kind of funny to see a public blog post about this issue now; maybe this creates some pressure.


The friend list issue seems to be an always "won't fix". I'm pretty sure every so often security researchers or testers reach this "vulnerability" in one method or another. I've gotten a similar response from the Security Team for trying to dig up friend lists. Maybe it helps, maybe it doesn't. I've learned to accept the stance and move on to other security holes.

"A friend connection is two-way - you friend someone, then they approve the friend request. In essence, a friend connection means both "Philippe considers John a friend" and "John considers Philippe a friend". In other words, both people involved have some ownership over this claim - which means the privacy isn't always as simple as with other content."

"Let me use the third example in your screenshots to illustrate. Mark Zuckerberg's friend list is not public. But Greg Golkin's friend list is public - meaning if you pull up Greg's friends, you can see Mark in the list. You can also see Kevin Scott is in the list. Kevin's friend list isn't public... but Stuart Gillette's is, so you can see Kevin show up there. Consequently, using fb:degrees hasn't shown you any information you couldn't theoretically figure out by looking at public friend lists - it's just made it easier to find that info."

"Now I that at first glance this might appear to be inconsistent or a privacy violation. But remember what I said earlier about the two parties involved in a friendship connection. Essentially, you're free to hide the fact that you consider John a friend, but it's also John's choice to publicize that he counts you as a friend - and hiding connections he's publicized would essentially override his privacy wishes. In some cases, such as with fb:degrees, we show connections if they're visible to you on at least one side of the friendship."

"Now, if Mark's list is private and all of his friends set their lists to private too, you should never get a result using fb:degrees. In that case, any final link in the chain connecting you to Mark would involve a friendship that was hidden to you from both sides of the connection, so we wouldn't display it to you."

"A common case where we get similar reports is the "friendship page" between two people - we show mutual friends of the two people if each of the two friend connections is visible to you on at least one side, but we hide any mutual friends where one of the connections is hidden on both sides. To help clarify some of these situations, we added this description to the friend list privacy setting: "Remember: Your friends control who can see their friendships on their own timelines. If people can see your friendship on another timeline, they'll be able to see it in news feed, search and other places on Facebook. They'll also be able to see mutual friends on your timeline."

This is a case where privacy can get complicated, but we think the way we've chosen to operate is a good balance of the competing priorities involved. We've also chosen to focus more on privacy controls around your content and personal information, since trying to maintain privacy by limiting discoverability is often an illusion. Since Facebook is a network designed for social participation, it's nearly impossible for it to work properly and let people stay completely hidden - there are many ways to discover a profile or friendship beyond friend lists or searches. But even if someone discovers your profile, you have a great degree of control about what they can then access.

I hope that helps clarify what you were observing here. Emrakul was also correct that we have rate limiting to prevent brute-forcing at scale, and given the above controls, even building up a list through iterations would never allow you to know for sure if you'd acquired the entire hidden friend list. I think our current setup is working as intended here, but definitely let us know if you think the controls I described can be overridden somehow."
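As an added example (not code from the thread or from Facebook), here is a small Python model of the "visible on at least one side" rule quoted in the reply above, beside the stricter "hidden if either side hides" rule several commenters argue for. The graph, names and privacy settings are constructed placeholders, not real accounts.

```python
# Model of friendship-edge visibility under two policies.
# Constructed sample data: a small undirected friend graph plus each user's
# friend-list privacy setting ("public" or "only_me").
FRIENDS = {
    "mark":   {"greg", "kevin"},
    "greg":   {"mark", "kevin", "stuart"},
    "kevin":  {"mark", "greg", "stuart"},
    "stuart": {"greg", "kevin"},
    "viewer": set(),               # the outside observer, no friends
}
LIST_PRIVACY = {
    "mark": "only_me",
    "greg": "public",
    "kevin": "only_me",
    "stuart": "public",
    "viewer": "public",
}


def list_visible_to(privacy, viewer, owner):
    """Can `viewer` see `owner`'s friend list under owner's own setting?"""
    return viewer == owner or privacy.get(owner, "only_me") == "public"


def are_friends(graph, a, b):
    return b in graph.get(a, set())


def edge_visible_facebook(graph, privacy, viewer, a, b):
    """Rule described in the reply: the friendship is shown if it is visible
    on at least one side, i.e. either person's list is open to the viewer."""
    return are_friends(graph, a, b) and (
        list_visible_to(privacy, viewer, a) or list_visible_to(privacy, viewer, b)
    )


def edge_visible_strict(graph, privacy, viewer, a, b):
    """Stricter rule commenters ask for: hidden unless both sides are visible."""
    return are_friends(graph, a, b) and (
        list_visible_to(privacy, viewer, a) and list_visible_to(privacy, viewer, b)
    )


def inferred_friends(graph, privacy, viewer, target, rule):
    """Every friendship of `target` that `viewer` can learn under `rule`, even
    when `target` has set their own list to only_me."""
    return {u for u in graph if u != target and rule(graph, privacy, viewer, target, u)}


def mutual_friends_on_friendship_page(graph, privacy, viewer, a, b, rule):
    """Friendship-page behaviour from the reply: a mutual friend is listed only
    if both connections to them pass the visibility rule."""
    return {
        u for u in graph
        if u not in (a, b)
        and rule(graph, privacy, viewer, a, u)
        and rule(graph, privacy, viewer, b, u)
    }


if __name__ == "__main__":
    for rule in (edge_visible_facebook, edge_visible_strict):
        print(rule.__name__, "-> mark's visible friends:",
              sorted(inferred_friends(FRIENDS, LIST_PRIVACY, "viewer", "mark", rule)))
```

Under the at-least-one-side rule, Mark's only_me setting still exposes his friendship with Greg because Greg's list is public; under the strict rule an outside viewer learns nothing about Mark's list.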


Obviously there will be a contention when you have an asset that is shared and they flag it in a different way... and on a certain level it makes sense that "public" wins when you have 1 public and 1 private because if one person chooses to share anything else then it's public, so why should connections be different?

But on another level, no.

If a person has decided their connections are private information, then the implication is pretty strong that they could expect that to be private completely. Otherwise I would expect a warning of some kind on my "private" connections that are actually public because the other end is public. They are completely violating the user's expectation and the described functionality of that option.


Right, when preferences are in conflict do you protect the person who cares or the person who doesn't?

Also privacy is like a thermodynamic arrow. You can't unspread a secret or make public information private. So you shouldn't treat the decision to go public lightly.


> Also privacy is like a thermodynamic arrow.

Running off on a tangent, that's a really interesting analogy. I wonder how much could be done with the notion that privacy is the opposite of entropy: that is, privacy is about minimizing the arrangements of how your information is formed, and there's a universal, inevitable trend towards maximizing those arrangements. Differently, privacy as the predictability of how a piece of information moves: as entropy, or publicity, increases the predictability of the information becomes less as its possibility space increases.


This notion makes sense to me. The more public or quotidian your thoughts and behavior, the greater chance that people will be able to nail you down. And there are interesting feedback loops when you go public, then people expect you to continue to be public in similar situations.

There is an interesting tension between the benefits of collaboration and the benefits of individuality. John Lennon and Paul McCartney playing off each other, or Andrew Wiles working alone in obscurity.

Surprise and disruption are closely linked to privacy in my mind. Not necessarily by launch time. But the groundwork for originality to me is laid in the soil of a rich inner life.


> Right, when preferences are in conflict do you protect the person who cares or the person who doesn't?

There is a cost to always protecting the person who cares, which is that people may self-modify to care more, making cooperation harder. (Or just pretend to care more than they actually do.)

It's not necessarily a worry in this particular case, but it's worth considering in the general case.


This works the way secrets work in real life. You may want to keep something secret, but if your friend is indiscreet, the secret is out. You can't force someone else to keep a secret on your behalf.


> This works the way secrets work in real life.

Hmm, no, it doesn't? Your analogy makes absolutely no sense.

If a party wants to make its connections private, then make it private from both sides of the connection. All Facebook has to do is fix this.


I think this is a good insight, and it pertains to any connection between two parties for any service, Facebook or no. You may use a private email service, you may encrypt all your emails...but the moment you email something to another party, and they transmit/copy it in an unencrypted way, your email is no longer "private" and it's not the fault of your own email service either (replace "email" with "SnapChat" for more contemporary analogy).

In the same way, if you're trying to keep yourself incognito...well, don't use Facebook. And, if you must use Facebook, then make friends with great discretion. Just like it's a good policy to only create emails/nude-selfies sparingly, and only when the occasion demands it.


Wow, awesome discussion. Thanks for the original comment phwd. And for the add-ons pxtl & danso. All of your thoughts made me refine and further back my own.

Though I agree there is a two sided ownership (both friends own a 'side') why the privacy policy stinks to me is that it does not seem to me that Facebook really cares about this 'ownership'. They really only want more data and to make their site more valuable. Is it unfair of me to attribute a rationale to Facebook's decision without cold-hard-facts, perhaps.

However, let's look at the two cases: 1) They actually care about this 'ownership' 2) They do not care.

In case 1), they are afraid to violate a person's privacy choice of having a friendship be public. There is essentially a tension between their privacy choices and their 'friends'. It seems to me that when two choices are at odds like this, caution is the best route. For instance, when two people know a secret that relates to both of them, and one feels uncomfortable about revealing it, the general rule of thumb is that you do not reveal (unless it's like murder 0.o). Overall, I guess it seems like if you do make it 'public' it makes someone uncomfortable. While if you do not, it makes someone not get something 'they want'. In this situation, just err towards caution and make it private. What does everyone else think?

In case 2), they just want more data. Well I understand it, but I do not really respect it. I think this is easy. Make it private.

What do other people think? I am open to any logical flaws you find with the above statements.


I think this is a "wontfix" because Facebook heavily relies on their "Suggest a Friend" feature as a core business asset.

I think it's actually a rather sophisticated algorithm. For example, if you own multiple Facebook accounts, it uses what is likely a combination of IP history and persistent cookies to suggest friends no matter what account you are logged into, or what computer you're accessing it from.

My guess is that Security brought this up with management, management consulted business analysts, analysts said fixing this will cripple the accuracy of "Suggest a Friend", and Security has no other recourse. So it stays.


Are you sure about the IP history? That doesn't make much sense to me. I work in a building with a shared internet connection with other offices. It may appear to Facebook that all traffic for that building comes from the same IP. Would Facebook then suggest every person that uses the building to me as a friend?

There is a possibility that if you have multiple Facebook accounts and use the same browser for each, a cookie could be used to link the two. Just because two people use the same computer and the same browser to login to Facebook does not mean they are friends. You might be using a public terminal.

Facebook could match a specific browser session with user visits to other sites that have Facebook features. Your digital fingerprint could be determined through your browsing habits. You don't need to be logged in for that. That would be pretty insidious of Facebook. I'm not a fan of 3rd party JS scripts in that respect.

I've seen friend suggestions that are linked to the email account that I've signed up with. I think this is an email address book leak. Perhaps it's possible to discover someone's work contacts, say, by just signing up with that someone's email address (say a work address). I'm not sure if the email needs to be verified before this information is leaked.


You do always have to worry when "those guys" are running a business this size... don't ya think?


The confusion arises because there's a difference between:

1. Allow my friend list to be seen

2. Allow me to be seen on other people's friends lists

Given Facebook wants users to be as discoverable as possible to form easy relationships, I can see how (1) is generally less damaging to that requirement.

It's a pity since many legacy services allow for (2), e.g. unlisted phone numbers.


This problem doesn't happen when links are one-way like on Twitter or G+. If you instead have two one-way links, then hiding one side means it looks like it's one-way, and you can't see which links Mark has reciprocated.


Facebook's logic is utter BS. Not even G+ is that bad. They could publicize the list of Friend Requests, not confirmed Friends.

The same logic means that all of Mark's posts should be public, if his friends check a box saying "publicize my news feed".


tldr please


At this point, I guess we have to assume that Facebook's mission is to organize the world's personal connections and make it universally accessible.


You can also view a list of someone's friends by trying to recover their password. I reported it to their security team months ago and didn't get a response.


I reported this bug two weeks ago and they have not responded. This is the second time I've submitted a security bug and got nothing back...


Someone of our team reported it some time ago too. We got a won't fix reply


I think you just have to accept that facebook, in general, has 'share to a wide audience' as a default design stance. That stance enhances general virality and usage of their program and thus increases their user base.

Same with never deleting anything, recording everything you do with like buttons around the internet and making it difficult to do such things as 'delete everything older than 3 months' with one click. Storage is cheap and the more information they have, the more valuable their product is to their customers, marketing firms.

Having a locked-down-by-default stance just decreases the virality of their social product. The amount they piss off is smaller than the amount they gain, unfortunately.


The article mentions the NSA, but if you don't think this can be used by anyone (not just people with huge botnets or databases like the NSA) then you'd be wrong as well. Consider trying to find the address of a person that you only know the facebook account of, but their name isn't listed in the phonebook. If you can see their friends list then it's fairly likely that it might have family members or housemates on it who _are_ listed. This is just one way of using the friends list. So it's a huge privacy issue that someone's friends list is exposed because anyone can use that information to figure out things about the person.


FB should've really kept the initial idea of a public worldwide friend-graph and built a special website for people who want to hang out in private (or let someone else build it).


Yeah, I think that's one of the chief reasons I and others disagree about privacy and Facebook, a mis-match between views of what Facebook is or should be.

I see Facebook as a super-public platform for sharing your life, and that's how I've always thought of it. It's why I've had a hard time understanding how people can debate "privacy on Facebook" in the first place: I've felt there was nothing to debate.


I have a pseudonymous Facebook account that I use to access two private groups. My friends list is empty, which is nice. (It would be nicer if I didn't have an account and the people in the two private groups would check their email as often as they check Facebook so that we could use mailing lists instead of Facebook groups.)


Maybe Sophos should spend more time fixing their lousy software instead? As for security, you won't find it on FB.


The same is true for the profile picture which is always public even if you set the privacy settings to 'only me'. Opening the thumbnail in the browser and changing the image size in the URL lets you view a full size image. Wonder why they even give you the privacy option there.


So is this why I get random spam for which the name on the from address matches various Facebook friends?


In other news, clear incentive structures predict the future actions of companies.

FB makes money when they receive data created when people interact. Anything that limits this interaction will eventually disappear. Take this reasoning to the limit, and everything will be made public.


1) Create a completely new zero account with no connections.

2) Send a friend request to a user whose "private" friends you want to see.

3) Immediately withdraw your friend request.

4) See the "people you might know" list, voilà.

(at least it used to work for me about a year ago when I was looking for one girl)


The article concludes with:

> I agree with Abezgauz on this issue: Facebook has no right to siphon our friends off of a list putatively set to be private.

Now it strikes me that Facebook does have that right. You gave them that right when you chose to create an account with them and chose to make friend connections with that account. If you don't like the way they operate, don't use their service. You'd have to live in a vacuum not to know that Facebook has been consistently pushing the envelope of acceptable privacy for years. The reality is that if you truly need complete privacy, a Facebook account is not for you.


> You'd have to live in a vacuum not to know that Facebook has been consistently pushing the envelope of acceptable privacy for years

Facebook opened with and developed a following on the strength of unusually strong privacy settings.

Expectation-of-no-privacy, if that is an argument, can't apply to people who opened Facebook accounts under those circumstances.


Silly article. Why should Facebook fix anything here? Facebook is making billions of dollars the way it is. Facebook is a social networking site, not a private networking site. No one will get a reply to this because it's pointless. What you're asking for goes against the whole point of Facebook. Move on.


Okay, if that were the case, why would Facebook even have an option to make your friends list private?

There's nothing pointless about taking issue with "features" and options that don't do what they're purporting to do.


I think you can do it even without creating a fake account. The "People you may know" page seems to comprehensively list all of your friends' friends. All you'd need is some scraper software to build it into a better organised list.


man this privacy thing is one nasty can of worms. they should've either kept it completely private or just public.

frankly if you are an extremely private person you shouldn't be using 'the facebook' but use email instead. few of my friends do just that.

regardless i think this is a non-newsworthy article, facebook has had this thing for a while and everyone here knows about that IMO.

my 2c


They trust me.



