The chances are that I’m not your friend on Facebook. But that doesn’t matter. I can almost certainly access personal content that you’ve posted on the network.
With a very simple web script I could mine the comments that you are making to your Friends on your Facebook page – unless you’ve throttled back your security settings to the maximum level of protection.
Speed’s Dan Howe tracks social media developer sites and forums and has spotted a potential security hole in the Graph API that Facebook provides to application designers. An API is a fancy name for how one software application such as Facebook talks to another. TechCrunch also spotted the conversations about the hole and covered the story this afternoon.
The Facebook Graph API can be used to find out what people are posting behind the network’s closed walls.
Here’s an application call for everyone that is making posts about a job interview. If you click on the link you’ll see the code generated by the API-call. Look closer and you’ll see text strings of each conversation that mention the string “job interview”.
Can you see the privacy issues we can?
Of course we could make the presentation prettier by designing an application to manipulate the search data and present it in a more attractive way, but that’s not the point. This is a very trivial example that demonstrates how easy it is for a developer to integrate user data within what we assume to be a closed social network.
I caught up with Dan this afternoon. He’s been working with the API and reckons that unless you have locked down your privacy settings to a friends-only setting, it is possible for anyone with a web browser to access content that you post on your personal Facebook page.
Facebook has published a list of the types of search queries supported in the documentation for the Graph API. These include individual users (you and me), pages, events, groups and status messages. It’s a marketing wet dream.
I don’t know about you but it makes me very uncomfortable and I’ve locked down my security settings as a result. Privacy and transparency are the two issues that could halt the phenomenal growth of social media.
Facebook must make users aware of the potential of the tools that it’s making available to harness data and content posted within its network if it’s to avoid a backlash.

All that’s changed, surely, is the ability to *search* Facebook. This won’t expose information I’ve set as private. As such, can’t see that it’s strictly a “hole.”
The issue is the ease of mining data on Facebook, as you suggest, and the very low levels of awareness amongst users.
Hi Mat,
Yeah, it is not so much a hole to someone who is tech literate; we may have consciously chosen not to change our privacy settings, but as Facebook hasn’t educated users to the privacy setting defaults being open, the average user just isn’t aware.
One of the comments in the HN discussions, from the link in the blog, explains:
Behavioral Economics studies show that when something is made a default, about 90-95% of people will keep that default. So, when something is made “Opt out” by default vs “Opt in”, the vast majority of people won’t bother to change things.
Sure, but this is a story from June 2009 really, isn’t it? It’s got nothing to do w/ the graph being opened up – the horse bolted almost a year ago.
Yeah, Facebook privacy issues are an old story and the company pushing us to be more open with our profiles dates back a year.
What happened at the F8 Developer Conference, and why I think it is a game changer, is what the newly launched Open Graph is allowing people to do with the information that many users aren’t aware is public.
As Wadds said above, it is a marketer’s wet dream. While Facebook Connect allowed developers to use the data, Open Graph allows them to view and store it in an easy-to-access URL.
Take a look at http://willmoffat.github.com/FacebookSearch/, it just launched yesterday. The site is from a couple of software engineers looking to shock users to be more aware of their privacy settings by showcasing status updates and photos from users talking about rectal exams and cheating at school, not topics people would be posting about if they knew it was open to the world.
I am sure other creative ways to use and harvest this information will pop up soon, whether it is from marketers or criminals. Think about the benefits this will have for spammers. Instead of sending out messages to thousands of untargeted users, they can now easily and anonymously identify hundreds of Lloyd’s customers who they can target a phishing message specifically for. http://graph.facebook.com/search?q=lloyds%20bank&type=post
I think the news here isn’t that Facebook privacy sucks, it is that Facebook privacy sucks and look at what they’re allowing the public to do with your information.