Are Facebook’s privacy settings working?

Anand Iyer — Sat, 20 Jun 2009 23:52:10 +0000

A couple of weeks ago I had an incident with someone I friended on Facebook. I usually just accept any facebook friend requests that come my way. But one person I added as a friend, found my sister on Facebook, befriended her (my sister accepted because she noticed this person was my friend) and from there, it got a little creepy. Apparently this person started asking some pretty pointed questions about my niece. My sister, who would trust my friends, gracefully answered these questions. Later on, my sister casually mentioned this friend’s inquisitiveness to me and the fact that this person had asked about my niece. This made me extremely suspicious. I immediately blocked this new friend and asked my sister to do the same, but I believe the damage had been done at that point. This person probably has pictures of my family in her (or his) possession now.

Soon after that incident, I decided to create a “notfriends” facebook list. I’m not one of those egotistical people – I generally add everyone as a friend, and don’t think about who can see what on my profile. But since this incident, I realized I should control who sees what on my profile. Today, after going through a few more friend requests, I decided to ensure that my privacy settings were in fact working and to my surprise, I find out they are not.

1 – I created a new list called “notfriends”

2 – I edited Facebook’s privacy settings and added people who I didn’t know at all to the list “notfriends”. I edited my privacy settings to block ‘notfriends’ from seeing photos, videos and personal information.

3 – I impersonated a member of the “notfriends” list to see what they can see (used the “View Profile As” feature). And guess what, the privacy setting didn’t take. Maybe the impersonation setting was not working? (I’ve deleted the name of the person who I’m impersonating in the image below)

4 – So, I created a new dummy profile called “Art Ignor” and added this “friend” to my “notfriends” list. This friend is NOT in any of the Facebook networks I’m in. I also used another computer to test this (to ensure there were no IP caveats or browser cache issues that could tamper with the settings).

5 – Logged in as “Art Ignor” and viewed http://facebook.com/anandiyer. Guess what, Art Ignor can see all of my profile in spite of being in the “notfriends” list.

6 – I edited the privacy settings and explicitly denied “Art Ignor” permission to see my videos.

7 – Logged in as “Art Ignor” and checked out my videos. And, guess what:

I even waited several minutes (to ensure that the setting has ‘propagated’). No luck.

Facebook, what am I doing wrong? I’ve edited complicated ACLs using Cisco’s IOS CLI, and maybe that’s part of the problem that I don’t know how to use your UI. I don’t want to be an ass and “delete” friends I’ve met on Facebook (although I may not know them). As an evangelist I want to keep my channels of communication open (Dave Morin would empathize), but I want to restrict what some people can see. Please, please, tell me I’m doing something wrong and that your privacy settings aren’t actually broken.

PS: I’d twittered about this possible hole in Facebook time back when I was first tinkering with the privacy setting:

[ad]

Artificial ignorance » facebook

Are Facebook’s privacy settings working?