Are Facebook’s privacy settings working?

A couple of weeks ago I had an incident with someone I friended on Facebook. I usually just accept any facebook friend requests that come my way. But one person I added as a friend, found my sister on Facebook, befriended her (my sister accepted because she noticed this person was my friend) and from there, it got a little creepy. Apparently this person started asking some pretty pointed questions about my niece. My sister, who would trust my friends, gracefully answered these questions. Later on, my sister casually mentioned this friend’s inquisitiveness to me and the fact that this person had asked about my niece. This made me extremely suspicious. I immediately blocked this new friend and asked my sister to do the same, but I believe the damage had been done at that point. This person probably has pictures of my family in her (or his) possession now.

Soon after that incident, I decided to create a “notfriends” facebook list. I’m not one of those egotistical people – I generally add everyone as a friend, and don’t think about who can see what on my profile. But since this incident, I realized I should control who sees what on my profile. Today, after going through a few more friend requests, I decided to ensure that my privacy settings were in fact working and to my surprise, I find out they are not.

1 – I created a new list called “notfriends”

2 – I edited Facebook’s privacy settings and added people who I didn’t know at all to the list “notfriends”. I edited my privacy settings to block ‘notfriends’ from seeing photos, videos and personal information.

3 – I impersonated a member of the “notfriends” list to see what they can see (used the “View Profile As” feature). And guess what, the privacy setting didn’t take. Maybe the impersonation setting was not working? (I’ve deleted the name of the person who I’m impersonating in the image below)

4 – So, I created a new dummy profile called “Art Ignor” and added this “friend” to my “notfriends” list. This friend is NOT in any of the Facebook networks I’m in. I also used another computer to test this (to ensure there were no IP caveats or browser cache issues that could tamper with the settings).

5 – Logged in as “Art Ignor” and viewed http://facebook.com/anandiyer. Guess what, Art Ignor can see all of my profile in spite of being in the “notfriends” list.

6 – I edited the privacy settings and explicitly denied “Art Ignor” permission to see my videos.

7 – Logged in as “Art Ignor” and checked out my videos. And, guess what:

I even waited several minutes (to ensure that the setting has ‘propagated’). No luck.

Facebook, what am I doing wrong? I’ve edited complicated ACLs using Cisco’s IOS CLI, and maybe that’s part of the problem that I don’t know how to use your UI. I don’t want to be an ass and “delete” friends I’ve met on Facebook (although I may not know them). As an evangelist I want to keep my channels of communication open (Dave Morin would empathize), but I want to restrict what some people can see. Please, please, tell me I’m doing something wrong and that your privacy settings aren’t actually broken.

PS: I’d twittered about this possible hole in Facebook time back when I was first tinkering with the privacy setting:

[ad]

Random Posts

February 17, 2005 -- log4net for logging (0)
January 8, 2009 -- Windows 7 Beta now available to BizSpark startups (0)
September 18, 2008 -- Do you like apples? (0)
February 16, 2005 -- IE 7.0 – coming right up… (0)
February 27, 2008 -- Yelp valuation too high? Oh please… (0)
December 17, 2007 -- KO gets the OK (0)
December 4, 2008 -- BizSpark in LA and SF (0)
March 18, 2009 -- Say hello to the Microsoft Web Platform (4)
August 24, 2009 -- Hello. I’m a Windows Phone (9)
January 16, 2008 -- (my) we all need conditioning coaches (0)

Tags: facebook, privacy

This entry was posted on Saturday, June 20th, 2009 at 4:52 pmand is filed under facebook, privacy. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Guest

I am having the same problem with facebook so-called privacy settings! Yesterday I posted to my wall a question asking for parenting advice, I clicked on the little "lock" icon next to the share button and a dialog box came up and had two settings "Make this visible to" and "Hide this from" and you could select names from your friends list. I selected about 10 old friends who did not know my daughter as i did not want to post it to everyone and embarrass her. My husband was not on the list as I only asked the question to moms...and my other daughter was not on the list, nor were any of her friends. Just 10 people on the "make this visible to" list...it posted to EVERYONE on my friends list news feeds!!!!!!!! Apparently, I am thinking I have to use the "hide this from" list for ALL FRIENDS I DON"T WANT TO SEE IT and I don't know what the he[[ the "make this visible to" list is for then??? Be VERY careful when using that setting - it is not reliable!
Mara Alexander

You're so very right....they aren't working. Silly me, to assume ANYTHING on Facebook works as they claim it does. My bad.
Kernc

Yup, the same goes the other way around.

I have nearly all settings set to 'Everyone', but neither "&viewas=Everyone" nor my other non-friend account display any of the additional tabs besides Wall and Info.

That's a shame. :/
Elizabeth McCoy

many ppl probably have this problem but dont' know it. Scary! Seems like there is no response from facebook resolving this issue and explaining what is going on. Lots of posts in help with no answer.

I had to individually edit EVERY application on my facebook profile to block my limited profile group. That includes photos, groups, and other FACEBOOK apps??? Weird why won't the universal privacy settings resolve this?

Even after that WHICH DID HELP I found that my wall still isn't protected??? WTH???
Cadill

I have the same problem - people and groups who have been explicitly denied access to view my "Wall" are still able to see it. Did anyone ever figure out an answer to this problem?
Name

Thanks for posting this. I finally signed up for Facebook this week and started locking things down and testing. I set up my friends, work and family lists and had photos of various things set up and ready to go. When I tried to set privacy on albums, I can't even get the selection menu to work. Your testing process saved me quite a bit of time. Thanks for saving from a horrible mistake.

I'll still use Facebook but I can not and will not trust it with pictures of my daughter or wife. Pretty much, it it will be used to hear about random parties with casual friends and I can post pix of concerts or something but that's really about it.

In my mind, after what I've heard, the Facebook brand and platform are forever crap and will be regarded as such.

You're my hero.
Nina Anthony

Hi Anand. I just conducted a search on Google using the search phrase: "limited profile privacy function on Facebook does not work" and your post came up. I, too, have discovered that Facebook's privacy settings don't work. I was horrified to learn that everyone can see/read everything on my wall and everyone can see my photos.
I had even instructed my daughter on how to set her privacy settings so that her teachers who had asked to be her friend couldn't see everything. I had created limited profiles for casual acquaintances and work colleagues. I thought everything was working just fine until one day, a friend who was on a list without access to my wall posts, suddently commented on a photo that I posted on my wall. Alarmed, I asked my daughter to put me on a limited profile list and I did the same with her. To our surprise, the limited access settings we customized did not work. I have also tested privacy settings with friends. Again, they do not work. So, for those of trying to conceal things from your boss or your mom, or your teachers, BEWARE. They can see everything!
boni sainti

WOW!!!

I can't believe it..

I've been trusting using facebook privacy settings to protect my privacy all along.

Then after reading all the fuss, I decided to test it using 2 dummy test accounts..

BAM!!

I'm having the same problem!!

I've created the dummy accounts, then put them on a limited profile list. But those accounts can still see my photos, wall post, etc!!

Shocking!

This is a major privacy breech!!

Facebook truly needs to fix this ASAP before the word spreads!

People aren't going to trust using facebook anymore, if this doesn't get fixed!!
unixfg

{deleted}
Stephanos Anton Ballmerfeld

The settings could be better, we will work more closely with them when they let us "invest" more!
Dbalasu

Wow, I had noticed this earlier (about a year ago) but I thought it was just me, doing something wrong. I'm glad someone else noticed it and wrote about it -- I think it might have pushed facebook to do something about it asap? Either way, I hope to try again soon(when I work the time to mess around on fb) and have it working! thanks for bringing it to light -- especially after reading your post about your niece and then some of the comments, I was pretty creeped out!
Cathi

It's August 6, I just spent hours doing just what you did as illustrated above based on an e-how posting. I was so happy! But when I tested it as you did, my settings were absolutely no differant than before I did one single thing. I have no answer- I'm just frustrated too!
Natasha

I just spent a few hours thinking I was crazy for having this problem... Thanks for the step by step, I was doing the same thing and feeling stupid since it wasn't working! I'm so glad I'm not alone, and infuriated that facebook (a company I respected) would let such a MAJOR problem continue for this long. This is horrible.
Name

i tried to do this with coworkers whom i dont know

i also created a new Coworker friend list

both individulally and the list iteself are blacklisted from every possible category (and saved) and yet they can still see EVERYTHING

WTF
Dale

I recently found the same thing. I have photos of my kids reserved for just family and close friends. I had created a limited, and very limited profile, where both were added to no longer view photos and some to not view my contact information. I recently found with a test of adding a friend to each list to verify that it makes zero difference, everything is open to anyone in my friends list.
As far as I am concerned this is Fraud on Facebooks behalf, they make it look like you have security, but in fact you have none.
So to sum up, the following limited profiles that have been added to the no longer view list options on countless sections on facebook, do not work for anything, not for photo albums, not for contact information, not for wall posts, nothing. I have edited each individual photo album I create and added in both limited profiles in the no access section, but it doesn't work.
Jasper

Actually, I think you have not uncovered a bug and all works as designed. But that's the problem, the design is confusing and ambiguous.

You changed the "Videos tagged of me" privacy setting but then write: "I edited the privacy settings and explicitly denied “Art Ignor” permission to see my videos." That is not so, you just made the one link to "View Photos/Video of me" hidden. The question mark besides the privacy feature explains: "Use this control to decide who can see the list of videos of you that you or your friends have tagged." So, it doesn't control access to the videos, it controls access to that specific list. If you want to limit access to a specific video, you have to edit the visibility of each individual video (or photo album) by editing it.

There is a similarly confusing option:
http://www.facebook.com/editapps.php?ref=mb
It lets you make the profile box for photos/videos hidden on your profile. But just like the tagged-of-me list, hiding the profile box itself doesn't change access to the actual media. It may still publish an article on your wall, or a mutual friend (i.e. someone who is tagged or comments) may provide a link to the media indirectly.
sswathi dharshana naidu

hello Mr. Anand Iyer
its really embarrassing me. Do u think i m a fool or crazy? what is this? I was shocked, after reading the article i m really confused. R u crazy?. I m a student (BTech IT in national engg college) I studied in Indian school, Salalah. I lived there for 10 years. i belong to a good family. but u r spoiling my name and behaviour. What do u think of urself?i m a tech researcher and a writer too.I write about people and there achievements. I have written about Neil Patel, Kulveer Taggar,, harjeet taggar, gokulram, ram shri ram and the list of 25 indo-Americans,I was happy when i saw you with mike(tech crunch) and started searching about u on net, i got a answer and an idea on developing Evangelist. i want everybody to read ur history, so i went on writing an article about the famous ppl in a college article it made me to write on a magazine. So i wrote in kumudham(weekly tamil magazine). As i was in facebook, i started a group for you (http://www.facebook.com/pages/ANAND-IYER/86180082038) its is not only for you, it is for ppl who ask me an inspiration stories. i had written more on more ppl. The only reason i went on chat to ur sister is bcoz she also studied in Indian School and another reason is that she is your sister. As i am an enterneur, i was happy to see u growing large. Just ask ur sister did i told anything, we just had a usual chat. If u think that i didn't any thing wrong, just u can clap on my face. You and ur post(blog) really pushed me under thones. This is the first time in my life to hear a bad opition on me.You r not the only person, who i write, You may be the 200th or something. I'ven't meet such a wrong critics,on me. What u said "mentioned this friend’s inquisitiveness to me and the fact that this person had asked about my niece" what is this? If ur sister is a geek i can ask about that, If ur sister is a writer i can ask about that, But ur sister is a friend to me and all she is ur sister, When i went for ur pic to paste it on the facebook group, i saw ur niece, so i asked about her. Do u think i m a terrorist or something like that? please reply me. This is really hurting me. I m a ordinary girl, i m ready to prove,who i m ? and what i m?
Its my mother's promise that i m nothing, and I didn't do anything wrong . Anand please Reply me. If you think that i have done anything wrong or my work had made you feel bad, then millions of sorry sorry sorry.......... you r really brilliant and great, keep doing the same.Pls don't mistake me. Please reply me, so that it will relief me.Please, Please.
BOTTOMLINE: its a promise that i don't have any of ur families picture, if anything lies, then i will delete it.
thank u,

your's faithfully,
swathi dharshana naidu
email= littlecircus-sdn@hotmail.com
cloudsonstreet@yahoo.com
Travis

I think it's just videos that are the problem. Privacy settings seem to work for walls/personal info/photos, but for some reason videos are exempt. Still bad, but not as bad as them not taking effect at all.
Nicolas Sauvage

I confirm this is not working! Just did the test with my wife. Shocking for a company that claims to take privacy so seriously...
Kurt Brockett

It's all good and fine until the niece gets brought into it. Call me extra paranoid now that I have a 17 month old daughter. 99% nothing comes up from Mr. Creepy. But even at 1% it's worth tracking this down. Please, please be sure to keep the post updated as you learn more.

Thanks!
nathantuggy

I am shocked -- especially since I just verified it for myself.
I always assumed that my (moderately stringent) privacy settings were taking effect, mostly because I never had the chance to check on them. To find out that there is no privacy guard against someone you've added as a friend is horrifying! How much else have they gotten wrong?

I'm beginning to have my doubts about Facebook, honestly....

EDITED TO CORRECT: Apparently, I misread the labels on my friend list privacy settings, and thought that I had barred a particular list (semi-friends) from seeing something, when only Limited Profile had been prevented from seeing that.
With that fix, FB privacy settings seem to be working again (I have not verified my privacy settings from another account, only used the impersonation function, so take this with a grain of salt). Perhaps a fairly short-term bug on FB's part, corrected some time between your post and my test just now?
(BTW, all, sorry for that amazing mistake on my part. No excuse for seeing it wrong. I deeply apologize.)
sriks7

Can't believe there are no comments on this!!
Good article Anand , I have been having some doubts my self on this since last week.
When some of my friends could see some comments I had set for them not to in Fb
Katherine LaRochelle

This is seriously disconcerting! I play the Mafia Wars game and added a bunch of people tha tI don't actually KNOW simply for the game. I created a group specifically for these people and added them all into it and did the same things that you describe so that they cannot see my personal informaiton and photos, etc. Now I am seriously concerned that they and anyone they know can see EVERYTHING on my profile! Disturbing to say the least, espcially consider what that creepo was doing WRT your neice!

Artificial ignorance

Are Facebook’s privacy settings working?

Random Posts

Lifestream

Recent Posts

Recent Comments Gravatars

Archives

Meta