Graham's Blog

I now have a new blog, Graham Thinks.

None of Your Facebook, Twitter or Google+ Photos are Really Private or Limited (Report)

2 years ago    


We all love Facebook, don’t we? Champions of our privacy, never mislaying our data around this vast Web! Actually, we all know that’s not exactly true; after suffering through our email addresses being changed, our inboxes meddled with, our old, buried data being surfaced under the name of Timeline and numerous other misuses of our data. It appears Facebook - and others - has done it again.

In mid-2010, Facebook introduced a new feature to increase privacy within their social network. They provided the option to choose who you shared anything from contact details to photos to specific status updates with, in addition to the already present restrictions keeping content to only approved Friends. This made people feel safer, in the knowledge that if they didn’t want their acquaintances to see something, or wanted to keep something to themselves, they could do so. 

Facebook feels safe, is my point. There are so many privacy settings available that we feel we are perfectly hidden from those we do not want to see us. But, is this vast board of levers and knobs just a façade, keeping us from the truth of our privacy on Facebook?

In the pressing example today, the answer to this question is, unfortunately, yes. 

Photos. We all have at least some photos on Facebook, whether that’s just a profile picture or everything we’ve ever snapped. It’s a place to share them, so why wouldn’t we? But, the granular privacy options often come in useful, and we do rely on them to choose who to share photos with.

It seems there is a flaw in Facebook’s system for storing photos on its servers. When a photo is uploaded, it is saved somewhere on a server. The photo page on Facebook then loads the image and displays it directly within the frame. This means that anyone who has access to a photo can easily find its location on Facebook’s servers and then use that link to share the photo on to those who it was not intended for. Anyone can access any image you post directly without needing any explicit access from you. Surely this isn’t proper security implementation.

So that the scary bit’s over, I’ll cover the limitations of this hole in Facebook’s Photos. Firstly, the link to the photo must come from someone who the photo has been shared with initially. A person can’t find a direct link from your Facebook profile, or search for your images in a search engine, as these pages aren’t crawled. To add to this, any photo you can see on Facebook can be downloaded - and then shared manually if you so wish.

While I can see why people would say it is fine for these images to be shared, because they can be downloaded, I don’t believe this. If Facebook actively promotes that the photos are secure and shared with ‘Only You’, ‘Friends Except Acquaintances’, etc. that should be true. Marking photos as private when they can be easily made publicly is just not good practise by Facebook. It should be fixed.

What do I suggest to fix it? Hiding the image within the photo page. Much like what Instagram photo pages on the Web, I suggest the image link URL is hidden. The image is rendered in a way that it cannot be interacted with directly. See an example here -—cwGcDL. To find the image, one must open the source code of the page and find the correct JPEG (it happens to be the sixth one down). While I believe the Media tab in Firefox can extract images from the source, at least this would keep the image from the majority of people. It’s not that hard to do!

Another solution would be to make the user log in in order to view the image URL. It is blatantly obvious that this should have been the case from the start.

Importantly, Facebook are not alone in this! It is true for both private Twitter accounts, and photos published to Google+ to limited circles. See all the so called private examples below:

Facebook - link

Twitter - link

Google+ - link

These images should not be branded as private or limited when they (not a downloaded copy, ‘they’, the actual on-line file) are clearly available publicly to anyone with the link. This is not proper protection of your data, and it should be sorted. Fix the security or fix the branding, you choose - Facebook, Google, Twitter, I’m talking to you!

Now, what should you do if you want to keep your photos entirely private? Stay away from the Internet, frankly. It is best to believe that anything you publish on-line is public and will be seen by everyone.