Saturday, May 1, 2010

Facebook Photo Sharing is BAD

It is up to you to decide how bad this is for you, but to me it looks like a typical case of BAD (Broken As Designed):

When you create an album and/or upload photos (or any other images) to an album on Facebook, no matter what the privacy setting for the album is, your pictures are public.


Let me give you a couple of simple examples:

The privacy setting for this profile album is set to "Only Me" (that's even more restrictive than "Only Friends" and kind of defeats the purpose of sharing pictures, but we are just testing here). Now, click this link: http://www.facebook.com/album.php?aid=-3&id=100001059529714&l=cfe0ebc055. Can you see it? And so can everybody else. (UPDATE: see the note at the bottom of this post.)

Not surprisingly, other (non-profile) albums behave the same way. Here is a non-profile album whose privacy setting is "Only Me"; click http://www.facebook.com/album.php?aid=2010&id=100001059529714&l=9ecc25aa6a and you will see for yourself that it is publicly accessible. So are the individual images, directly: http://www.facebook.com/photo.php?pid=26234&l=d3ef03496b&id=100001059529714 and http://www.facebook.com/photo.php?pid=26235&l=c4ef2895ba&id=100001059529714.

It is very unlikely that anybody would upload photos to Facebook and restrict access to no one but themselves. OK, let's simulate a more realistic scenario: you create an album accessible only by your friends and post some perfectly innocent pictures, but then one of your friends posts a comment that alludes to something you would rather keep just between the two of you. Guess what happens then. The incriminating comment becomes public together with the picture. Here is the album: http://www.facebook.com/album.php?aid=2027&id=100001059529714&l=96c310c5c4; and here are the individual pictures with comments: http://www.facebook.com/photo.php?pid=26392&l=ef4ab17124&id=100001059529714 and http://www.facebook.com/photo.php?pid=26393&l=2bd03e2fc0&id=100001059529714. Of course you can remove comments, but don't you have anything better to do than track the comments of your dumb Facebook friends? Besides, who knows who might have seen or cached the comment before you deleted it.


Here is how it works:

Whenever you create an album or upload a picture, a random URL (which you can send as a link to anybody you want to share the album/picture with) is generated and displayed at the bottom of the page under the line that says "Share this album/photo with anyone by sending them this public link" (it says "album" under an album and "photo" under an individual image). It is generated automatically whether or not you want to share the album/image with anybody who is not on Facebook, and you have absolutely no control over it. The Facebook people must assume that it is too hard for somebody to "guess" the URL. I wouldn't be so sure. "By hand" it may be quite difficult, but a computer program should be able to do the trick. "Security through obscurity" is never secure. The random (if it is, in fact, random) string in the URL is not that long, so, in theory at least, images posted by Facebook users can be accessed by people who are not supposed to see them or, rather, by people whom unsuspecting Facebook users do not expect to see them.


Conclusions

I do understand that there is no other way to allow an unauthenticated user to access a secure resource (obviously, an irreconcilable contradiction) except by effectively making the resource not secure. I also understand that Facebook is trying to keep their users, some of whom probably want to be able to share their photos outside Facebook, happy. But I also believe that users should be able to disable generation of public URLs either for each individual image (probably too much pain), or for each album, or for the whole account (the latter is, of course, the least flexible option and might make a lot of users mad). And let me make this clear: Facebook should not just "hide" the block that says "Share this album/photo with anyone by sending them this public link...", giving users a false sense of security, but actually make the non-public images inaccessible to unauthenticated users, i.e. requests for any album/image URL, except those explicitly shared publicly by their owners, must be redirected to the login page. On the user interface side, a checkbox (unchecked by default) to make the resource public should be added, so that nothing is public by default. I do realize that I am essentially suggesting yet another layer of access control on top of the already complicated existing ones, and that Facebook will most likely be quite reluctant to implement something like that, but the way it works now is just plain wrong.
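To make the proposal concrete, here is an added example (not Facebook's code; the Album class, the authorize function and the "redirect_login" outcome are my own assumptions) of the access check described above and in "Here is how it works": a share link exists only after the owner opts in, is generated with 128 bits of randomness instead of the ten hex characters seen in the l= parameter of the links above, can be revoked, and is never accepted for an album whose owner has not enabled it.

```python
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Album:
    owner: str
    privacy: str                       # "only_me", "friends" or "public": audience for logged-in viewers
    public_link_enabled: bool = False  # the proposed opt-in checkbox, unchecked by default
    token_hash: Optional[bytes] = field(default=None, repr=False)  # only a hash of the token is kept

    def enable_public_link(self) -> str:
        """Owner opts in; returns the share token to show once. 16 random bytes = 128 bits."""
        token = secrets.token_urlsafe(16)
        self.token_hash = hashlib.sha256(token.encode()).digest()
        self.public_link_enabled = True
        return token

    def disable_public_link(self) -> None:
        """Revoking the link invalidates every copy of the old URL at once."""
        self.public_link_enabled = False
        self.token_hash = None


def authorize(album: Album, viewer: Optional[str], friends: Set[str], token: Optional[str]) -> str:
    """Decide one request. Returns "allow", "deny" (logged in but outside the audience)
    or "redirect_login" (anonymous request without a valid, explicitly enabled link)."""
    if viewer is not None:
        if viewer == album.owner or album.privacy == "public":
            return "allow"
        if album.privacy == "friends" and viewer in friends:
            return "allow"
        return "deny"
    # Anonymous request: a token alone is never enough unless the owner opted in.
    if album.public_link_enabled and token is not None and album.token_hash is not None:
        candidate = hashlib.sha256(token.encode()).digest()
        if hmac.compare_digest(candidate, album.token_hash):  # constant-time comparison
            return "allow"
    return "redirect_login"


def token_bits(token: str, alphabet_size: int) -> float:
    """Upper bound on the entropy of a share token drawn uniformly from alphabet_size symbols."""
    return len(token) * math.log2(alphabet_size)
```

token_bits("cfe0ebc055", 16) gives 40 bits for the tokens in the links above, against 128 for the tokens this example generates.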

If you use Facebook, I suggest that, until this issue is resolved, you consider the possible "leaks" of your images and accompanying comments, as well as of your name and account id number (the latter is part of the autogenerated URL), into the world outside Facebook, and then decide whether or not to upload.


Note:
One year later.

Facebook seems to have changed something about the way profile albums are shared. It is possible that they have simply changed the way public URLs are generated.

This seems to be a minor improvement, but the root of the problem is still there.

My interest in Facebook is not strong enough to motivate me to thoroughly test it again... unless they pay me, of course ;-)

1 comment:

Anonymous said...

Great!

It's a good explanation of the Facebook behavior!