How Facebook privacy failed me

At some point, I put extra email addresses on Facebook because I thought it was necessary for something, but didn’t want to show them, so in the privacy settings marked their visibility as “Only Me.” It turns out that right now, Facebook is blatantly ignoring that privacy setting, and instead showing them to the world.

Here are my settings:

Here is a fragment of my profile, viewed from a friend’s account half an hour ago:

I would complain to their customer service, but I can’t find a link from their Help Center page.

Obviously, this particular issue is a very minor concern for me. But it hardly instills faith in the system — especially considering that privacy bugs are ones that the affected user, almost by definition, can’t see. I’ve also had other weird issues where changes to privacy settings don’t seem to stick when I save then later go back to the page. It’s annoying and hard to verify these things — which is why important “social utilities” like Facebook have to be 99.99999% bug-free for things like this in order to deserve user trust.

Update #1: only by talking to a Facebook employee, I learned that if you search for “bugs” on the Help Center page, you get to the bug report form, and they place a high priority on privacy bugs. I guess this makes me feel a bit better. I’d be interested in knowing the incidence rate of privacy bugs like this. How often does people’s information get revealed without them knowing it? Does the general public of Facebook users have any way of knowing? This seems like territory a third-party consumer or privacy advocacy organization should work on (e.g. Consumer Union or EFF or something.)

Update #2: The bug seems to have disappeared from my friend’s view of my profile. They fixed the bug fast; this was seen about 30 minutes after reporting the bug. Great!

But still, I’m not going to trust Facebook’s privacy settings again, unless there is a credible argument and independent verification that they actually implement what they promise. Since even a low error rate is still bad, verification is hard (rare event detection problem), so I’m not sure what would be a convincing demonstration that privacy settings actually work…

Update #3: Apparently this was a brief but massive and wide-reaching bug. Maureen reports.

This entry was posted in Uncategorized. Bookmark the permalink.

6 Responses to How Facebook privacy failed me

  1. Ann says:

    I just noticed this on my account, did a search on twitter and found your post. Is this really a bug or is it another one of their ways to strip our privacy? I am getting really tired of this. Love facebook, but I dont know how much more of this I am willing to accept.

  2. Eric says:

    >>I’d be interested in knowing the incidence rate of privacy bugs like this. How often does people’s information get revealed without them knowing it? Does the general public of Facebook users have any way of knowing?

    There are plenty of Facebook haters out there on the Internet, and they surely delight in publicizing privacy bugs whenever they happen. A quick search for “Facebook privacy bug” on your favorite search engine will give you find the incidence rate.

  3. brendano says:

    I don’t care about the tone or who’s a hater or not. I’m interested in the probability a privacy bug happens. There are certainly well-publicized cases of several severe issues.

  4. Amber says:

    If your friends account was signed in on your computer, or more specifically using the browser that you had previously used then it could potentially be an issue regarding cookies rather than a ‘Facebook privacy fail’.

  5. brendano says:

    Actually, it was a real privacy bug, as I linked to in the post. Link again.

  6. We can never be careful enough on the web. You should never use your personal (internet provider) rather a Gmail or something like that