Private Facebook profiles aren’t quite as hidden as many users might think they are. Pages that are supposedly restricted are visible to anyone using searches based on religion, sexual orientation or relationship status.
Security researcher Christopher Soghoian announced the flaw on Tuesday. A quick search by Wired News for women in a major U.S. city who were interested in random hookups with men revealed the names and photos of two high school girls, including one ninth grader.
Like many social networks, the increasingly popular Facebook allows its users to mark their profile page as private, semiprivate or open. However, even if you mark your profile to be visible only to friends, that doesn’t change how you turn up in Facebook searches or whether your profile is open to indexing by search engines.
Instead, users looking for privacy must also change their preferences under search; otherwise their profiles will be indexed by internet search engine spiders, and their names, photos and personal data fields will be searchable by any Facebook member who is a fellow member of a “group,” such as a school or geographic area, that the user elects to join.
For instance, if you are a Facebook member of your college, you could run a search to see all the people who are Christian women who are lesbians, all the women interested in women or all the Muslim men into other men. Your search results will likely include people who thought they marked their information as private, but didn’t also change their search settings. (These links all require a valid Facebook account.)
Searchers still can’t click through to the full profile for members who chose to make the profile visible only to their Facebook friends.
Soghoian first discovered the discrepancy in September 2006 and revisited it after speaking with attendees at a privacy conference last week, who suggested that the setup could violate European privacy standards.
Soghoian, a graduate student previously known for disclosing holes in both airport security and Firefox browser extensions, contends that the number of people whose private profiles show up in search results is clear proof that Facebook’s options are too confusing.
“There is an easy way to fix this at the individual level,” Soghoian said. “But the fact that so many people haven’t done it easily demonstrates that opt-out privacy doesn’t work.”
Facebook is no stranger to privacy concerns. Last September, the networking site faced a minor riot from its members following a unilateral change in how other members learn of changes to a user profile.
A Facebook representative did not respond to a request for comment, and Soghoian says his attempts to reach Facebook’s privacy person were foiled when a receptionist told him that the individual did not take outside phone calls. A company representative responded to an email to firstname.lastname@example.org by thanking Soghoian for his note and saying that the company would “certainly keep it in mind.”
Facebook users who set their profile to private and want to keep their name and photo out of searches can do so using the search preference page.
Story update: A Facebook representative responded to Wired’s inquiry after deadline June 27 with an announcement that it had changed the behavior of its privacy settings.
“Facebook offers sophisticated search and privacy controls and is constantly making improvements based on feedback from our users,” the spokesman wrote. “We have since updated the advanced search function so that profile information that has been made private by a user, such as gender, religion and sexual orientation, will not return a result.”
Story update, Oct. 9, 2007: The Facebook search flaw discussed above was first made public in a 2005 paper (.pdf) written by Carnegie Mellon University professor Alessandro Acquisti and Ph.D. student Ralph Gross.
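The behavior described above, as an added illustration that is not code from Facebook or from this story: a Python model of the two independent settings, showing that a filtered search discloses a profile field even when click-through to the profile is denied, next to the behavior the company described in its update. The data model, function names and sample profiles are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    name: str
    networks: set                  # "groups": a school or geographic area
    fields: dict                   # profile fields, e.g. relationship status
    friends: set = field(default_factory=set)
    friends_only: bool = False     # profile-page privacy setting
    search_opt_out: bool = False   # separate search preference

def can_view_profile(viewer, target):
    """Click-through check: a friends-only profile opens only for friends."""
    return not target.friends_only or viewer.name in target.friends

def _candidates(viewer, profiles):
    # Searchable: shares a network with the viewer and has not opted out of search.
    return [p for p in profiles
            if p.name != viewer.name and not p.search_opt_out
            and viewer.networks & p.networks]

def search_before(viewer, profiles, **criteria):
    """Reported behavior: field filters ignore the profile privacy setting."""
    return [p.name for p in _candidates(viewer, profiles)
            if all(p.fields.get(k) == v for k, v in criteria.items())]

def search_after(viewer, profiles, **criteria):
    """Updated behavior: a field the viewer cannot see never satisfies a filter."""
    return [p.name for p in _candidates(viewer, profiles)
            if all(can_view_profile(viewer, p) and p.fields.get(k) == v
                   for k, v in criteria.items())]

# Constructed sample data (hypothetical users and network).
NET = {"Example College"}
SINGLE = {"relationship_status": "single"}
viewer = Profile("viewer", NET, {})
alice = Profile("alice", NET, dict(SINGLE), friends_only=True)
bob = Profile("bob", NET, dict(SINGLE))
carol = Profile("carol", NET, dict(SINGLE), friends_only=True, search_opt_out=True)
PROFILES = [alice, bob, carol]

if __name__ == "__main__":
    # alice's profile page is closed to the viewer...
    print("can view alice:", can_view_profile(viewer, alice))
    # ...yet a match on the filter reveals the value of her private field.
    print("before:", search_before(viewer, PROFILES, **SINGLE))
    print("after: ", search_after(viewer, PROFILES, **SINGLE))
```

Only carol, who changed both settings, is absent from the earlier search; alice's friends-only setting by itself does not keep her out of the filtered results.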