Facebook public profiles a ‘disturbing privacy issue’

Cambridge University researchers claim that publicly available profile information on Facebook is difficult to keep secure from phishers, and can even be used by the police and intelligence agencies.

A newly released report centres on 'public search listings' on Facebook, which have been around since September 2007 and were designed to encourage visitors to join by showing that their friends were already members.

The problem was that a public listing would include user names, photographs and the names of 10 random friends - which decreased to eight in January.

Facebook has also added public listings for groups, and affiliations with organisations, causes or products were also listed, according to researcher Joseph Bonneau's blog.

It was a "disturbing" privacy issue because showing a random set of friends on each request would allow a web spider to repeatedly fetch a user's page until it had viewed all of that user's friends.
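The effect of re-sampling on every request can be measured offline. The following is an added example, not code from the article or the researchers: it simulates a listing that shows eight random friends per view over a constructed 150-name friend list and compares it with a keyed, stable sample. The stable-sample mitigation, the function names, the key and the data are all assumptions made for illustration.

```python
import hashlib
import hmac
import random

SAMPLE_SIZE = 8  # friends shown per public listing, per the article


def random_listing(friends, rng):
    """Behaviour the article describes: a fresh random sample on every view."""
    return rng.sample(friends, min(SAMPLE_SIZE, len(friends)))


def stable_listing(friends, user_id, server_key):
    """Assumed mitigation: rank friends by a keyed hash so that every view of
    the same user's listing returns the same sample."""
    def rank(friend):
        msg = f"{user_id}:{friend}".encode()
        return hmac.new(server_key, msg, hashlib.sha256).digest()
    return sorted(friends, key=rank)[:SAMPLE_SIZE]


def exposed_after(listing_fn, views):
    """Union of friend names disclosed across repeated views of one listing."""
    seen = set()
    for _ in range(views):
        seen.update(listing_fn())
    return seen


def views_until_all_seen(friends, seed, limit=10_000):
    """Views of a random-sample listing before every friend has appeared."""
    rng = random.Random(seed)
    seen, views = set(), 0
    while len(seen) < len(friends) and views < limit:
        seen.update(random_listing(friends, rng))
        views += 1
    return views


# Constructed sample data: one hypothetical user with 150 friends.
FRIENDS = [f"friend-{i:03d}" for i in range(150)]
KEY = b"constructed-demo-key"  # placeholder server-side secret

if __name__ == "__main__":
    print("views until full list seen:", views_until_all_seen(FRIENDS, 2009))
    leaked = exposed_after(lambda: stable_listing(FRIENDS, "user-1", KEY), 500)
    print("stable sample discloses:", len(leaked), "of", len(FRIENDS))
```

A stable sample still discloses its eight names and shifts as the friend list changes, so it bounds the leak rather than removing it.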

Bonneau said: "Public listings aren't protected by crawling. In fact they are designed to be indexed by search engines."

He said: "In our own experiments, we were able to download over 250,000 public listings per day using a desktop PC and a fairly crude Python script.

"For a serious data aggregator getting every user's listing is no sweat. So what can one do with 200 million public listings?"

The research said that Facebook was developing a track record of releasing features and then being surprised by the security implications.

He said that, as with security-critical software, where new code is tested and evaluated, social networks should have a formal privacy review of all new features before they are rolled out.

He said: "Features like public search listings shouldn't make it off the drawing board."

Facebook has not responded directly to IT PRO with comment, but Dark Reading quoted Facebook chief privacy officer Chris Kelly as saying public search listings were for members of the social network who wanted "limited elements" of their profile to be searchable online, and that they were able to configure their own public search listing.

He was quoted as saying: "Changes as to the presence or content of a public search listing may be made easily by any user on the privacy settings page."

IT PRO recently reported on the researchers claiming Facebook broke its rights' promise, while the government could employ legislation to force Facebook to keep customer data.