Facebook Private Profiles Not As Private As You Think They Are

[Sidepocket]

Facebook users who set their profiles to private aren't quite as hidden as they might think they are, according to security researcher Christopher Soghoian, who discovered that Facebook's advanced search features reveals people's names, pictures, religion and sexual orientation to people who don't have permission to see their profile.

Like many social networks, Facebook allows its users to mark their profile page as private, semi-private or very open.  However, even if you mark your profile to only be visible by friends, that doesn't change how you turn up in Facebook searches or whether your profile is open to indexing by search engines.

So for instance, if you are a Facebook member of your college or local area, you could run a search to see all the people who are Christian women who are lesbians, all the women interested in women or all the Muslim men into other men.  Your search results will likely include people who thought they marked their information as private, but didn't also change their search settings.

It's not as if Facebook doesn't give you the right to limit who can see your page, but common sense dictates that the vast majority of people who mark their pages as private don't want their information showing up in a public search.  Some might, but here Facebook could automatically remove "friends-only" users from search results, and let those who don't mind be found via searches yet want a private profile choose that option.

The long-and-short?  If you are a Facebook user but want it just to be a place for you and your friends to talk, get thee to to the search settings page today and turn that dial down.  Otherwise, lesbian Jewish high school sophomores who have "private profiles" will have their names and pictures displayed to any schmoo who signs up for a Facebook account and stumbles across the advanced search page.

More technical details on Soghoian's blog, where he also wonders if this 'feature' violates European data protection rules.

UPDATE: Threat Level just noticed that the advanced search lets one search for women who like men and who are looking for "random play."  Two of the private profiles displayed included the names and photos of a high school junior and a ninth grader.

http://blog.wired.com/27bstroke6/2007/06/f...ook-privat.html

[SomeoneE1se]

so the users didn't set their profile correctly, and that's facebook's fault?

[omega_ion]

It isn't Facebook's responsibility to make sure we're keeping our data private enough, they're not our nanny.  Still, it should be made crystal clear how to keep yourself private.

[mubix]

It isn't Facebook's responsibility to make sure we're keeping our data private enough, they're not our nanny.  Still, it should be made crystal clear how to keep yourself private.

Agreed.

http://park.facebook.com/profile.php?id=618331762

[twocs]

It isn't Facebook's responsibility to make sure we're keeping our data private enough, they're not our nanny.  Still, it should be made crystal clear how to keep yourself private.

Agreed.

http://park.facebook.com/profile.php?id=618331762

Mubix, your profile is private but your name is still visible. And your name is visible to anyone who searches for your group.

Now that facebook has fixed it so that profile information that has been made private by a user, such as gender, religion, and sexual orientation, will not return a result. So unless you change your settings, I'm left guessing to your private details.

At least I can see on Facebook that Mubix is listed as one of Darren Kitchen's 63 friends - he's more open minded and hasn't set his profile to private.  :-)

[jollyrancher82]

It's a social network... not very social if everything is private.

[twocs]

It's a social network... not very social if everything is private.

So it's like a network where you can get your social engineering degree?