Facebook Security Isn’t What You Think

A cautionary tale should you ever decide to use Facebook in a manner which requires Child Protection, Privacy or Business.

Facebook Scandals

We have all heard the scandals about Facebook security in the News. Here is a quick reminder about four of the bigger headlines.

Facebook Chat Open To Everyone

In May 2010 it was reported that anyone could intercept anyone else’s Facebook Chat Conversations (NY Times). This flaw was known for months prior to being fixed by Facebook and allowed anyone to intercept and see your private message chat in real-time.

Facebook Groups Flaw

In November 2012 Facebook introduced a flaw that automatically re-joined thousands of people to Secure Groups which they had left years ago (Sophos).

The net impact of this is that people who were banned, deleted, or had left groups were re-added, allowing those re-added users to see posts that they were not authorised to see by the Group owner.

Imagine having a Secret Facebook Group for your Company, an employee leaves, the remaining staff then post unfavourable comments about that ex-staff member, then that ex-employee is automatically added by this flaw.  Make a sentence using some of the following words: PR Disaster, Corporate Embarrassment, Litigation, Disaster.

Anyone Can Take Over Your Facebook Profile

In February 2013 a code hacker identified that Facebook allowed anyone to take complete control of your Profile (CNET) which included messages, pages, private photos, and videos.  Ouch!

Prism Backdoor

In June 2013 it was reported that a US Government program, Prism, allows the US Government to backdoor into Facebook Accounts (BBC News).  It should not be a surprise to anyone, but yes, the Governments have access to your Facebook account.

There is a pattern here.  Yes, Facebook cannot be trusted with your Privacy.

6 Million Telephone Numbers Leaked

Again in June 2013 Facebook leaked the email addresses and personal telephone numbers of 6 million users.  Yes that’s right, 6 million users had their email addresses and telephone numbers compromised.  More details on this security breach here (The Register).

Facebook’s Mantra – “Move fast and break things”

To quote Mark Zuckerberg’s Letter to Investors in Facebook (Wired):

Move fast and break things

- Mark Zuckerberg

Mark Zuckerberg’s message is that Facebook changes often and things get broken.  Facebook moves fast to add new features – and to remain the leading Social Network.

As a result – Facebook Developers break a lot of things.  Including Security.  Often.

Facebook Doesn’t Do What You Think

So with Facebook, sometimes things do not quite work out as you may expect. Here are some examples of common misconceptions.

Facebook & Deleting Photographs

So let me ask you a question, do you know how long it takes for a photograph to be removed from Facebook when you hit the ‘Delete’ button?

Do you think it is more than 4 seconds, more than 4 hours, or more than 4 years, or never?

The correct answer is … between 4 years and never.

Bet you didn’t see that coming?

But but but, I hear you say, I hit delete and the photograph was gone.  Negatory my dear friend – that photograph is alive and well on Facebook’s Network – all you did is delete the ‘Story’ from your Facebook Page.

Those embarrassing photographs of the CEO screaming like a girl after being paintballed by the office juniors posted on your company’s Private Facebook Group?  By all means phone Human Resources and get the story deleted.  But the photographs are still there on Facebook’s Server – I’m sure the shareholders of your company will be very supportive at the annual shareholders conference.

So Why Do Facebook’s Servers Keep Images?  Or Rather, Why Doesn’t Facebook Delete Images?

Well a bunch of reasons,

  • Deleting an image is expensive on server resources. Facebook have made the decision that it is more cost effective from a coding and server resource perspective to keep the image rather than delete it.  This makes absolute sense as thousands of images are uploaded to the Facebook servers every second of the day.  Deleting files slows everything down – and Facebook needs top performance in order to serve the 1 Billion users.
  • Your photo or image may have already been shared by someone else – know all those irritating pictures with the Internet Memes that crop up on your Newsfeed?  Well, when the picture is reposted to a wall – it doesn’t make a new copy of the picture, it links directly to the first version.  Even if the first version is removed from the user’s wall, the photo remains.  This brings a huge cost saving for Facebook: a photo that is shared 100,000 times only uses the space of one picture, not 100,000 spaces.
  • For Child Protection & Legal Recourse – Facebook keeps everything so that if there is ever a court case against it, Facebook can trace their logs and they still have the picture. You know in the movies when the bad guys delete everything on their computer as the cops are busting in the door?  Well that doesn’t happen on Facebook, the bad guys hit delete and the evidence remains!

So it makes perfect business sense for Facebook to retain user uploaded photographs.

No Photograph Security In Groups

Facebook has another really useful feature, Facebook Groups.  These are great, free to set up and very flexible.  We’ve even used a group for a Road Safety Campaign.  We love them, and used correctly they are brilliant.

Facebook Groups have these security settings,

Open – Anyone can see the group, who’s in it and what members post.
Closed – Anyone can see the group and who’s in it. Only members see posts.
Secret – Only members see the group, who’s in it and what members post.

So you may think – fantastic this is the perfect place to post those personal and intimate (ahem) photographs of me and my partner on holiday – and they will be safe from prying eyes!

Wrong! Stop! Do Not Pass Go!

Re-read the wording of the security settings above – it mentions Posts only, not photographs.  Only Posts are protected in the ‘Closed’ and ‘Secret’ settings.  Images are not protected at all, that’s why they aren’t mentioned.

Anyone can open the link to your photographs, they don’t even need to be logged in to their Facebook Account.

To be honest, they don’t even need a Facebook Account.

Yep – the images are open for anyone and everyone to see.

Is this what you expected?

Nope, me neither.

Your Golden Rule: If you post a photograph on Facebook then the 2.5 Billion people of the Internet can view it.


So here’s a quick demo of an image in a ‘Secret Group’ being open to the entire internet.

So I set up my Secret Group:

Facebook Secret Group

Then I added my template plan for World Domination to my Secret Group.

Secret Plans

And then if you click here (opens in pop-up window) … you can directly access the photograph I stored in the Facebook Secret Group.

Although my future goals to take over the world could do with a bit more polish, Facebook’s Security needs a complete overhaul when it comes to Secret Groups and photographs.
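What a membership check on every photo request looks like, set beside the link-only access shown in the demo above. This is an added example, not code from the original article or from Facebook; the path, user names, key and function names are all constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
PHOTOS = {"/media/plan.jpg": b"constructed image bytes"}
PHOTO_GROUP = {"/media/plan.jpg": "secret-group"}
MEMBERS = {"secret-group": {"alice"}}  # constructed membership list

def serve_by_link_only(path):
    """Behaviour the article demonstrates: holding the link is enough."""
    return (200, PHOTOS[path]) if path in PHOTOS else (404, b"")

def sign(path, user, expires):
    """Bind a link to one path, one user and one expiry time."""
    msg = f"{path}|{user}|{expires}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def serve_checked(path, user, expires, sig, now):
    """Hardened handler: each request is re-authorised against group membership."""
    if path not in PHOTOS:
        return (404, b"")
    if user is None:
        return (401, b"")  # not logged in
    if not hmac.compare_digest(sig, sign(path, user, expires)):
        return (403, b"")  # forged, or issued to a different user
    if now > expires:
        return (403, b"")  # link has expired
    if user not in MEMBERS[PHOTO_GROUP[path]]:
        return (403, b"")  # removed from the group after the link was issued
    return (200, PHOTOS[path])

def demo():
    path, now = "/media/plan.jpg", 1_000
    exp = now + 300
    link = sign(path, "alice", exp)
    out = {
        "link_only_anonymous": serve_by_link_only(path)[0],
        "member": serve_checked(path, "alice", exp, link, now)[0],
        "anonymous": serve_checked(path, None, exp, link, now)[0],
        "link_passed_to_bob": serve_checked(path, "bob", exp, link, now)[0],
        "expired": serve_checked(path, "alice", exp, link, exp + 1)[0],
    }
    MEMBERS["secret-group"].discard("alice")  # alice leaves or is removed
    out["after_removal"] = serve_checked(path, "alice", exp, link, now)[0]
    MEMBERS["secret-group"].add("alice")  # restore the constructed state
    return out
```

The last case is the one the Groups flaw section turns on: a link issued while someone was a member stops working the moment they are removed, because membership is looked up on every request rather than baked into the URL.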

Product Placement

With Facebook you are the Product.

Facebook makes money for their shareholders through Facebook Adverts and Facebook Games.

Have you ever noticed that Facebook Adverts match your interests and the places you have visited?  That is because Facebook reads every post you make, tracks your posting location and through profiling builds up a pattern of your activities to target Adverts that you are likely to click on.

It is in Facebook’s interest to get this right as they get paid extra from the Advertiser every time you click a link.  Do you imagine this is all done automatically, with no quality checking by a human to fine tune the automatic algorithm?  Don’t even think it for a moment.

Privacy: Doing it Right

If you need to post photographs and keep them private – do it right, build a secure website, or hire someone to do it for you, or sign up with an existing provider of a secure portal.

If you are a company, keep your company events and photographs in your Intranet Server.

If you are an Education Establishment, keep your kids safe – don’t post their photographs on Facebook.  Can’t find a solution, or can’t afford a solution?  Then do the right thing and keep the kids off Facebook.

Yes Facebook is cheap – it’s also a huge fail and a persistent liability when it comes to Privacy.

Just say no.

Make A Difference – Do Your Bit

You’ve read the stories, you’ve seen the evidence for yourself.  Share this information or hit one of the ‘Like’ buttons below to let Facebook know they need to fix this.
