Yesterday I blogged about Facebook RSS feeds, where I made an assumption that the only feeds available were ones that displayed information which individual users of the social networking side had designated as public. Boy was I wrong.
Yesterday I blogged about Facebook RSS feeds, where I made an assumption that the only feeds available were ones that displayed information which individual users of the social networking side had designated as public. Boy was I wrong. Fellow ZDNet blogger, Denise Howell, having taken the time to fully explore Facebook RSS feeds in relation to a user's privacy settings, alerted me to the fact that many of the available feeds are publicly accessible regardless.
Status updates. These can be designated as only viewable by friends who are logged into Facebook. However, a second tick box (which is on by default) gives you the option to allows friends to subscribe to your updates too. If ticked, the result is a publicly accessible RSS feed of your Facebook status updates, which is viewable by anyone, not just your "friends" in the Facebook sense. This is clearly a breach of privacy waiting to happen purely through poor UI design. The word "friends" is used in two conflicting contexts.
Additionally, a second RSS feed is generated which aggregates all of your friends' updates (as long as they also have the box ticked), which is, again, publicly accessible. In both examples, information is being made public which users think they've only made available to authorized Facebook friends.
Notes. Despite making my notes accessible by my Facebook friends only, and ticking the box "Anyone who can see my notes can subscribe to my notes", which is on by default, a public RSS feed exists.
Posted items. There doesn't appear to be any privacy options for these, and once again, a public RSS feed exists.
As Denise writes:
So where’s the data leak? Here’s where. These feeds are public. All one needs in order to view and use them is the feed’s URI. There’s no requirement that a reader or user of the feed be the “friend” of individuals whose data is in the feed, or even that the person be logged into Facebook.
Whilst there is nothing wrong with giving users the option to generate publicly accessible feeds for any of these items, it needs to be better designed in such a way that privacy is still an option.