Facebook has been left red-faced after having to admit that it hired a PR agency to plant negative stories with the press about privacy concerns on Google.
The irony is, of course, that Facebook is hardly a shining example of how an online firm should protect its users' privacy.
Here's what happened:
* Facebook secretly hired giant public relations firm Burson-Marsteller to seed stories in the media about privacy concerns with Google Social Search.
The Social Search feature of Google scours the web for publicly available information about you from sites such as Twitter, Yelp, Picasa, and FriendFeed, and displays it in the search results of your online friends.
* Facebook's plan backfired badly when Burson-Marsteller approached former FTC investigator and blogger Christopher Soghoian offering him the story, but refusing to reveal who its client was. An unimpressed Soghoian published the email exchange.
Amid much speculation, The Daily Beast news website revealed that the firm pulling Burson-Marsteller's strings was Facebook.
* Facebook confirmed it had hired PR firm Burson-Marsteller to promote the company's position against Google's Social Search facility and admitted that it should have presented the issues in a "a serious and transparent way".
This wouldn't necessarily have been a problem, if the PR agency had been up-front that it was representing Facebook when pitching the anti-Google stories in the first place. What is seedy is that Facebook's involvement was deliberately hidden.
This whole story reeks of poor judgement by Facebook and its PR agency.
And it's rather hypocritical for Facebook to point fingers at possible questions over Google's attitude to privacy, when its own house is in such a mess.
For instance, Facebook recommends that users adopt privacy settings that can reveal their personal data to anyone on the internet.
"Information set to 'everyone' is publicly available information, may be accessed by everyone on the Internet (including people not logged into Facebook), is subject to indexing by third party search engines, may be associated with you outside of Facebook (such as when you visit other sites on the internet), and may be imported and exported by us and others without privacy limitations."
"The default privacy setting for certain types of information you post on Facebook is set to 'everyone.' You can review and change the default settings in your privacy settings. If you delete 'everyone' content that you posted on Facebook, we will remove it from your Facebook profile, but have no control over its use outside of Facebook."
In other words, if you make your Facebook information available to "everyone", it actually means "everyone, forever". Because even if you change your mind, it's too late - and although Facebook say they will remove it from your profile they will have no control about how it is used outside of Facebook.
If Facebook really cared about your privacy online, wouldn't it recommend more privacy-conscious settings and not default to sharing your profile information with search engines?
If you're interested in being safer on Facebook, read more about the security and privacy challenges that exist for Facebook users. You could also do a lot worse than follow the advice in our step-by-step guide for better security and privacy on Facebook.
And, if you're a regular user of Facebook, be sure to join the Sophos page on Facebook to be kept informed of the latest security threats.Follow @NakedSecurity
Full disclosure: Parts of Sophos, although not Naked Security, use Burson-Marsteller on some PR projects.