‘Deleted’ Facebook photos survive online three years later

“How do I delete my Facebook photos?” is a common question I hear.

“You don’t,” is the correct answer.

True, Facebook maintains that you can permanently delete photos. Here are the company’s instructions on how to perform the ritual of killing, if not the literal killing itself.

Facebook advice on how to remove photos

The ritual might give you the fleeting satisfaction of feeling that you’ve cleaned up the visual panoply spawned by your more unprofessional and/or debauched history.

But as Ars Technica’s Jacqui Cheng reports, there are no guarantees in Facebook Land.

Some 2.5 years after Ars Technica first brought the issue up in 2009, Facebook has admitted that it’s still working on deleting photos from legacy servers in a timely manner.

Here’s what Ms. Cheng has to say about it:

The company admitted on Friday that its older systems for storing uploaded content "did not always delete images from content delivery networks in a reasonable period of time even though they were immediately removed from the site," but said it's currently finishing up a newer system that makes the process much quicker. In the meantime, photos that users thought they "deleted" from the social network months or even years ago remain accessible via direct link.

In July 2009, Ars Technica discovered that photos theoretically deleted from Facebook never go away if somebody has a direct link to the image file on Facebook’s servers. In 2012, Ms. Cheng found that those same photos, supposedly deleted nearly three years ago, could still be accessed online.

Users following Facebook’s deletion instructions will find that the image(s) disappear from Facebook’s main user interface, but a link to a .jpg will work just fine “for an indefinite amount of time,” she writes.

At the time, Facebook said it was working with its content delivery network (CDN) partner to significantly reduce the amount of time that backup copies persist. Contrast that with Twitter and Flickr, which both deleted photos within seconds.

It’s easy enough to test: Save a direct link to a .jpg you plan to delete. Delete the photo on Facebook. Then plug in the saved URL.

Whereas such direct links to photos broke after a quick hard refresh on Twitter and Flickr, photos on Facebook and MySpace persisted for, well, years, at this rate, in spite of both companies’ claims that deletions of user information happen immediately.
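The saved-link test and the hard refresh described above can be scripted for your own photos. This is an added example, not code from Facebook or Ars Technica; the function names are hypothetical, and it assumes you recorded the SHA-256 of the image file before deleting it.

```python
import hashlib
import urllib.error
import urllib.request

def classify(status, body, original_sha256):
    """Turn one response for the saved direct link into a verdict."""
    if status in (404, 410):
        return "gone"               # the copy is no longer served
    if status in (401, 403):
        return "blocked"            # not publicly reachable any more
    if status != 200:
        return "inconclusive"       # e.g. 5xx: retry later
    if hashlib.sha256(body).hexdigest() == original_sha256:
        return "still-served"       # byte-identical copy survives deletion
    # 200 with other bytes: placeholder, error page, or a re-encoded copy
    return "different-content"

def check_saved_link(url, original_sha256, opener=urllib.request.urlopen):
    """Re-request a saved link, asking caches along the way to revalidate."""
    req = urllib.request.Request(
        url, headers={"Cache-Control": "no-cache", "Pragma": "no-cache"})
    try:
        with opener(req, timeout=10) as resp:
            return classify(resp.status, resp.read(), original_sha256)
    except urllib.error.HTTPError as err:
        return classify(err.code, b"", original_sha256)
    except urllib.error.URLError:
        return "inconclusive"       # DNS or connection failure proves nothing

if __name__ == "__main__":
    # Constructed sample: stand-in bytes for the photo saved before deletion.
    photo = b"\xff\xd8\xff\xe0" + b"constructed sample, not a real image"
    digest = hashlib.sha256(photo).hexdigest()
    print(classify(200, photo, digest))
    print(classify(200, b"<html>Not found</html>", digest))
    print(classify(404, b"", digest))
```

Run `check_saved_link` against the saved URL at intervals after deletion; a "different-content" verdict needs a manual look, since a re-encoded copy of the photo would also land there.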

Facebook spokesperson Frederic Wolens told Ars Technica that the undeleted photos are stuck in a legacy system that never worked right to begin with:

The systems we used for photo storage a few years ago did not always delete images from content delivery networks in a reasonable period of time even though they were immediately removed from the site.

Mr. Wolens told Ars Technica that Facebook is working on a new system that will delete, as in actual destruction/lack-of-existence really really delete, the photos in a comparatively zippy month and a half. He said:

We have been working hard to move our photo storage to newer systems which do ensure photos are fully deleted within 45 days of the removal request being received. This process is nearly complete and there is only a very small percentage of user photos still on the old system awaiting migration, the URL you provided was stored on this legacy system. We expect this process to be completed within the next month or two, at which point we will verify the migration is complete and we will disable all the old content.

Well, that’s all right, then. If Facebook says it will have a system that works in the next few months, all this will be fine, because after all, we believe what Facebook tells us, right?

Right. Yeah, right.
