Europe v. Facebook, an Austrian student organization that keeps tabs on Facebook’s privacy transgressions, recently discovered that Facebook’s latest timeline redesign allowed friends of friends to see the total number of Events a user has attended, even if that person’s privacy settings were set to only allow friends to see such events.
This screw-up allowed for unintended sharing of sensitive information, such as political beliefs and sexual orientation, the group said in a release.
From the release:
"Users were able to look through often times thousands of past events users were invited to, including demonstrations or gay parties."
Facebook’s timeline changes exposed this information to friends of friends. Facebook’s “View As” function showed the information as public, listing it in batches of event activity under a heading called Events.
Facebook thankfully plugged the hole within hours of the group informing the company about the problem.
The problematic section, Events, disappeared from affected users’ profiles, after which the group could no longer access the data in question, Europe v. Facebook said.
When Facebook announced the redesign on March 13, the company said it would be rolled out over a few weeks.
Many users, not having been upgraded yet, were oblivious to the privacy hole, Europe v. Facebook said.
This is the latest of a string of challenges the group has put to Facebook over what it deems privacy violations in Europe.
The group has filed a total of 22 complaints with the Irish Data Protection Authority against Facebook’s European subsidiary in Ireland.
Those complaints were built on the work of meticulous document requester and researcher Max Schrems, who in 2011 extracted a pile of 1,200 pages that comprised his then-current personal-data Facebook dossier.
In fact, Schrems, the organizer of Europe v. Facebook, has been awarded the 2013 International Privacy Champion Award by the Electronic Privacy Information Center (EPIC) for his work, which has “inspired more than 40,000 users around the world to make similar access requests, helping to ensure greater transparency of internet companies”.
As reported by IDG News Service’s Jeremy Kirk, Facebook committed to changing how it retains data and altered some privacy controls following a critical audit by the regulator released in December 2011.
Unsatisfied, Europe v. Facebook has continued to keep the Irish Data Protection Commissioner’s feet to the fire.
This recent privacy hole is just the latest result of the group’s praiseworthy efforts.
The group is to be applauded for its vigilance. That vigilance is pricey, so if you care about privacy and want to support their efforts, you might want to consider contributing to their work at https://www.crowd4privacy.org/.