Europe v. Facebook, an Austrian student organization that keeps tabs on Facebook’s privacy transgressions, recently discovered that Facebook’s latest timeline redesign allowed friends of friends to see the total number of Events a user has attended, even if that person’s privacy settings were set to only allow friends to see such events.
This screw-up allowed for unintended sharing of sensitive information, such as political beliefs and sexual orientation, the group said in a release.
From the release:
"Users were able to look through often times thousands of past events users were invited to, including demonstrations or gay parties."
Facebook’s timeline changes allowed unintended displays of information to friends of friends. Facebook’s “View as” function displayed such information as public, showing it in batches of event activity under a heading called Events.
Facebook thankfully plugged the hole within hours of the group informing the company about the problem.
The problematic section, Events, disappeared from affected users’ profiles, after which the group could no longer access the data in question, Europe v. Facebook said.
When Facebook announced the redesign on March 13, the company said it would be rolled out over a few weeks.
Many users, not having been upgraded yet, were oblivious to the privacy hole, Europe v. Facebook said.
This is the latest of a string of challenges the group has put to Facebook over what it deems privacy violations in Europe.
The group has filed a total of 22 complaints with the Irish Data Protection Authority against Facebook’s European subsidiary in Ireland.
Those complaints were built on the work of meticulous document requester and researcher Max Schrems, who in 2011 extracted a pile of 1,200 pages that comprised his then-current personal-data Facebook dossier.
In fact, Schrems, the organizer of Europe v. Facebook, has been awarded the 2013 International Privacy Champion Award by the Electronic Privacy Information Center (EPIC) for his work, which has “inspired more than 40,000 users around the world to make similar access requests, helping to ensure greater transparency of internet companies”.
As reported by IDG News Service’s Jeremy Kirk, Facebook committed to changing how it retains data and altered some privacy controls following a critical audit by the regulator released in December 2011.
Unsatisfied, Europe v. Facebook has continued to keep the Irish Data Protection Commissioner’s feet to the fire.
This recent privacy hole is just the latest result of the group’s praise-worthy efforts.
The group is to be applauded for its vigilance. That vigilance is pricey, so if you care about privacy and want to support their efforts, you might want to consider contributing to their work at https://www.crowd4privacy.org/.
10 comments on “Facebook plugs Timeline privacy hole”
That's why Facebook should NEVER be used to share anything even remotely personal or private. Once it's out in the "Cloud", you've lost all control over it, regardless of any promises made by vendors to keep it safe.
Yeah yeah. For the rest of us in the real world with active social lives and friends across multiple time zones, it's the only way to stay in touch with people over the years. Facebook is an application like any other and will have bugs. To their credit, they haven't had any password hacks (yet). That's a lot better than Twitter, Evernote, torrent sites, etc.
Interestingly, I live in the real world, have an active social life, and have friends around the world. I've never had a Facebook account. Sure, I might not be fully up to date on what all my friends are doing until I make intentional contact with them (or they with me), and my methods for staying in touch vary from person to person, but my life is still fully packed with events without adding Facebook into the mix.
I see nothing wrong with using social media sites like Facebook, Twitter, Evernote, etc., but you do need to recognize what you're giving away when you use them, and that they aren't actually a requirement for having healthy relationships with other human beings.
Exactly. Having the ability to stay in touch with family, friends and acquaintances is a great use for Facebook, and to share tidbits or memories or whatever, but it doesn't require sharing sensitive personal information (nor bodily functions or the results thereof.)
We have to remember that the Internet DOES NOT FORGET. So those childish indiscretions that are so cockily shared when we're footloose and fancy free will always be around, somewhere, to haunt us when we assume a mantle of more mature status. Likewise, personal and private tidbits will be in the same category. Once published, they remain in cyberspace for anyone with enough savvy to glean them. And given how clever authors of malware have become, not to mention groups like Anonymous, there is already a lot of savvy hard at work collecting.
How did they contact Facebook? I've been trying for ages with no response! I guess my trivial issue isn't controversial enough!
I think it helps to contact the Irish Data Protection Commissioner. Maybe more so if you’re European!
Does anybody have any data regarding how many people are closing Facebook accounts vs. how many are opening them?
I opened mine three years ago and have visited the site maybe half a dozen times since, usually around my birthday when FB sends me an email saying a friend wrote on my wall and once a warning telling me my account had been hacked by a mobile device just outside Hanoi and I should change my password.
I've really found very little use for Facebook and I've often wondered what still draws people to it especially after all the security flaws and unpopular policies they have adopted over the years.
My guess is that only Facebook have accurate stats for how many accounts are active, and how many people are erasing their old accounts.
WHACK! This is how I found out about all the events in the area from promoters' pages… now I'm limited to just the ones they sponsor -_-
You are an ass, the whole event pages are gone because of your stupidity