The Associated Press reported this afternoon that its reporters were able to use an undisclosed method to access private photos on Facebook, including some from Paris Hilton at the Emmys and others from Facebook founding CEO Mark Zuckerberg's vacation in November of 2005. (They did not publish any of those photos, but Paris uses Facebook for real - confirmed!)
If that was Zuckerberg's last trip outside of work, he'd better not schedule more any time soon. Privacy controls have been the defining feature of Facebook's past success and are central to the company's plans for the future. Update: Some readers here and on Twitter are telling us that it's a simple URL edit that has exposed these photos for months, much as was the case with MySpace in January. It does appear that that particular method of accessing these photos no longer works.
The AP reported the security exploit to Facebook this morning and says the company appears to have patched it by late in the day. We found the story via social news site Mixx.
Privacy has been an essential, defining characteristic of Facebook's rapid growth and is something users defend loudly. Sometimes perceived privacy violations can be apologized for and quietly moved beyond, as was the case with the launch of the Beacon advertising platform, and at other times perceived privacy violations can cause a huge uproar that gets replaced with user acceptance - as happened with the Newsfeed.
Such will not be the case with today's breach. It appears to have been simply a technical inadequacy. The hole was discovered and shared with the AP by "computer technician" Byron Ng. (Incidentally, the AP says Ng lives in Vancouver but the only Canadian Facebook user by that name lives on the other side of the country. Or does he?) The AP says Ng was testing Facebook's even more powerful privacy features rolled out last week. (In fact, if the rumored URL hack is the method in question, it's all quite simple. Way to go Byron Ng for getting some serious publicity, though.)
When we interviewed Facebook CEO Mark Zuckerberg at SXSW he said that the company's key contribution to the important movement for Data Portability would be to nail down the privacy angle. He pointed out, and rightly so, that users will feel far more secure sharing their data online and across different sites, if they can do so with the assurance that they have control over who can see that data.
It's reminiscent of a story that was reported this January - about putting User IDs into the URLs of private photos on MySpace in order to view them. That breach was said to have been discussed around the web for months before MySpace did anything about it. If this was the same opening available at Facebook - couldn't someone there have said "hey, you can do that here too?"
It's tempting to say that breaches like this are an obstacle to ongoing user adoption of online services. At the same time, how often are credit card numbers exposed? The convenience of online shopping mitigates the impact of those stories. The same may or may not be true with online social networking.
That's probably enough said on the matter. Just try to make sure it doesn't happen again, ok?