
Privacy restrictions on Facebook posts are visible to users - compsciphd
https://plus.google.com/110402443423554417660/posts/YgQGEZPWvPk
======
mkjones
Hey folks - thanks for the post. I'm an engineering manager at Facebook and
worked a bit on this issue earlier today. As some people have pointed out,
we've since pushed an update to the Graph API.

A bug in a recent update to our code caused this unintended availability of
some metadata about the audience of posts. Keep in mind, the intended audience
of the actual posts wasn't affected. So far, this is the only report we've
received about the availability of the metadata, and we addressed the
situation within a few hours.

As always, developers must abide by our Platform Policies, including
obligations that protect the information they access through our APIs. For
example, developers may not use someone's information outside of the
application without the person's permission. Additionally, people can control
whether applications have access to their information and posts through their
settings.

~~~
smokeyj
What kinds of systems are in place to make sure private information stays
private? Facebook invites so many people to spill their personal lives on the
internet, and many of them are under the impression they have privacy and
control over their data. When this trust is gone, everything about facebook
will go through a mental-filter consisting of "What happens when Facebook's
permissions bug-out, and my boss has full access to my profile?", and
conversations will go the way of small-talk. I guess that's what people should
be asking, but it seems only the tech-savvy realize there is no privacy.

~~~
autophil
Be assured that Facebook's permissions will bug out time and time again. Just
like when Facebook changes or adds a new feature - permissions get clawed back
to being public.

Why are people so forgetful about this? Maybe the answer is similar to why
some people stay in abusive relationships.

~~~
adgar
> Maybe the answer is similar to why some people stay in abusive
> relationships.

As someone who was in an abusive relationship for a couple years, who found
himself giving everything for nothing in return and not understanding why
everything sucked: I can sort of see your point. The bits and pieces are
there. But it's a really, really stretched metaphor.

Abusive relationships involve deeply personal manipulation and that's why they
get such a hold over you. Consumer apathy is not even close to being directly
convinced by someone you love - often using your own fears against you - to
stop caring about your own needs.

------
badclient
I am one of the biggest fans of facebook's privacy settings and bat for them
for providing such granular control. However, this has creeped the fuck out of
me! I make extensive use of this feature and am going back through a bunch of
posts reevaluating the settings knowing the person can see it.

Almost 100% of my posts in the past 6 months have custom settings but there is no
way I can go through each one of them.

This is HUGE from my perspective. I am typically the guy to tell others
constantly bitching about fb's privacy settings to move on. But alas, the day
has come when I am officially scared to use facebook.

~~~
res0nat0r
> This is HUGE from my perspective. I am typically the guy to tell others
> constantly bitching about fb's privacy settings to move on. But alas, the
> day has come when I am officially scared to use facebook.

Um, what kinds of friends do you have on Facebook? Maybe you shouldn't be
friending these people in the first place.

~~~
smokeyj
Maybe privacy controls should offer privacy, instead of tricky-dick
shenanigans.

~~~
res0nat0r
This isn't "tricky dick shenanigans", it's an oversight of one team working
on one small part of the entire Facebook infrastructure. It is cool to hate
Facebook on HN now, because they make a lot of money and the audience here is
predominately trying to bootstrap a startup but that doesn't change the fact
that one of the most popular and largest sites on the Internet has an issue
which was developed most likely by a few engineers.

These amateur hour type comments which seem to always follow Facebook posts
anymore seem to say more about the fact that more and more HN commenters have
no experience working in an enterprise environment and believe their 10
instance AWS based startup they are currently involved with somehow is
comparable to the Facebook ecosystem.

~~~
smokeyj
Who's hating on Facebook because they have money? I'm hating on Facebook
because they can't secure a CRUD app, and don't really seem to care much
either. This isn't the first occurrence of a permissions snafu, which tells me
they should invest some more of their bundles into QA and testing. But then
again, click-bots probably offer a better ROI.

~~~
res0nat0r
They do care, note the top post of this story now is from a FB employee
stating they've fixed the error 7 hours after it was published.

Also Facebook is slightly more complex than a CRUD app.

~~~
smokeyj
Damage control != caring. Caring would be fixing their systems after the first
few privacy fuck-ups. Why are you so determined to paint FB in the best of
light?

Honest question. How many more breaches have to occur before you consider FB
reckless? Or is your allegiance unconditional?

~~~
res0nat0r
I'm not defending Facebook, I just have actual experience working in real world
enterprise size companies. My previous gig was as an engineer for one of the
largest websites on the Internet. It employs thousands of engineers and
software developers working on hundreds of different small teams who all
release early and release often.

There isn't some magic wand that Zuck can somehow wave to prevent software
bugs from occurring. That's how things actually work in the real world.

~~~
smokeyj
You're evading the question. How many more privacy breaches have to occur
before you consider FB reckless? I'm not talking about security breaches, I'm
talking about code being pushed that breaks expected privacy functionality.

This is especially pathetic considering they're "enterprise". You would think
they engineered some kind of security test to check for these things. Why it's
not in the build-process points to negligence in my eyes.

------
badclient
While them showing the Except list may be a bug, them listing out individual
users you have made something visible to is a feature. I only started seeing
it yesterday and just went back to delete any individual user-only post that I
could easily remember having made. Here is what I see when I click on some of
the custom icons:

"These are other people who can see ----'s post. When you share with a
specific set of friends, they can see the audience. However, your friends
can't see when you put them on a list like Close Friends or Acquaintances."

This feature makes NO SENSE. Please remove this, facebook.

------
zzleeper
I think this may be already 'fixed', I'm seeing "privacy": {} in all of my
json results..

~~~
rhizome
Good thing Facebook has a rigorous and innovative hiring process that gets
them the best of the best.

~~~
human_error
You don't need best of the best to modify, most likely, one line of code. I'm
pretty sure anyone who can code would modify it correctly. You need the best
of the best who won't do this sort of issue in the first place.

~~~
badclient
I used to think I can tell fixes that require one line of code edit. But after
having worked on a couple of somewhat complicated projects, even the smallest of
edits often impact at least some other system and even if they do not, because
of the possibility that they may, you have to do rigorous QA. So yes, while
this could easily be a 10 second fix for a new product with few users;
facebook likely spent several hours to implement a fix for this.

------
svachalek
I saw discussion of this a while back but unfortunately can't find the
original link. The essence of the argument boils down to the purpose of
privacy settings on postings; the concept of an "everybody can see this except
Bob" setting is completely stupid from a traditional security perspective, but
it makes sense if you're planning a surprise party. You don't expect Bob is
going to try to circumvent the security AT ALL because it's like punching
through a wet paper bag. It's like subtly tapping your watch at a party. It's
not an unbreakable code, it doesn't need to be, it isn't meant to be.

~~~
compsciphd
Let's say you're upset with someone, want to vent so say it anonymously and
restrict said person from seeing it, so you can vent publicly, and not
embarrass anyone (presuming people won't be able to figure out via the post
itself who you are talking about).

Because of this, your efforts might be wasted.

~~~
unreal37
As soon as that person sees your Facebook account using the mobile phone of
another friend of yours, the jig is up. Don't "vent publicly". Vent privately.

If you do this a lot, you will have publicly offended a lot of friends of
yours and it will backfire one day. One day someone will know who you are
venting about, and copy it and send it to them just for fun.

------
AustinGibbons
also added to the g+ but...

<https://www.facebook.com/whitehat/bounty/>

~~~
compsciphd
oh well, didn't know about that. This isn't really too complicated, I just
can't believe no one has looked at the json for the newsfeed before!

~~~
nikcub
I went through this as well, but it turns out that an outside perspective is
all that is required to notice that something is unusual or not right.

Don't underestimate what you may consider to be normal or obvious, as it may
not be to others.

