

Rally HN: help build an independent Privacy Scanner for Facebook - mjpizz

Right now I have some code started for a bookmarklet that runs on Facebook and scans some of the most common privacy holes that are enabled by default. It shows a summary and has "one-click fixes" to lock down those privacy settings. Check it out here:

<http://www.reclaimprivacy.org>

I started this project last weekend on my flight back from Michigan to the Bay, and I just don't have enough free time to really make it solid. The bookmarklet needs better cross-browser testing (it works well in Safari 4, and mostly okay in FF3), and there are plenty of important privacy checks that it still needs to do (wall-post privacy settings, photo privacy settings, etc). A few of the checks can be wonky at times, especially the ones that scan the privacy dropdowns.

So...join in! If you want to contribute, just fork it on GitHub:

<http://github.com/mjpizz/reclaimprivacy>

...I'll check pull requests periodically and redeploy the latest patches. The project is contained in an AppEngine app since that was the easiest thing to throw up on a Google domain this morning.
======
mikeknoop
I like it, and it works as advertised. Don't be surprised if you get a C&D if
this becomes popular though, Facebook hasn't taken nicely to Javascript
hacks/scraping in the past (<http://www.chocolatesoftware.com/firefox/>).

~~~
mjpizz
yea, I'm considering changing some of the "one click" fixes and just directing
the users to the relevant privacy settings. The main goal is to be able to
give this to my less-technical friends and family, so they can fix up their
privacy settings without getting confused by all the deep navigation.

~~~
mikeknoop
That's an excellent goal. How sensitive are the Javascript checks? You can
also pull in some privacy settings (around default settings for posting and
maybe more) via their API. Though in its current state it's pretty awesome.

~~~
mjpizz
thanks! The checks aren't too sensitive, but the one-click fixes can be flaky.
FF3 periodically has issues, haven't had time to delve into it yet. I'm hoping
some other Javascript pros take a look at the code.

------
aristus
I make no comment on the purpose of this tool, but I _strongly_ recommend
serving your Javascript, if not the whole site, under httpS. If you are going
to tell everyone to run arbitrary Javascript in the context of their Facebook
sessions, at least take precautions that this code will not be modified in-
flight.

~~~
mjpizz
I considered SSL. However, Facebook already serves all of their own pages over
plain HTTP, so serving the bookmarklet on HTTPS won't add any security AFAIK.

~~~
aristus
Please reconsider. Also reconsider serving data from olark.com and, generally,
try to reduce your attack surface. There are too many "javascript viruses"
running around already.

------
stcredzero
One thing that might shortly be of tremendous use: some sort of application
that scrapes information off of Facebook, namely one's local friend graph.
(And ToS be damned! That's _my_ information!)

A greasemonkey script would do, but a standalone Windows app would be much
better. (OSX and Linux as well.) Something with a very simple UI, with a login
screen and one button, which would yield an XML or JSON file. Preferably, it
would simulate the browsing speed of a real user, with randomized parameters,
so it would be undetectable. If it ran in the background, it would still be
relatively painless.

Why this would be so useful: I'm envisioning a counterpart program that can
upload such information into something like Diaspora. I'm _not_ advocating
that Diaspora create such an app. Someone else should do it. Someone who might
like to develop a rep as an outlaw. (A beneficial one, however.)

~~~
ptarjan
It should be incredibly simple to build with the graph API if you are
interested. Here is your friends:

[https://graph.facebook.com/me/friends?access_token=222747086...](https://graph.facebook.com/me/friends?access_token=2227470867|2._kM3cX5RaCFseVWGBQANTA__.3600.1274126400-218471|6y8AhZH4q3oZb-QRy6efo6jNUX8).

docs here:

<http://developers.facebook.com/docs/api>

Facebook isn't as tight with your data as you would expect ;)

------
indigoviolet
Aren't you also imposing your "morality" about sharing on users who use this?
Would you be comfortable if Facebook were to do something like this, with
[good] pointing to "sharing something with everyone"?

------
expertcs
<http://www.reclaimprivacy.org>

Clickable

------
price1
I tried clicking your bookmarklet when logged into your site
(<http://www.reclaimprivacy.org>), that is to say, I ignored your directions
on purpose, just to see what would happen. It wedged up my Firefox and I had
to kill it off.

So, maybe some error checking there? Mozilla/5.0 (X11; U; SunOS i86pc; en-US;
rv:1.9.2) Gecko/20100329 Firefox/3.6

When logged into facebook, it worked fine.

------
trhaynes
It cautions me when I have the setting that "Everyone" can friend request me
... maybe be lenient on that one?

~~~
Ixiaus
I'm not. I am now receiving friend requests à la MySpace from completely random
people with 3,000 friends...

If they want to be friends, they need to message me or know one of my other
friends (most of my friends are friends with other friends anyways).

~~~
synnik
I concur - the "caution" is good, as it forces people to re-think their
settings. I decided not to change the items I was cautioned on, but it was
beneficial to see them called out, allowing me to make a conscious choice.

------
mattheww
For me, scanning personal information and scanning friends, tags, connections
information ... both seem to take a long time (now been ~20 minutes).

I'm running Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.2)
Gecko/20100316 Firefox/3.6.2

------
aw3c2
This is very nice. I thought my profile was rather private but some
information was fully public.

Tested successfully in Midori.

Once you give the "ok, it's polished enough", I'll share it with my friends.

------
jayair
"scanning friends, tags, and connections information..." and "scanning
personal information..." did not finish for me on Firefox 3.6.3 OSX.

------
bcl
Very nice! Works just fine in Chrome on OSX. Found a couple of settings that I
would swear I had previously set to just friends.

------
kashif
This is time well spent mjpizz. Some of the one-click fixes don't do anything.
But awesome :)

------
jhrf
Two of the scans didn't complete for me. Anyone else?

------
obsaysditto
nice work... _Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.19)
Gecko/2010033100 Iceweasel/3.0.6 (Debian-3.0.6-3)_

------
Indyan
Ran it on chrome and finished successfully.

------
joshto
Awesome!

------
drivebyacct
<http://imgur.com/ZtcnY.png>

It never changes from this...

Oh, it helps if you mention that it has to be clicked and executed while
actually on facebook.com. You should alter the bookmarklet to reflect that.

Also, please make it easy to copy/paste the bookmarklet. I do not have a
bookmark bar and don't enjoy digging through the source of the page to get the
necessary bit of javascript.

For those in a similar situation: <removed>

Also, your src attribute is missing a closing apostrophe, unless HN scrubbed
it earlier. Never mind, it is HN's fault. Sorry folks, you have to go source-
diving yourself as well.
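
Three of the comments above point at the same loader problem: aristus asks for the script to be served over HTTPS so it cannot be rewritten on the wire, price1 hung Firefox by clicking the bookmarklet on the wrong site, and drivebyacct notes it silently does nothing unless you are on facebook.com. The following is an added example of a hardened loader stub, not the reclaimprivacy.org code; the allowed host list, the script URL (a placeholder path) and the function names are assumptions.

```javascript
// Hardened bookmarklet loader (added example, not the project's own code).
// The decision logic takes hostname and URL as arguments so it can be
// checked outside a browser; only runBookmarklet touches the DOM.

// Hosts the scanner is meant to run on (assumption: facebook.com and its
// subdomains). Refusing to run elsewhere avoids hanging the browser on a
// page whose layout the scanner does not understand.
var ALLOWED_HOSTS = ['facebook.com'];

// Placeholder path: the real script file name is not given in the thread.
var SCANNER_URL = 'https://www.reclaimprivacy.org/PLACEHOLDER-scanner.js';

function isAllowedHost(hostname) {
  hostname = String(hostname || '').toLowerCase();
  for (var i = 0; i < ALLOWED_HOSTS.length; i++) {
    var h = ALLOWED_HOSTS[i];
    if (hostname === h || hostname.slice(-(h.length + 1)) === '.' + h) return true;
  }
  return false;
}

// A script pulled over plain http:// into a logged-in session can be
// modified in flight; only accept an https:// .js URL.
function isSecureScriptUrl(url) {
  return /^https:\/\/[^\/?#]+\/.*\.js(\?.*)?$/i.test(String(url || ''));
}

// Returns {ok, reason|url} so the choice is testable without a DOM.
function planLoad(hostname, scriptUrl) {
  if (!isAllowedHost(hostname)) {
    return { ok: false, reason: 'Open facebook.com first, then click the bookmarklet.' };
  }
  if (!isSecureScriptUrl(scriptUrl)) {
    return { ok: false, reason: 'Scanner script must be served over https://.' };
  }
  return { ok: true, url: scriptUrl };
}

// Browser entry point: injects the scanner only when planLoad approves,
// and reports failures instead of leaving the page in a stuck state.
function runBookmarklet(doc, loc, scriptUrl) {
  var plan = planLoad(loc.hostname, scriptUrl);
  if (!plan.ok) { alert(plan.reason); return false; }
  try {
    var s = doc.createElement('script');
    s.src = plan.url;
    s.onerror = function () { alert('Could not load the scanner script.'); };
    doc.body.appendChild(s);
    return true;
  } catch (e) {
    alert('Scanner failed to start: ' + e.message);
    return false;
  }
}

if (typeof document !== 'undefined') {
  runBookmarklet(document, location, SCANNER_URL);
}
```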

------
jlcgull
Excellent!!! Thank you! Used and recommended to friends and colleagues.

