

Facebook considers your current IP address to be "public information" as well - ams1
http://jwz.livejournal.com/1234802.html

======
iamdave
Okay, this is getting out of hand. And by this, I mean everyone crying wolf at
Facebook. I'm none too pleased about the way the site is going these days
either, but IP addresses = "public information"? Did someone forget how email
headers _work_?

~~~
alanh
There is no reason any Facebook user (including hackers) would expect this
information to be available.

Scenario: I would like to know your IP. I sign up for a throwaway FB account
(perhaps through a proxy), send you a message designed to evoke a response
(even if it’s “Who is this?”). I have your IP.

Typically websites will only reveal users' IPs to administrators, moderators,
owners, and/or peers when direct P2P is involved.

I also highly doubt this practice is described in their privacy policy.

~~~
pasbesoin
I used to curate a small social site whose topic was somewhat sensitive. IP
address exposure became a significant concern with the population. An earlier
administration had left it on. Particularly as the site grew and became less
"cozy", and as the user base became more informed on the topic of IP
addresses, users including old-timers used to the extant exposure became
worried. When control started to be passed off to me and a few others, we
turned it off.

A significant fraction of the lack of concern in such situations is due to
lack of knowledge and understanding. Once users -- users in general, and not
just the "technophiles" -- become aware of the situation and potential issues,
a significant fraction DO have concerns and very explicitly DO NOT want the
"features"/exposure.

A specific example of the latter. Our site was, aside from IP addressing,
totally anonymous. Pick a pseudonym, create an account, and you were in. If
you caused problems, you would be warned and, if you didn't get a clue,
eventually banned.

There was, as there is in most populations, a subset of particularly
manipulative users, some with what I guess might be described as "borderline
personality issues". One of these went on a kick, including possible multiple
identities, causing me to dig in a bit. The combination of IP address -- with
attendant locality -- and a reference to an unusual hobby -- meant that in under
five minutes, I could have driven up to her doorstep. (And, BTW, that would
have been in a rural location where help is not a few minutes away.)

Of course, I didn't use the information that way, but it was useful in
reminding her, in a suitably oblique and non-threatening but pointed enough
message, that her shenanigans were a bit more transparent than she might have
thought.

The premise that "privacy is dead" and that there is no real value for users
in maintaining it, is completely fallacious. I've personally witnessed, very
often, very significant, meaningful exchanges occur in the context of and
precisely because of such privacy and anonymity. There are sensitive issues
that you may NOT share in common with your neighbors, family, friends. Even
when some of those people are supportive, they may not share the actual
experience, nor be sources of useful information and counseling on how to
address it. And not infrequently, those people are actually the source of
problems. And they often know each other, so that if you speak with one, it
influences other relationships.

People on the community I curated did expose their real identities to each
other. But it was usually in private -- out of band -- via email, IM, and the
like. And it was after getting to know one another within the context of the
community and coming to trust each other enough to do so.

If a stranger walks up to you and asks you for your phone number, it's
unlikely you will provide it -- not solely on that basis. Online social
networks need similar contexts. You exchange personally identifiable
information if and only if it suits you and AFTER you've established some
trust.

ADDENDUM: Facebook, per its terms of service, does insist on a real name.
Depending on one's name, that is more or less unique. But it doesn't (so far,
at least) insist on your location (or maybe I've forgotten this, having
entered a very "vague" big city name, myself) nor necessarily expose it as
text. They turned off privacy for profile pictures, but as of this point at
least, you don't have to provide one or a picture that is of you.

Their message facility implies privacy. It's a principal means for
communicating with another user who is not a friend. Exposing IP addresses can
provide fairly specific locality. (Comcast DNS entries are one example I can
think of that narrow things down considerably.) The stalker potential is not
inconsiderable. (And, to bring the topic of forced public profile pictures up
again, combine this with a pretty picture, and you may have one source for a
potential problem.)

In the past, social communities have served specifically as a layer of
abstraction between users and IP addressing. Administrators had access to
addresses, and so one needed to establish trust for a site. But other users
did not. Kind of like going to a party. The host may have invited you, and you
might wear a name tag, but you don't write your address on the tag.

Have you ever gone to a party or meeting where they surprise you with an
attendee address list to be shared publicly? Feel a bit queasy when you learn
of this? Start trusting the host less? Just write down your name, or name and
a suitably large city name that you live in or near?

Actually, I recall something like that, a few years ago, having both U.S.
citizens and Canadians. The U.S. citizens coughed up their full addresses and
phone numbers. The Canadians almost all kept it to "Vancouver, BC" or similar,
and if they provided any specific means of contact, it was an email address --
mostly of the gmail or hotmail variety.

------
jacquesm
Interesting, of course your ip address is normally present in the headers of
your email anyway, but using a service like facebook (which has a pretty high
stalking potential) you might not want to give that much away, especially not
when you think that such info is safe.

~~~
jarek
Use a webmail service which doesn't purposefully append this information to
headers and your machine's IP never surfaces. Gmail is one, I believe.

------
rlpb
Many webmail providers put the originating IP address in the headers in order
to be able to act later if the message turns out to be spam. Hotmail, Gmail and
Yahoo all do it - I just checked. As others have said, this is not news.

Correction: Gmail does not do it when submitting using webmail, only when
submitting via SMTP.

------
oscardelben
The difference between sending a message via facebook and via smtp, is that in
this case facebook is appending your ip address on purpose. I mean, if I
wanted to do the same with my web apps, I'd have to specifically tell my email
framework to include the ip of the user.
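
The header behaviour discussed in this thread, checked from the sending side. This is an added example, not part of any comment here or of any site's code: a pre-send audit that an application operator could run over outgoing notification mail to see whether it exposes the author's IP address to the recipient. The header-name list, the internal ranges and the sample message are assumptions constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Header names assumed for this example; extend the tuple for your own mail stack.
CLIENT_IP_HEADERS = ("X-Originating-IP", "X-Sender-IP", "X-Client-IP")
# Ranges treated as internal (RFC 1918 and loopback); anything else counts as exposed.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: a notification generated by a web app for a logged-in user.
SAMPLE = """\
Received: from [203.0.113.7] by web.example.net via HTTP;
\tMon, 1 Jan 2024 10:00:00 +0000
X-Originating-IP: [203.0.113.7]
From: notifications@example.net
Subject: You have a new message

Hello.
"""

def public_ips(text):
    """Return syntactically valid, non-internal IPv4 addresses found in text."""
    out = []
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:          # e.g. 999.1.1.1
            continue
        if not any(addr in net for net in INTERNAL):
            out.append(str(addr))
    return out

def audit(msg):
    """List (header, ip) pairs that would show the author's address to the recipient."""
    leaks = [(name, ip) for name in CLIENT_IP_HEADERS
             for value in msg.get_all(name, []) for ip in public_ips(value)]
    hops = msg.get_all("Received", [])
    if hops:                        # the last Received header is the first hop
        leaks += [("Received", ip) for ip in public_ips(hops[-1])]
    return leaks

def scrub(msg):
    """Drop the client-IP headers in place; Received lines are left untouched."""
    for name in CLIENT_IP_HEADERS:
        del msg[name]
    return msg
```

After `scrub`, `audit` still reports the first-hop `Received` line: that header is written by the submission server, so removing the address there is a mail-server configuration change rather than something the application can do to the message object.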

------
lukeqsee
Is there anything that Facebook doesn't consider "public information" anymore?

~~~
younata
Anything Zuck writes. Their code.

