
3 years later, Facebook still can't delete photos correctly - Karunamon
http://arstechnica.com/business/news/2012/02/nearly-3-years-later-deleted-facebook-photos-are-still-online.ars
======
Karunamon
Of all of Facebook's behavior online, the advertising, the tracking, the
privacy snafus.. this is probably the one that bugs me the greatest.

How this was not made a priority zero, drop-everything-and-fix-this-crap-
yesterday internally is beyond my comprehension. I hate to think of the
condition of their internal systems if they can't even get files deleted from
their CDN in a timely manner.

3 years is not a timely manner. A month and a half (their target, FTA) is not
a timely manner.

A few seconds to a minute would be great, thanks.

~~~
tybris
You generally don't delete files from a CDN. They just get evicted when they
are the least recently used, which may never happen if the URL is still in
circulation.

Facebook may have set near-infinite Expires/Cache-control headers on their
static content, since it never gets overwritten. In that case, the CDN never
goes back to the origin to check if the file is still there. The CDN they are
using probably does have the ability to explicitly remove files (e.g., to
respond to DMCA take-down notices), but probably doesn't have the ability to
do this at Facebook picture deletion scale.

In other words, Facebook probably can't do much about it unless they get the
CDN provider to make a big investment, build their own CDN, or switch to
another provider that does support it (usually a costly decision).

~~~
Karunamon
Doesn't Facebook run their own CDN, though? (At least that's what the URL's
would suggest).

And in the case of major CDN providers like Level 3, removing assets is _dead_
simple. They provide an API for you to pass assets to expire immediately. Or
barring that, having a person spend 5 seconds on the keyboard to log into the
control panel and paste in the URL to kill.

It _is_ possible - the author of the Ars article had his pictures erased after
writing the article.

~~~
SoftwareMaven
"""having a person spend 5 seconds on the keyboard to log into the control
panel and paste in the URL to kill"""

Few people, even technologists, can grasp what it means to have 800 million
users. Anything involving individuals just logging in is a non-starter.

~~~
Karunamon
Not on a one off "Hey FB support, this image needs to be really _really_ gone,
make it happen." basis.

Even Google can provide that level of support.

------
getsat
Do people really think a company whose engineers wrote a PHP-to-C++ compiler
because PHP is slow as balls are incapable of solving this engineering
problem?

This is either advantageous for them (somehow) or the cost to make it happen
it isn't worth it.

~~~
Groxx
The cost to make it happen is developer time (money). The benefit to making it
happen is... appeasing a few geeks? They haven't lost many users because of
this, and they probably never will; I doubt their value from doing this will
_ever_ justify the expense.

Not to imply they shouldn't do it, merely that they have little motivation to
do so, aside from it being a good thing they should do.

~~~
rickmb
How about if you replace " _appeasing a few geeks_ " with " _adhering to the
privacy laws in most countries Facebook is active in_ "?

~~~
bigiain
Really?

There are privacy laws somewhere that cover the case of "you published a
photo, and sometime later changed your mind and decided you didn't want it
publicly available any more."?

I'm not only not-at-all surprised at this, but I'm somewhat amazed that
anybody even thinks it's a thing worth commenting about. You upload a photo to
a website and make it public (or allow the defaults to make it public) - it's
now out of your control. Changing your mind later is _exactly_ the situation
the phrase "close the stable door after the horse has bolted" was coined for -
and the used of stables and horses in that idiom shows at a minimum how old
the type of problem is.

I love hating on Facebook as much as the next privacy-concerned-geek, but I
find it hard to feel any sympathy for people who are calling this a problem -
any more than I'd feel sympathy for people who want to unscramble their eggs.

~~~
rickmb
Privacy laws in most Western countries outside the US (at least all of Western
Europe) are based on the principle that you _own_ your data.

The rest simply follows from that. If you tell Facebook to remove your data,
they are, within reason, obliged to honor that request.

Now that photo may still be out there if it has been copied (of course when
then come into the realm of copyright and such), but Facebook should no longer
have it in their dataset, let alone be publishing it.

The privacy angle isn't about the photo being public, it's about Facebook
having it in their database along with all the other stuff they have on you.

This is why American companies like Google and Facebook tend to run afoul of
European privacy laws: even if the data they collect comes purely from public
sources, doesn't mean they have the right to collect, and especially collate
it. At least not in the European concept of privacy.

------
Bud
“It is difficult to get a man to understand something when his salary depends
on his not understanding it.”

    
    
                         --Upton Sinclair

~~~
falling
“There are only two hard things in Computer Science: cache invalidation and
naming things.”

    
    
        -- Phil Karlton

~~~
revorad
There are two more actually: off by one errors.

------
tlb
I don't see how it makes much difference. Removing the link from the site
means that nobody will discover the photo. People who discovered the photo and
saved the link could equally well have saved the file, and in fact I think
saving the file is more common.

~~~
darxius
I doubt that. If the image is being removed, say because it contains an
embarrassing picture that was accidentally posted, you can bet someone copied
the link and shared it or posted it somewhere. Also, image lookup services
like tineye could also grab a hold of them unless they are gone for good.

Don't get me wrong, I still believe that posting ANY picture on Facebook you
don't want the whole world to see is just plain stupid.

~~~
v0cab
Let's remember that it's not only the people in embarrassing pictures who
upload them. Sometimes rude friends or colleagues take pictures of us without
even telling us, and upload them.

------
tantalor
As a point of reference, Amazon CloudFront charges $0.005 per file to
invalidate, after the first 1000/month.

 _No additional charge for the first 1,000 files that you request for
invalidation each month. $0.005 per file listed in your invalidation requests
thereafter._

<http://aws.amazon.com/cloudfront/#pricing>

------
darxius
I'm currently an undergrad in Computer Engineering. As an engineer we are
taught to look ahead when designing software and to do it with the "good of
society" in mind.

I find it VERY hard to believe that Facebook did not plan ahead and implement
an efficient method of photo deletion. If they truly did not, I seriously call
upon their skills and insight in creating software for the public.

Come on Facebook ... it's deleting a damn image! This should be top priority
in the modern age of personal privacy.

~~~
jerrya
Facebook is proud of their hacker culture.

Sometimes a hacker is one who is expert at programming and solving problems
with a computer.

Sometimes a hacker is someone who hacks particularly, one who cuts with rough
or heavy blows.

In the race to the deadline, the next release, the IPO, a lot of good
engineering fails by the wayside.

~~~
lnanek
I heard someone say their policy is "Move fast and break things". :)

------
dotBen
In social software you, the operator of the service, never delete anything.
Everything is a datapoint - valuable now and potentially further valuable in
the future.

The contract a user makes with most social sites is that the social site can
monetize the user's data and that the user gives them a non-exclusive royalty
free license to use that data.

Well, when the user then ask them to 'delete' the photo, they are saying that
_they_ no longer have any interest in that photo sticking around. That doesn't
mean that Facebook (or whoever) shares the same view that said piece of media
is now useless.

They have no moral or legal reason to delete their copy of the media just
because the user no longer needs it.

"Don't hate the player, hate the game" - and if you don't like it, don't
upload your media to social sites like Facebook.

~~~
dasil003
Social contracts and morals are not defined solely by corporations and their
interests. We have a right and responsible to declare our opinions to converge
on a mutually acceptable standard.

------
buddydvd
The response headers indicates photos are set to expire in exactly 14 days.
Does Akamai not honor cache-related headers from the origin URL? If it does,
couldn't Facebook just generate URLs that includes an rolling expiration date
so that when the CDN pulls from the origin URL again, Facebook may send a
file-not-found placeholder image?

------
bconway
The article doesn't make it clear, are these direct-link photos still subject
to the permissions set on them? Would setting a photo's permission to "Only
Me" prior to deleting it work around Facebook's failure? If they _aren't_
subject to the photo's permissions, that's a giant security hole, or am I
misunderstanding?

~~~
tantalor
I don't think permissions apply since the files in question are served from a
CDN.

~~~
tantalor
For example, this photo is only visibly by me,

<http://www.facebook.com/photo.php?fbid=706480749906>

You can see it if I give you the special link which skips the permission
check,

[http://www.facebook.com/photo.php?fbid=706480749906&l=a5...](http://www.facebook.com/photo.php?fbid=706480749906&l=a526510db3)

Or on the CDN, which doesn't know about permissions,

[http://a7.sphotos.ak.fbcdn.net/hphotos-ak-
ash4/432125_706480...](http://a7.sphotos.ak.fbcdn.net/hphotos-ak-
ash4/432125_706480749906_15500496_34073701_1120627926_n.jpg)

------
keeptrying
This is the genius of Zuckerberg. He had a clear idea as to what was important
and what was not.

Or rather when something was good enough.

Of course if your building a probe for outerspace you cant do this but Mark
knows exactly what he can punt on and what needs to be done.

The absolutely most necessary skill in a CEO.

------
JoachimSchipper
I am not a lawyer, but this seems to be a solution. Did I miss something?

1\. Find a friend.

2\. Write "I, Mr. Me, hereby transfer the exclusive right to publish the
attached image online to Mrs. Friend, for the consideration of $1." Sign it
and have your friend sign it and pay you. (At least in the US, consideration
is required!)

3\. Hand your friend a filled-out DMCA takedown request. Have them sign it and
send it to Facebook. (If you're not in the US, figure out the local equivalent
and do that.)

It is _possible_ that you violate Facebook's ToS in (2), but Facebook doesn't
look too closely at DMCA requests - and losing your account might be worth it
anyway. Facebook is obviously not going to fight a takedown request on your
behalf, so this almost certainly does get the photo removed.

It is ridiculous that one would need to do this, of course.

~~~
rmc
_If you're not in the US, figure out the local equivalent and do that_

I don't think any other countries have anything like the DMCA with it's safe
harbour and take-down requests.

I'm also pretty sure that once you upload a photo to facebook, you give them
copyright on the image, and hence you are unlikely to be able to claim
copyright infringment,

~~~
JoachimSchipper
Honest question: aren't ACTA and the like all about cross-border copyright
enforcement? I can't say I'm an expert, but...

Note that it's your friend claiming copyright infringement, with an exclusive
license in hand. Legally, the question is whether you can actually give an
exclusive license after uploading a photo to Facebook (the ToS has been
challenged and changed on similar issues), but that is not between your friend
and Facebook.

Google "facebook dmca": Facebook will happily take pretty much any page down
(e.g.
[http://www.techdirt.com/articles/20101007/01244411320/facebo...](http://www.techdirt.com/articles/20101007/01244411320/facebook-
fails-at-the-dmca-promises-to-restore-counter-noticed-content-but-doesn-t-
updated.shtml)). Do you really think that Facebook is going to risk a court
case where it has to prove (on its own dime!) that you actually did have
copyright on the image when you uploaded it, risking its DMCA safe harbor
status?

~~~
rmc
I'm also not an expert, but we've had cross border copyright enforcement for
over 100 years with the Bern Convention. The UK will recognise and enforce USA
copyright that happens in the UK.

Facebook has to take down DMCA requests to stay with the DMCA and the safe
harbour rules. However that's a US law. I don't know if non-USA people can
invoke it.

------
disposable1984
I don't mean to sound snarky, but: that's because they hire people who know
how to merge linked lists or reverse words in a string or (insert interview
problem du-jour) ; they don't hire people who can really solve real-world
problems.

I may sound old when I say this, but my impression of interviewing there was
that they're just a bunch of kids who like working on 'cool' or new things,
and don't really care much about the real-world impact.

No, this is not sour grapes; I was recruited for my skillset, but was really
disappointed to be tested on bullshit problems; I pointed out specific issues
with their site that needed fixing and how they could be fixed, but it didn't
really matter to them.

~~~
dasil003
> _...and don't really care much about the real-world impact._

Except Facebook is one of the places where your software work has the most
impact on the world.

Also if you don't want people to think it's sour grapes than don't even
mention the word.

~~~
disposable1984
Letting people poke each other is having the most impact on the world?

~~~
dasil003
Your post is heavy on snark, but name one other product that has as many human
hours invested in using it.

~~~
disposable1984
Television?

------
sbierwagen
Surprised that Ars didn't jump to the most obvious conclusion: a legal
compliance issue.

Presumably, five or six years ago, someone from the DOJ or FBI told Facebook
it would be really handy if they stored user images indefinitely, and
Facebook, not being a company that insists on seeing warrants or subpoenas,
said "Sure, why not."

~~~
rmc
Are you advising that a site just make up conspiracy theories about the cops
spying on people?

Where is the evidence?

------
rkda
Can't or won't?

------
WayneDB
Also they don't let you edit comments or posts, which is super annoying to me.

------
perfunctory
Can somebody remind me why we use facebook again? The argument that it's
somehow more convenient than other communication channels is utter bull shit.
It's just herd behaviour.

~~~
rmc
I use Facebook because it's the only way to communicate with lots of people
who are important to me and my life.

Social networks are the definiton of a network effect. They are boring and
simple technologically, but are phenomenally valuable when lots of people I
care about use them aswell.

You cannot beat facebook with technical solutions, only social solutions.

