Why in the world does Facebook let me do this? (facebook.com)
159 points by iamelgringo on May 12, 2010 | 89 comments

Just to clarify. I don't have an app. I don't have anyone's permission to do anything. I'm just messing around with URLs in their search API: http://developers.facebook.com/docs/api

This is also what prompted me to try and start a discussion about privacy over here: http://news.ycombinator.com/item?id=1341227

From the search api docs:

You can search over all public objects in the social graph with https://graph.facebook.com/search. The format is:

https://graph.facebook.com/search?q=QUERY&type=OBJECT_TY...

We support search for the following types of objects:

All public posts: https://graph.facebook.com/search?q=watermelon&type=post
People: https://graph.facebook.com/search?q=mark&type=user
Pages: https://graph.facebook.com/search?q=platform&type=page
Events: https://graph.facebook.com/search?q=conference&type=even...
Groups: https://graph.facebook.com/search?q=programming&type=gro...

You can also search an individual user's News Feed, restricted to that user's friends, by adding a q argument to the home connection URL:

News Feed: https://graph.facebook.com/me/home?q=facebook

To be clear, this is only searching public posts. It's just that a large number of FB users either don't know, or don't care, what they are now broadcasting to the world.

There's a little lock button under the status box that lets you set your privacy settings for each post. They should expand it to put the actual label of your privacy setting on the button, so people would see "Everyone" on the button when talking about their rectal surgery. I honestly think most people don't mind posting their thoughts for everyone to see (cf. Twitter), but there is definitely a minority that is doing so accidentally, and that's easy to fix.

The lock is especially powerful if you combine it with lists. For the longest time I didn't know about lists because I didn't use FB's chat or any similar features that revealed lists to me. Being able to quickly block just "Family" or "Old Bosses" via lists and locks is one security change FB made that really works for me.

(one big problem, though, is that I don't think there is a way from Facebook mobile to use the lock's functionality.)

? Everyone on facebook can already make these searches. A much simpler way is to go to search, "posts by everyone", and type in watermelon.

edit: Clearer instructions:

1. Login to Facebook.

2. Type 'blah' in search and hit enter.

3. When it says no results found, click on "Posts by everyone" in the left bar.

Searching everyone's posts has been a feature on facebook for a really long time, it's just somewhat buried in the interface so I'm not surprised if no one noticed it.

I don't know if this distinction has been made yet or if it even matters, but you would have to be logged-in to crawl that data. Assuming you wanted to compile a dataset of Facebook user data, this is clearly the superior method.

I left a comment on your other post (http://news.ycombinator.com/item?id=1341519), but here's a proposal - why not make a privacy app for those who care about, that can monitor their as well as their friends' feeds and help them squash unintentionally public posts about personal details? I'd be willing to collaborate if you're interested.

At the level that the intention is to let you use facebook safely, yes. My feeling is that it would be far easier to convince us scared geeks to install a privacy app that helps our friends and family (with little effort on our part) than to get the unwashed masses to do anything about privacy violations.

If you use the Facebook condom, as it were, and as a part of that it synchronizes your data with some open source format, then you get safety and privacy, you move your data to an open format, and friends get transparency. Good for all, no?

I don't think it would be hard at all. Privacy could be the new anti-virus.

You can scare the general public pretty easily. All it takes is one example of what could go wrong and all of a sudden there is a boom.

Privacy is the new anti-virus.

The question is who is going to move into this area and claim a market.

So, not to be too PC, but the OP's example seems really uncalled for. These people are basically facing colorectal cancer, possible metastasis, and probable death.

I'd much rather pick up on people whose questionable (idiotic?) behavior combined with a mishandling of FB's privacy settings make them deserve the opprobrium:


How many of these people do you think actually realize that their boss can (and more and more do) read what they post?

edit: the first hit is spot on (hiding the name):

"from": { "name": (hidden), "id": (hidden) }, "message": "Oh fuck! Now my boss wants to come over on friday as well. Let's rob his ass!(jk) What do you think the chances are that he has a facebook account and he's readin this?", "link": "http://www.facebook.com/, etc...

If Twitter allows to search public statuses, then it's fine. If Facebook allows to search public statuses, then the world is doomed. Utter nonsense.

If you don't like it, don't use it.

Just hoping that Flickr doesn't let me do that, not willing to find out.

Ok, so you wanted to mess around with their URL and you decided to search for "Rectal surgery"? I'm not going to judge, but... wait, no I am going to judge. That's just weird.

Right. This is the internet. That was a horribly tame example search - "anal prolapse" would have been far more entertaining.

Ok, who else just searched for "anal prolapse?"

The correct question is "Why is the default wall post set to 'Everyone'?"

Searching public posts is just fine. I just think that people should be more made aware of who exactly they're broadcasting to.

Surely if you write on someone's wall, then all of their friends can see it. Trying to keep any sort of privacy there seems problematic.

It's called a wall for a reason :/

This is the same kind of logic Facebook is using to justify their moves to make everything public, and it's flawed. These are different kinds of public.

For example, with Facebook fan pages there used to be an option to hide which pages/groups you were a fan of. Now you can't do that — all of these are public. There is now no way to hide them without 'unfanning' them.

Yes, before the change if someone started looking through the many thousands (millions?) of fan pages they could have found you listed on one. But now it's just sitting on your profile page.

It's hard for me to see what the problem is there - it's like me putting a bumper sticker on my car then being worried that everybody might see it, right? Do many people really 'Like' fan pages that they don't want other people to know they like? If so, what's the point? If I like something that I don't really want people to know I like, I just don't 'Like' it on Facebook.

It's obviously very inappropriate to change the privacy settings in ways that deceive people or change privacy settings without users knowing (clearly, and well in advance) that they're going to be changed. But it's hard for me to foresee a coming Facebook diaspora over privacy when I don't think most people think of Facebook as being private... the incredibly vast majority of people that I know don't see privacy as a hierarchical set of access control lists that they're going to tweak to their contentedness: I think they see a particular site as either private (say, gmail) or public (Facebook) and treat their interactions on the site along that binary divide.

If you are a fan of Victoria Secret for their coupons do you want potential employers to see that on your public page?

My girlfriend cut out a couple of "fan pages" like that because now they are all public. That reduces value for the user because they will find other ways to follow these companies (twitter) and to the companies who lose users.

Caveat emptor

A bumper sticker on your car can only be seen by people who actually see your car (small subset of the world). A public post on facebook can be found by anyone who wants to search for it (potentially large subset of the world). I have no way of knowing if you have some crazy bumper sticker on your car, but if you posted something on FB then I can find it via search.

Indeed. But what bumper sticker am I gonna have that I don't mind the 3.5 million people in my city's vicinity potentially seeing but I'm worried about somebody on the other side of the world seeing? I'm sure some such items can be hypothesized (though I'd still ask the person why they're putting a bumper sticker on in the first place if there's anybody they don't want seeing it), but my point is that in practice this just doesn't concern most people and it's hard for me to see why it should.

edit: I think there's perhaps a distinction here between things like personal profile information (one might not want one's psycho ex to see their phone number or even wall posts, while not minding sharing them with friends) and things like fan page liking. The former certainly needs privacy controls, and they should be clearer than they currently are; the latter is hard for me to get upset about, and I think it dilutes the message of privacy advocates to mention it.

The idea that some kinds of information are more or less suitable for privacy controls is nonsensical. Say some college kid Bob is gay, but he hasn't told his parents. Bob goes to some fan page for a local GLBT organization etc, and 'becomes a fan', because previously that didn't show up on his profile where his parents might see it, and his parents wouldn't be visiting that fan page anyway. Well, now FaceBook goes and makes fan pages visible on your profile, and suddenly Bob's parents have a lot of questions for him.

You may not find yourself in that kind of situation often, but it is a very real possibility -- there was even a study done where a computer could make a highly accurate guess of whether you were gay just by looking at who is in your friends list (also public), without any information from your profile. Everything on facebook is information.

I could give you an example where the bumper sticker is also relevant, but I think the example above is enough to prove my point.

It doesn't prove anything.

His parents could be fans of that page. His teacher could be.

Becoming a fan of a page, but wanting that to remain private seems contradictory to me.

If you've got an opinion that's fine, but if you post it on here, the least I expect is for you to back it up with reasoning rather than just 'seems contradictory to me'.

My point is, that people become a 'fan' of something, in part, if not often solely to announce to other people that they're a fan. It's inherently social.

Maybe if you're a fan of something deeply unpopular - Java for example, then you'd want to keep that as private as possible.

I think it'd probably just be best for facebook to make the leap and say "OK you privacy nerds, SHUT UP. From now on, everything is public apart from private messages. Now quit your incessant whining."

When I've "become a fan" of things on Facebook it's been because I was interested in those things and wanted regular updates about them. It was not out of some kind of weird desire to flash my tailfeathers at people.

That's exactly what they have said, in not so many words. And yet people are still whining incessantly.

As for 'becoming a fan' being inherently social, that's true. The issue is whether something that's inherently social is also inherently public. Going on a date with your girlfriend is social, but you may not want it inherently public (and keep in mind there's a difference between internet public and people seeing you together at a restaurant public).

I haven't heard of any real instance of someone who had their fan pages set to not show up on their profile and ended up in some sort of bad situation when they were made public on their profile. Everyone is assuming this was done surreptitiously, but the reasonable thing for Facebook to do would be to put a huge dialog on the screen saying "Hey, you had your fan pages set to show up on your profile, but fan pages are now going to be public for everyone. Uncheck the ones you want to remove." If there's no actual case of someone complaining about this, then we don't even know if Facebook did anything wrong. Quit complaining about things that might have happened to other people.

And I suppose you would have had us write down the Bill of Rights after we lose our freedom of speech and freedom of the press? I mean, the government might not want to limit that right? Your argument is BS.

(the point isn't about the extreme of freedom of speech, but your idea that we should only worry about things that have actually happened is total garbage)

Your analogy is just wrong. You were trying to argue that a change Facebook actually made could have hurt people, but your scenario only could have happened if Facebook made the change without making it clear what was going on. If the only aspects of your argument that were hypothetical were Bob's actions, that would be something worth discussing. However, you're making it seem like what Facebook actually did could have hurt Bob, when you have no idea if that's actually the case.

That wasn't my argument at all. I was responding to this claim:

"I think there's perhaps a distinction here between things like personal profile information (one might not want one's psycho ex to see their phone number or even wall posts, while not minding sharing them with friends) and things like fan page liking."

My point is that fan page liking is personal profile information. Everything you put on facebook is personal profile information. The Bob example was merely to show that 'becoming a fan' of something can reveal profile information about the person. The fact that Bob could potentially be 'hurt' in the scenario was just to make Bob sympathetic (as opposed to the all too typical scenario where people post severely racist or homophobic content without realizing how public it might be).

Ok, thanks for clarifying. I agree with your point, though I don't think it makes what Facebook did wrong in any way.

>The idea that some kinds of information are more or less suitable for privacy controls is nonsensical.

Should comments on public blogs have privacy controls?

They already do: a comment is a response to the blog. You can post the response on the blog, which is moderately public, or you could email the author, which is more private. You could write a response on your own blog, which may be more or less private depending on whether you actually have readers, and you could conceivably go on television and broadcast your response to the whole world.

There's a difference between the kind of information (response), and the method of communication (comment on a blog).

I would guess more strangers have seen the back of my car than anything related to my Facebook account, easily.

I'm really really bored of this on HN.

There's no real evidence that anyone using facebook really minds the changes facebook makes.

Changes to their privacy are fairly moot. It's not like they're changing the color of a button, making it harder to play fishville or anything massive like that.

Can we get back to moaning about appstore policies now? Or iPad articles?

One of my philosophy professors posted something like, "I logged into Pandora and it showed me all my Facebook friends and what they were listening to, this is too much, Facebook will have to go on without me" last week. And then he deactivated his account.

Facebook users are noticing, the question is how many.

Just another example of how people misunderstand the word "public" when it is used on Facebook. You have control over what shows on your profile. Public means that the connection is owned by both parties; you may choose to hide your side of the connection from your profile, but the fan page, as the other owner of the connection, may choose to display the connection on their profile.

Privacy SettingsFriends -> Tags and Connections Current City, Hometown, Interests, Things I Like, etc. are all fan pages, and you can choose to restrict who can view them on your profile.

If you can't tell the difference between circa 100 people and circa 7 billion people then maybe you are just not very good at mathematics.

     "error": {
        "type": "OAuthException",
        "message": "Error processing access token."
Is that what everybody else sees?

I think the access tokens expire after a while.

EDIT: Apparently the access token isn't necessary, but it can break things if it's there. The URL of this submission should be changed to omit the access token parameter. If that still doesn't work, the instructions below will give you a URL with a Facebook-generated access token that will eventually expire as well.

1) Go here: http://developers.facebook.com/docs/api#search

2) Click on the link to search all public posts for "watermelon".

3) Alter the URL to say "rectal surgery" instead of "watermelon".

Looks like you need to be registered at facebook to make 1) work.

His access token has likely temporarily or permanently expired from either [overuse in too short a time period] or [they expire after a set time period]. Before it showed the latest public posts by all people on facebook which included the words "rectal surgery"

Just remove all the gibberish after "type=post" in the url and you will see message contents.

Just remove everything after the &access_token= part and it'll work. The access token has expired, but it's not even necessary to search for public posts.

That's what I see.

Same reason Twitter lets you do this:


(there is a difference, I guess, in that on Twitter it is "common knowledge" that everything is public by default - whereas on Facebook it is reasonable for an individual to realise how public their data might be on their current privacy settings)

At the very least, FB should make a distinction between 'Everyone' and 'Public'. Where the former means everyone on Facebook and the latter means everyone on the internet.

In practice, is there really a difference? Facebook has hundreds of millions of users and it's fast and free to sign up, so I'm not sure I see the distinction, other than maybe search engines...

I guess, but that point applies to just about every other API as well (including Twitter's)

Cool example, but you really shouldn't publish your access token like that.

<humor> Facebook will be publishing it anyway next week :) </humor>

Too bad you closed the humor element, otherwise all the comments below yours would have been funny as well.

Good call. It's pretty much a throw away account that I'm only using for api access and an advertising trial I did. Thanks, though. :)
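
Added example, not part of the thread: the submission URL carried an access_token parameter that the search did not need, so a pre-publish check can strip it before a link is shared. The function names, the parameter list beyond access_token, and the sample URLs and token values are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote

# access_token is the parameter named in the thread; the other names are
# common OAuth-style credentials added here as an assumption.
SENSITIVE_PARAMS = {"access_token", "oauth_token", "client_secret",
                    "id_token", "refresh_token"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _scrub_pairs(encoded, removed):
    """Drop credential parameters from a key=value&key=value string."""
    if "=" not in encoded:
        # Plain anchors such as "#search" are not parameter lists; keep them.
        return encoded
    kept = []
    for name, value in parse_qsl(encoded, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            removed.append(name)
        else:
            kept.append((name, value))
    # quote_via=quote keeps spaces as %20 instead of "+".
    return urlencode(kept, quote_via=quote)


def scrub_url(url):
    """Return (clean_url, removed_names).

    Both the query string and the fragment are checked, because OAuth
    implicit-flow redirects carry the token after the '#'.
    """
    parts = urlsplit(url)
    removed = []
    query = _scrub_pairs(parts.query, removed)
    fragment = _scrub_pairs(parts.fragment, removed)
    if not removed:
        return url, []  # nothing sensitive: leave the URL byte-for-byte
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path,
                        query, fragment))
    return clean, removed


def scrub_text(text):
    """Scrub every URL in a draft post; return (clean_text, removed_names)."""
    found = []

    def repl(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")  # sentence punctuation is not URL data
        clean, removed = scrub_url(url)
        found.extend(removed)
        return clean + raw[len(url):]

    return URL_RE.sub(repl, text), found


if __name__ == "__main__":
    # Constructed draft; the token value is a placeholder, not a real one.
    draft = ("Why does this work? https://graph.facebook.com/search"
             "?q=watermelon&type=post&access_token=CONSTRUCTED123.")
    cleaned, names = scrub_text(draft)
    print(cleaned)
    print("removed:", names)
```

Removing the parameter from the link does not invalidate a token that has already been posted; revoking or letting it expire is a separate step.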

I thought this was a rather humorous thing to search on: https://graph.facebook.com/search?q=facebook%20privacy

Mainly people warning about the privacy changes, yet have public status updates.

Nobody's complaining about the existence of public status updates - that's all twitter is. People are complaining about the subtlety of it and the general lack of knowledge about it.

Why in the world would you post about your rectal surgery on the internet using your real name or an easily traceable identity if you did not want the internet to know about it? Missing privacy education maybe?

Because you think, through no longer valid experience or through misunderstanding, that you're only communicating with your friends.

Email is a good example. You carry on a conversation about rectal surgery with email correspondents (maybe your doctor). You may have a vague idea that system administrators or men in the middle may be able to read those emails, but you have the conversation anyway because you assume (with some justification) those are unlikely circumstances. You have just posted about your rectal surgery on the internet (over which email travels).

If you were to find your emails publicly searchable you'd be rightly upset.

I originally thought my posts on facebook were only visible (using the English definition of visible, not facebook's co-opted definition) to my specific friends. Many people probably still think so, and it's not an unreasonable leap.

Or maybe, after having to go through something like that, privacy is not the first, or last thing on your mind.

After surgery, you are happy to hear the good news that things went well, you are on your way to feeling a lot better, and want to share that with everybody.

The list could be much longer than it is. Facebook has a large reach, and some people just aren't too bright: http://ryankuder.posterous.com/facebook-users-think-readwrit....

There are many cautionary tales of Facebook users getting into trouble, but, whatever you think of Facebook, there is only so much you can do to prevent people from embarrassing themselves.

These people must have their privacy set to 'Everyone'.

Facebook's Privacy Guide states that such information may be visible to everyone on the internet.

I believe you meant to say "These people must have had their privacy set to 'Everyone'."

> These people must have their privacy set to 'Everyone'

Yep - the way Facebook set it by default for them without them realizing. And then it fails to indicate anywhere in the posting UI that the post is going out to the entire universe unless they explicitly click a lock icon that is a standard internet icon for indicating that your content is already secure.

Because they couldn't care less about privacy.

This is...undesirable. People don't really understand privacy on the Internet very well to begin with, it isn't that they don't care about it. Facebook had the opportunity to set an example for how to handle privacy but they f'ed it up because they want to be more like Twitter. This is not the way to do it guys.

It used to be that your posts were set to private.

So of course everyone still assumes that when they post about their rectal surgery it's a private matter only their friends can see.

This is why changing your privacy policies and defaults is obnoxious.

Wait, these are the messages that are sent between two users? Does just one of them need to put their settings on "Everyone" to display both sides of the conversation?

Please tell me this is a bug/hack/exploit/mistake/error.

These are wall posts.

That makes more sense. Wall posts are meant to be public and apparently these people love to over-share.

What do the settings need to be in this situation? The recipient needs to have their wall set to "Everyone" and the poster needs to have their wall postings set to "Everyone"?

I would hope so ... I've not tested it though.

I would find this way more interesting if I could narrow this down to just people in my network. Knowing what everyone on the internet is doing is not all that interesting.

You can also search an individual user's News Feed, restricted to that user's friends, by adding a q argument to the home connection URL:

News Feed: https://graph.facebook.com/me/home?q=facebook

It's pretty interesting to marketers. I'll bet you could make some highly targeted direct mail campaigns on the cheap now.

You're searching the public timeline, much like http://www.kurrently.com

Did those people grant your app permission to read their stream? This would be really messed up if they did.

It's public posts, you don't even need an app to make that query.

It's weird getting a glimpse of people's lives, and the things they share opening with status updates to their friends!

I don't even know why people would tell half of their friends that.
