That seems rather over the top.
I can't really see this ruining anybody's life.
It isn't letting me search for specific people's comments. I don't know any of these people, nor am I likely to meet them.
This website reminds me of being outside, with people, and hearing little snippets of conversations from strangers. Nobody goes to a park and then complains to the council that strangers were able to hear their conversations.
Hmmm, I hope this doesn't sound facetious. I feel like I'm missing the point with the facebook privacy hype. There are so many reactions that seem totally strange from my perspective that I feel like I've got something wrong.
The way it sits in my mind is:
Facebook is a service provided for free.
I've given facebook some information about myself so that it can be displayed to people who are interested.
My friends do the same and so we can communicate and share things such as photos.
Some people start to get angry at the fact facebook doesn't do what they want, namely provide this service in a private manner.
I have yet to see anyone personally upset by this. Mostly people seem to disagree with the principle, and go and get angry on behalf of others.
Thanks, that makes sense.
When you add to that the internet's characteristic dose of indignant shouting about anything and everything, then I can start to see why these reactions are coming up.
My grasp of facebook privacy has always been pretty simple: anyone can see anything I do, except one on one messages. I know this is /way/ over simplistic, but it would explain why I don't feel scandalized that other people can see my wall.
We briefly added these measures, but after thinking it over we've decided to disable them.
From a technical standpoint they're a fig leaf. This isn't a complex server-side app, it's a minimal UI on top of the JSON results Facebook returns for these searches: http://graph.facebook.com/search?q=control+urges&type=po... . This is frankly the least scary use of this data. For example, it would be trivial to start crawling this data and building your own indices to enable far more invasive searches.
Our goal is to draw attention to this so that people become outraged and Facebook changes their privacy settings. The security community has been having this conversation for a while (more info: http://en.wikipedia.org/wiki/Full_disclosure ) and the only reason not to disclose a security or privacy problem is to give the company involved time and resources to fix the system.
This is not the case here. Facebook made this privacy-affecting change quite deliberately, and I think it's clear that they did so with full knowledge of the implications. If there is not an outcry, this will not be fixed. Right now, from Facebook's perspective, the system is working as intended. The longer it stays this way the worse the privacy breach becomes.
Our goal is to draw attention to this so that people become outraged and Facebook changes their privacy settings.
Your link to your project is the most fascinating thread I have seen on HN since the thread about how HN was hacked, one of the all-time top karma submissions. But, amazingly, after playing around with your tool for about half the three hours that have elapsed since you posted it, I'm LESS worried about Facebook than I was before. Pretty much since I joined Facebook I have been posting links (including yours today) to my profile about Facebook privacy. Among my circle of Facebook friends, it is cool to have carefully considered privacy settings, and to be circumspect in what to post online. I have good conversations about interesting links on my profile and on my feed (much like HN), and didn't turn up ANYTHING by searching on my own name, my son's name, keywords strongly associated with my friends' interests, or anything else likely to turn up something we wrote out of turn. Now I'm actually beginning to trust Facebook privacy settings again--at least for smart users--after using your tool and the new Give Me My Data app
"Full disclosure" is a discussion about the ethics of publishing an exploit. Publishing exploits is customarily done in a descriptive manner -- I've never seen it done by publicly sharing the spoils of using that exploit.
Did you try publicizing it without the full identifying data available and measuring the response? Did you consider a strategy of escalating outrageousness, instead of going straight for this course of action?
What about automatically contacting the affected users first, and attempting to rouse them to action?
I'm sorry to be so harsh in a public forum, but when someone takes it upon himself to say that the affected lives are going to suffer for a good cause, then he'd better accompany the resulting campaign with a very thorough -- and thoroughly-vetted -- piece of argument explaining exactly why the ethical balance is in his favor. Two guys deciding they'd get more pageviews by going with plan A, and leaving the moral debate for blog commenters after the fact is not a thorough vetting.
There were already numerous forces at play which could potentially result in FB getting things straight. Your app won't have accomplished anything that wouldn't otherwise have been accomplished, except perhaps to cause a few more people to suffer.
Let me put it another way: we all have a problem right now that we're trying to solve, which is that FB is screwing people. Your clever idea is screwing them worse, with no foreseeable gain for ethics either now or long-term that another demonstration couldn't provide.
If you really care about the problem, deactivate your project and come up with something more clever that also takes the moral high ground.
This argument just doesn't make sense. It's trivial to make this search, the OP just put a nice wrapper around it. There are two possible choices he could have made:
Something shocking, like "playing hooky", that could get people in trouble. In this case, people will get in trouble, because someone will find out they were playing hooky and report them. However, because people are directly being affected, a shit-storm will be caused, and people will accept that this is a problem faster.
On the other hand, the examples could have been something trivial, such as "Weight". It may get people annoyed about it, but no one is going to lose their job. And since they won't lose their job, they won't be pissed, and Facebook can drag their feet.
The best part is, anyone with malicious intent could make these searches on their own. Exposing it to the public just forces someone to take action.
To someone with the proper technical skills, it's trivial as you say. But until you do something like what these guys have done, it's dishonest (or geek-myopic) to say that it was trivially available before. When you package it up like this to inject into a receptive media channel, you make it "available" to an audience that would not have had access to this information before.