Private Facebook Pages Are Not So Private

Security researchers announced a privacy flaw in Facebook.

By ABC News
February 10, 2009, 8:28 AM

June 28, 2007 -- Private Facebook profiles aren't quite as hidden as many users might think they are. Pages that are supposedly restricted are visible to anyone using searches based on religion, sexual orientation or relationship status.

Security researcher Christopher Soghoian announced the flaw on Tuesday. A quick search by Wired News for women in a major U.S. city who were interested in random hookups with men revealed the names and photos of two high school girls, including one ninth grader.

Like many social networks, the increasingly popular Facebook allows its users to mark their profile page as private, semiprivate or open. However, even if you mark your profile to be visible only by friends, that doesn't change how you turn up in Facebook searches or whether your profile is open to indexing by search engines.

Instead, users looking for privacy must also change their preferences under search. Otherwise, their profiles will be indexed by internet search engine spiders, and their names, photos and personal data fields will be searchable by any Facebook member who is a fellow member of a "group", such as a school or geographic area, that the user elects to join.

For instance, if you are a Facebook member of your college, you could run a search to see all the people who are Christian women who are lesbians, all the women interested in women or all the Muslim men into other men. Your search results will likely include people who thought they marked their information as private, but didn't also change their search settings. (These links all require a valid Facebook account.)

Searchers still can't click through to the full profile for members who chose to make the profile visible only to their Facebook friends.
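The gap described above, as an added example (a simplified model, not Facebook's code): when the search path consults only the search setting, a filter on a personal data field matches profiles whose fields the searcher could not read on the profile page. All class names, setting values and sample profiles here are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    name: str
    networks: set
    friends: set
    fields: dict                         # personal data fields
    profile_visibility: str = "friends"  # who may open the profile page
    search_visibility: str = "network"   # separate setting, left at a permissive value

def can_view_fields(viewer, p):
    """Profile-page rule: may the viewer read p's personal data fields?"""
    if viewer.name == p.name or viewer.name in p.friends:
        return True
    return p.profile_visibility == "network" and bool(viewer.networks & p.networks)

def searchable_by(viewer, p):
    """Search rule: may p appear in the viewer's search results at all?"""
    if viewer.name == p.name or viewer.name in p.friends:
        return True
    return p.search_visibility == "network" and bool(viewer.networks & p.networks)

def matches(p, criteria):
    return all(p.fields.get(k) == v for k, v in criteria.items())

def search_leaky(viewer, profiles, **criteria):
    # Only the search setting is checked, so the filter runs over hidden
    # fields: a hit tells the searcher the value of a field they cannot read.
    return [p.name for p in profiles
            if searchable_by(viewer, p) and matches(p, criteria)]

def search_enforced(viewer, profiles, **criteria):
    # The filter may only use fields the viewer could read on the profile page.
    return [p.name for p in profiles
            if searchable_by(viewer, p) and can_view_fields(viewer, p)
            and matches(p, criteria)]

# Constructed sample profiles, all in one network.
NET = {"Example College"}
alice = Profile("alice", NET, {"bob"}, {"relationship_status": "single"})
bob = Profile("bob", NET, {"alice"}, {"relationship_status": "married"})
carol = Profile("carol", NET, set(), {"relationship_status": "married"})
dave = Profile("dave", NET, set(), {"relationship_status": "single"},
               profile_visibility="network")
erin = Profile("erin", NET, set(), {"relationship_status": "single"},
               search_visibility="friends")
PROFILES = [alice, bob, carol, dave, erin]
```

In this model, carol is in alice's network but is not her friend: `search_leaky` returns alice for a filter on a field alice marked friends-only, while `search_enforced` returns her only to bob.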

Soghoian first discovered the discrepancy in September 2006 and revisited it after speaking with attendees at a privacy conference last week, who suggested that the setup could violate European privacy standards.

Soghoian, a graduate student previously known for disclosing holes in both airport security and Firefox browser extensions, contends that the number of people whose private profiles show up in search results is clear proof that Facebook's options are too confusing.