From the Oh I Am So Incredibly Surprised to Hear This—NOT files, Facebook has come under fire yet again for privacy concerns. Thanks to a programming error (since fixed), advertisers and third-party businesses may have had access to the profiles, photos and even chat logs of millions of Facebook users.
For several years.
The good news is that it isn't clear that the advertisers even realized they could pilfer your private data. The bad news is, you know, the part about Facebook leaking all your vacation photos and stuff.
Even the one where you're wearing a bikini.
Symantec Corporation, the security software manufacturer that released the report on Facebook's alleged privacy breach, issued a statement on its blog this week:
"We estimate that as of April 2011, close to 100,000 applications were enabling this leakage. We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties."
Access tokens can be used by applications to carry out certain actions for the user, or to access the user's profile. (Like how you have to approve a photo sharing app to post images on your Facebook account.) Each token is associated with a specific set of permissions, like reading your wall, accessing your friend's profile, posting to your wall, and so on.
Symantec says that some Facebook applications were leaking these tokens to advertisers, and that Facebook both confirmed the breach and fixed the problem.
Facebook, for its part, is denying any personal data was exposed:
"(Symantec's) resulting report has a few inaccuracies. Specifically, we have conducted a thorough investigation, which revealed no evidence of this issue resulting in a user's private information being shared with unauthorized third parties.''
Facebook's denial seems to be at least partially hinged on the argument that there are contractual obligations of advertisers and developers which prohibit them from sharing user information "in a way that violates Facebook policies."
So yeah, that's reassuring. Because Facebook certainly has no history of sending their users' data all over the damn place.
Symantec is suggesting that Facebook users change their passwords to close off any inadvertent access advertisers may have had, but I'd say you should take this thought process a few steps further. It's probably safest to assume anything you put on Facebook is not private, no matter what sort of settings and controls you have on hand. If you're using social media, you're exchanging privacy for calculated risk. Period.
Which is to say, only post that bikini photo if you're okay with sharing it with anyone—and I mean anyone—who cares to look.
Are you surprised to hear about this latest Facebook privacy SNAFU?
Image via Flickr/alancleaver_2000