If you chose the Facebook setting that hides your friend list from people who aren’t you friends, Irene Abezguaz has some bad news. Abezguaz, a vice president of product management at Quotidium, outlined a loophole she discovered at AppSecUSA 2013, a New York security conference — that friend list isn’t totally hidden.
If someone wants to see the friends of a Facebook user who hides their complete friend list from strangers, they can create a new dummy account and send a friend request to that Facebook user. Once the request is sent, even if it is rejected, Facebook will start sending friend suggestions to the dummy account — for users who are already Facebook friends or who have received a friend request from the person in question. In this way, even though there’s no complete friend list, someone looking for more information about a Facebook user will be able to compile at least a robust partial list of their Facebook friends. And while most people aren’t going to bother going out of their way to circumvent settings, the people who will — malware peddlers, spammers, and stalkers — are exactly the kind of users that people want to avoid when they select tighter privacy settings.
“Research of this issue has shown that most of the friends list, often hundreds of friends, is available to the attacker. In any case, even a partial friends list is a violation of user-chosen privacy controls,” Abezguaz writes in a blog post explaining the security loophole.
Facebook doesn’t see this loophole as any big deal. A spokesperson (vaguely) explains: “Our policies explain that changing the visibility of people on your friend list controls how they appear on your Timeline, and that your friends may be visible on other parts of the site, such as in News Feed, Search and on other people’s Timelines. This behavior is something we’ll continue to evaluate to make sure we’re providing clarity.” In other words, yes, the company acknowledges that part of your friend list becomes visible when a non-friend peeks at the “People You May Know” function, but because it’s not a direct part of the Timeline controls and because it’s an incomplete list, Facebook isn’t going to focus on this as a problem (besides perhaps clarifying their language to make it more apparent that the company does not believe this is a problem).
Facebook has been changing its privacy settings to encourage users to publicly display more information; it’s part of the company’s ongoing quest to transform into a “personalized newspaper” and discovery engine with Graph Search. The company isn’t going to stray from that strategy to backpeddle and provide greater privacy controls again, even if someone brings the flimsiness of the current settings to our attention.
This probably isn’t the only example of a roundabout way to access Facebook user information. But it is a very good example of Facebook’s attitude towards user privacy: the company is ushering users towards transparency and away from privacy, and it’s not going to bother accommodating people pointing out relatively minor privacy failings like this. Let this be another reminder that Facebook, while still useful/painfully addictive, is actively eroding your old privacy settings to prime users for a more public social network.