Flaws emerge in Facebook's new privacy controls

Facebook launched a bunch of new privacy controls today, and has received a significant amount of positive press as a result. The praise is perhaps not so deserving--as the new privacy controls can be easily evaded.

The new privacy settings allow users to customize which friends can view specific details in their own profile. Users can lock down specific bits of information to their friends, friends of friends, or even particular individuals.

There is, however, a significant design flaw present in this new feature. Facebook users can select which types of strangers can view their profile. That is, a student at Stanford University can decide to allow other undergrads to view their profile, while specifically forbidding staff and professors who have not been made a friend from viewing it.

This sounds like a great idea, and should be a significant benefit to those students who find that their Facebook-advertised parties were busted by police who found out about the events through the social-networking site.

The primary problem is that Facebook has no way of determining what someone's university status is. The company is only able to verify that the user has a valid .edu e-mail address, which could mean that the person is a student, staff member, professor, or alumni. As a result, Facebook asks users to self-report this information.

Given an example situation where a student doesn't wish for the Facebook-using professors at their university to be able to view their profile, it would be trivially easy for a professor to log in, and change his or her own status to that of an undergrad.

To test this out, I changed my own status at Indiana University to that of an undergrad, a staff member, and an alumni before switching back to being a graduate student. Facebook's system didn't complain once, and I was able to verify that the updated status was indeed reflected on my own profile.

This is a fairly significant security flaw in Facebook's fancy new privacy controls, and frankly, there isn't too much the company can do to fix it. In the real world, it's perfectly possible for an administrative staff member to go back to school (and thus become an undergrad), or for a grad student to become a professor. The status controls need to be modifiable.

At least under the old controls, Facebook users (in theory) knew that their profiles could, by default, be viewed by any other Facebook user at the same university. This new system provides little in the way of real additional protection, yet may give users a false sense of security, leading the millions of users to post even more stupid and embarrassing things to the site than they currently do.

I spoke with a Facebook spokesperson shortly before press time, who told me that she could not comment on the specific issues I raised.

Disclosure: I am a part-time technology policy fellow at the Electronic Privacy Information Center, where one of my projects involves social-networking privacy issues.