Facebook closes API loophole that let people see strangers' photos

Developers complain that change to Facebook API renders their apps useless, but Facebook says it's just aligning with users' privacy expectations.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Facebook has changed its application programming interface to close a loophole that let developers build applications around access to photo albums whose privacy setting was "Everyone."

The move has angered some developers who built applications that offer the ability to view photos of people the user is not friends with.

For example, the Photo Stalker app, which CNET News wrote about in March, previously allowed people to see photos of strangers who may or may not know their photos are exposed to the public. Notified of the app, a Facebook spokesman said at the time that it did not violate Facebook's privacy guidelines and thus was allowed.

The default privacy setting for photo albums is "Everyone," and many people did not realize that, unless they manually changed that setting, anyone on the Web could conceivably see their pictures. The Photo Stalker app made it easy to find and view photos that their owners believed were private.


"They are doing this because they don't want applications like Photo Stalker to be able to see albums marked 'everyone,'" Josh Carcione, Photo Stalker developer, wrote in an e-mail to CNET News this week.

"I created an application to further enhance the Facebook user's experience. Facebook has now changed their API to make my application useless. Why would anyone want to use Photo Stalker to view pictures of their friends? They wouldn't! The purpose was to view public photos," he writes. "I have invested a lot of time and money in the application just to have Facebook destroy it."

A Facebook spokesperson said the company made the change so the technology more closely matched users' privacy expectations.

"We made this change in order to ensure that users who have their profiles set to a privacy other than 'everyone' are not surprised by photos being exposed through the API," Facebook engineer Matt Trainer wrote in response to complaints on the developer forum site.

Carcione and a few other developers who complained about the API change say it eliminates the ability for people to make their photos publicly accessible.

But the Facebook spokesperson said the change does not affect the way users share links to their photos with others. Photos that are set to be visible by "everyone" can still be seen by anyone, on or off Facebook, according to the Facebook Help Center.

If an album is set to "Everyone" and a friend is tagged in it, that album will surface in your News Feed and you can view the album. You can also view it if the link is shared with you, if you are a Facebook user.

If your own album is set to "Everyone," you can share the link with people on and off Facebook.

So, although an app that made it ultra easy to see inadvertently public photos just by knowing someone's name or Facebook ID won't work anymore, strangers can still see your photos if an album is left at the default "Everyone" setting. If you don't want anyone but friends to see your photos, change the privacy setting to "Friends" or "Friends of friends."