Facebook Notification Feeds: Not So Private From Blog Search, After All
Lisa posted today about being surprised to discover that some of her Facebook
activities were showing up in Bloglines. How? She’s friends with John Harmon,
and his Facebook notifications feed was apparently submitted there. The odd
thing is, Facebook says these feeds shouldn’t show up in Bloglines at all. After
poking at it more, that turns out not to be the case. Below, more about what
happened and why it may be impossible to fully keep a feed private, which has
implications for you and your Facebook friends.
If you’re a Facebook user, you have a
notifications page that
shows you what various people you are friends with are doing — have they
written on your wall, tagged a photo of you and so on. Here’s an example:
That page has its own feed. You’ll find it in the right-hand column under the
"Subscribe to Notifications" heading:
The feed URL can be viewed by anyone who has it. You don’t have to be logged
into Facebook to view it, and there is no password barrier to get past. If
you know the feed URL, you can see everything in it: basically everything
you’d see on the notifications page itself, just not as pretty.
So what about privacy? To my understanding, only you can see your actual feed
URLs (you also have a feed for "Friends’ Status Updates" and perhaps others). If
you don’t give out your URLs, then no one else can see them or guess them.
While your feed URL does make use of your Facebook user ID number, which
isn’t hard to find (see
Facebook Opens Profiles
To Tap Into Google Traffic, While Google Grabs Facebook’s News Feed Idea for
more on this), the URL also contains a unique key that no one’s realistically
going to figure out. In effect, that key is the secret: the feed is exactly as
private as the URL itself.
Enter Bloglines. The purpose of the notifications feeds is so that you can
keep up on Facebook when you’re not logged in. Give Bloglines your notifications
feed, and then Bloglines can keep you updated with what’s going on while you’re
Of course, if you give Bloglines a feed, then others searching on Bloglines
can locate it, unless you mark it as private. Bloglines gives you this option
each time you add a feed:
Notice, however, that the default setting is "Public." That makes it easy
for people to make public a feed they don’t really intend to share with
others. This is probably what happened to Lisa: John gave Bloglines his feed
URL and didn’t tag it as private, so the world can see what’s going on. Since Lisa
had an activity that hit his feed, her "private" world inside Facebook
suddenly spilled out, inadvertently, to the web in general.
The puzzling thing to me was that I remembered reading something at Facebook
that was supposed to prevent this. Remember that "Subscribe to Notifications"
section I mentioned above? Look again at the screenshot:
See the "Subscription Help" link? That leads to a
help page describing in
particular how your feed is supposed to be kept private on Bloglines:
Won’t Bloglines and other similar services make my notes content
searchable by the world if my friends enter the URL for my Notes feed into
Atom and RSS feeds from Facebook include the
Bloglines Feed Access
Control extension, and we set the access parameter to "deny" for all of our
feeds. We also indicate in our robots.txt that feeds should not be visited or
indexed by bots. The major aggregators and search engines (Bloglines, Technorati,
Google, Yahoo!) all appear to respect these directives. If you are very
concerned about the possibility of someone seeing your notes that you don’t want
him or her to see, we’ve added a privacy option that you can set on your notes
privacy page which will prevent any of your Notes from being syndicated in any
RSS or Atom feed.
Hmm. Was John’s feed somehow without the access deny setting? Nope. At the
bottom of the feed, there it was:
<access:restriction relationship="deny" xmlns:access="http://www.bloglines.com/about/specs/fac-1.0" />
Odd. According to Bloglines’
own specs, that feed
shouldn’t be showing. And yet, there it is. I’m checking with Bloglines about
this [NOTE: see postscript below]. The only thing I can figure is that perhaps, since the restriction element appears after the channel elements rather than before them, that had an impact.
Social Web – Google + Feedburner Really Is Bad For RSS from Andy Beard
covers how other web-based feed readers like Google Reader do NOT support the
access restriction element. That means you can’t depend on it.
Facebook, as it explains, does use robots.txt to block these feeds
from being indexed. Major search engine crawlers respect robots.txt, so Google
itself shouldn’t be listing them (and in fact, if it were, something
like this would bring them up. It doesn’t.).
Google Reader is different. It merrily blows past robots.txt restrictions,
because as Google’s help files
explain, it’s acting on behalf of a human request:
Feedfetcher requests come from explicit action by human users. When users add
your feed to their Google homepage or to Google Reader, Google’s Feedfetcher
attempts to obtain the content of the feed in order to display it. Since all
requests come from humans, Feedfetcher has been designed to ignore robots.txt.
Now, unlike Bloglines, Google Reader doesn’t provide a way to search across
all the feeds people subscribe to. In fact, you can’t share a feed at all,
from what I can tell. You can, however, easily share individual items from a
feed, or tag a feed or a number of feeds with the same tag and then share that tag. So
"private" Facebook feeds can be exposed that way too.
Feeding, Facebook, and Privacy from eFoundations back in August has a bit
more on the types of Facebook feeds that exist beyond your notifications.
It also notes how Bloglines had plenty of these feeds exposed (as you can see,
a search there easily finds over 500).
In short, you need to be aware that some of what you do on Facebook can
indeed be seen outside Facebook if your friends share feeds, even on
Bloglines, which is supposed not to be listing these feeds. The only foolproof
solution I can see is to tighten your privacy settings to heavily restrict
the types of activities that might show up as notifications. I’ll also ping
Facebook to see if they have any further advice to share.
Postscript: Bloglines has gotten back to me and said there was a bug in how it was handling feed access control in RSS 2.0 feeds, which is being fixed now.