Facebook Notification Feeds: Not So Private From Blog Search, After All

Lisa Barone posted today about being surprised to discover that some of her Facebook activities were showing up in Bloglines. How? She’s friends with John Harmon, and his Facebook notifications feed was apparently submitted over there. The odd thing is, Facebook says these feeds shouldn’t show up in Bloglines at all. After poking at it more, that turns out not to be the case. Below, more about what happened and how it may be impossible to fully keep a feed private, which has implications for you and your Facebook friends.

If you’re a Facebook user, you have a notifications page that shows you what various people you are friends with are doing — have they written on your wall, tagged a photo of you and so on. Here’s an example:

Facebook Notifications

That page has its own feed. You’ll find it in the right-hand column under the "Subscribe to Notifications" heading:

Facebook Notifications Feed

The feed URL can be viewed by anyone who gets it. You don’t have to be logged into Facebook to view it. You don’t have to get pass any password barrier. If you know the feed URL, you can see everything in it — basically, everything you’d see on the notification page itself, just not as pretty.

So what about privacy? To my understanding, only you can see your actual feed URLs (you also have a feed for "Friends’ Status Updates" and perhaps others). If you don’t give out your URLs, then no one else can see them nor guess at them. That’s because while your feed URL will make use of your Facebook user ID number that isn’t hard to find (see Facebook Opens Profiles To Tap Into Google Traffic, While Google Grabs Facebook’s News Feed Idea for more on this), the URL also has a unique key number in it that no one’s really going to figure out.

Enter Bloglines. The purpose of the notifications feeds is so that you can keep up on Facebook when you’re not logged in. Give Bloglines your notifications feed, and then Bloglines can keep you updated with what’s going on while you’re "outside" Facebook.

Of course, if you give Bloglines a feed, then others searching on Bloglines can locate it, unless you mark it as private. Bloglines gives you this option each time you add a feed:

Bloglines Privacy Settings

Notice, however, that the default setting is "Public." That means it’s easy for people to make public a feed that they don’t really intend to be shared with others. This is probably what happened to Lisa. John gave Bloglines his feed URL, didn’t tag it as private, so the world can see what’s going on. Since Lisa had an activity that hit his feed, suddenly her "private" world inside of Facebook spilled out inadvertently to the web in general.

The puzzling thing to me was that I remember reading something at Facebook that was supposed to prevent this. Remember that "Subscribe to Notifications" section I mentioned above? Look at again at the screenshot:

Facebook Notifications Feed

See the "Subscription Help" link? That leads to a help page describing in particular how your feed is supposed to be kept private on Bloglines:

Won’t Bloglines and other similar services make my notes content searchable by the world if my friends enter the URL for my Notes feed into those services?

Atom and RSS feeds from Facebook include the Bloglines Feed Access Control extension, and we set the access parameter to "deny" for all of our feeds. We also indicate in our robots.txt that feeds should not be visited or indexed by bots. The major aggregators and search engines (Bloglines, Technorati, Google, Yahoo!) all appear to respect these directives. If you are very concerned about the possibility of someone seeing your notes that you don’t want him or her to see, we’ve added a privacy option that you can set on your notes privacy page which will prevent any of your Notes from being syndicated in any RSS or Atom feed.

Hmm. Was John’s feed somehow without the access deny setting? Nope. At the bottom of the feed, there it was:

<access:restriction relationship="deny" xmlns:access="http://www.bloglines.com/about/specs/fac-1.0" />

Odd. According to Bloglines’ own specs, that feed shouldn’t be showing. And yet, there it is. I’m checking with Bloglines about this [NOTE: see postscript below]. The only thing I can figure is that perhaps since the restriction element appears after the channel elements — rather than before them — perhaps that had an impact.

Of course, Open Social Web – Google + Feedburner Really Is Bad For RSS from Andy Beard covers how other web-based feed readers like Google Reader do NOT support the access restriction element. That means you can’t depend on it.

Facebook, as it explains, does make use of robots.txt to block these feeds from being indexed. Major search engines crawlers respect robots.txt, so Google itself shouldn’t be listing them (and in fact, if it was, something like this would bring them up. It doesn’t.).

Google Reader is different. It merrily blows past robots.txt restrictions, because as Google’s help files explain, it’s acting on behalf of a human request:

Feedfetcher requests come from explicit action by human users. When users add your feed to their Google homepage or to Google Reader, Google’s Feedfetcher attempts to obtain the content of the feed in order to display it. Since all requests come from humans, Feedfetcher has been designed to ignore robots.txt.

Now, unlike Bloglines, Google Reader doesn’t provide a way to search across all the feeds people are subscribing to. In fact, you can’t share a feed at all, from what I can tell. You can, however, easily share individual items from a feed or tag a feed or number of feeds with the same tag, then share that tag. So "private" Facebook feeds can be exposed.

Feeding, Facebook, and Privacy from eFoundations back in August has a bit more on some of the type of Facebook feeds there are beyond your notifications. It also notes how Bloglines had plenty of feeds exposed there (as you can see here, I can easily find over 500).

In short, you need to be aware that some of what you do on Facebook can indeed be seen outside Facebook, if your friends share feeds — even on Bloglines, which is supposed to not be listing these feeds. The only foolproof solution I can see is to switch your privacy settings down to restrict heavily the types of activities that might show up as notifications. I’ll also ping Facebook to see if they have any further advice to share.

Postscript: Bloglines has gotten back to me and said there was a bug in how it was handling feed access control in RSS 2.0 feeds, which is being fixed now.

Related Topics: Channel: Social | Facebook | Legal: Privacy


About The Author: is a Founding Editor of Search Engine Land. He’s a widely cited authority on search engines and search marketing issues who has covered the space since 1996. Danny also serves as Chief Content Officer for Third Door Media, which publishes Search Engine Land and produces the SMX: Search Marketing Expo conference series. He has a personal blog called Daggle (and keeps his disclosures page there). He can be found on Facebook, Google + and microblogs on Twitter as @dannysullivan.

Connect with the author via: Email | Twitter | Google+ | LinkedIn


Get all the top search stories emailed daily!  


Other ways to share:

Read before commenting! We welcome constructive comments and allow any that meet our common sense criteria. This means being respectful and polite to others. It means providing helpful information that contributes to a story or discussion. It means leaving links only that substantially add further to a discussion. Comments using foul language, being disrespectful to others or otherwise violating what we believe are common sense standards of discussion will be deleted. Comments may also be removed if they are posted from anonymous accounts. You can read more about our comments policy here.

Comments are closed.

Get Our News, Everywhere!

Daily Email:

Follow Search Engine Land on Twitter @sengineland Like Search Engine Land on Facebook Follow Search Engine Land on Google+ Get the Search Engine Land Feed Connect with Search Engine Land on LinkedIn Check out our Tumblr! See us on Pinterest


Click to watch SMX conference video

Join us at one of our SMX or MarTech events:

United States


Australia & China

Learn more about: SMX | MarTech

Free Daily Search News Recap!

SearchCap is a once-per-day newsletter update - sign up below and get the news delivered to you!



Search Engine Land Periodic Table of SEO Success Factors

Get Your Copy
Read The Full SEO Guide