What with all the hype on Google’s Buzz, just recently, my attention was drawn to my Facebook posts that seemed to have escaped into the public domain – uninvited. Essentially my Facebook Notes and Links had been published onto FriendFeed and then aggregated again in Google Buzz.
Further investigation has revealed what appears to be a bug (oversight?) in the Facebook Notes and Links RSS feed option.
Firstly, let’s take a look at the offending URL in question:
http://www.facebook.com/feeds/share_posts.php?id=xxxxxxxxxx&viewer=yyyyyyyyyy&key=zzzzzzzzzz&format=rss20
In this example I’ve replaced the 10-digit alphanumeric codes with x, y and z for privacy reasons.
X is the ID of the user whose posts you want to view. Y is the viewer of those posts, and Z is a unique key generated when you click on the Subscribe to Notes link on Facebook.
There has to be a friend connection between X and Y in order for the Notes / Links RSS feed to display, but you, yourself, don’t necessarily have to have a connection with either of them – what’s important is that THEY have the connection.
Z is a unique key that’s generated for the X–Y relationship. It can also be an X–X relationship (as I found out on my FriendFeed settings), but the unique key is still generated. This means that you can’t just find a profile, decipher the numerical user ID and then inject that into the URL – you still need the unique key, which can only be obtained by clicking on that user’s ‘Notes Subscription’ link, and if you’re not friends with them you can’t get to it.
I have tried manipulating various other URLs associated with Notes and Links, and the security seems to be holding up.
Although there is little impact in terms of a security risk, the implication of this is that someone could easily take the URL for a friend’s notes and publish it. Then, regardless of the privacy settings of that user, their notes and links will always be publicly viewable in an RSS feed.
What can we do about it? As yet, nothing. I have been unable to find any security or privacy settings that address this issue. It would seem that this is a piece of system architecture rather than a bug. I’d therefore say it was more an oversight on Facebook’s part. It has been reported to Facebook.
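To make the access-control property concrete, here is an added Python model of a feed endpoint of this shape. It is my own illustration, not Facebook’s code: the `NotesFeedService` class, the user names, the `only_me` privacy value and the key format are all constructed. `feed_as_described` checks what the post reports (a valid key for the X–Y pair is all that is needed, so a leaked URL keeps working whatever the owner later changes); `feed_hardened` keeps the same key but re-checks the owner’s live privacy setting and friend list on every request, and `revoke_keys` gives the owner the control the post could not find in the settings.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class NotesFeedService:
    """Toy model of a per-subscription feed key (constructed example, not Facebook's code)."""
    # Constructed state: unordered friend pairs, each owner's notes privacy, and minted keys.
    friendships: set = field(default_factory=set)   # {frozenset({"alice", "bob"}), ...}
    privacy: dict = field(default_factory=dict)     # owner -> "friends" | "only_me" (assumed values)
    keys: dict = field(default_factory=dict)        # key (the Z value) -> (owner X, viewer Y)

    def are_friends(self, a: str, b: str) -> bool:
        # The X-X case from the post: a user is always allowed to view their own notes.
        return a == b or frozenset({a, b}) in self.friendships

    def befriend(self, a: str, b: str) -> None:
        self.friendships.add(frozenset({a, b}))

    def unfriend(self, a: str, b: str) -> None:
        self.friendships.discard(frozenset({a, b}))

    def subscribe(self, owner: str, viewer: str) -> str:
        """Mint the Z key. Only a friend (or the owner) can reach the Subscribe link."""
        if not self.are_friends(owner, viewer):
            raise PermissionError("subscribe link is only shown to friends")
        key = secrets.token_urlsafe(8)   # constructed key format, not Facebook's
        self.keys[key] = (owner, viewer)
        return key

    def feed_as_described(self, owner: str, viewer: str, key: str) -> bool:
        """Access check as the post describes it: a valid key for the X-Y pair is enough.
        The owner's current privacy setting and current friend list play no part, so
        whoever holds the URL gets the feed."""
        return self.keys.get(key) == (owner, viewer)

    def feed_hardened(self, owner: str, viewer: str, key: str) -> bool:
        """Defensive variant: the key still names the pair, but the owner's live
        privacy setting and live friendship decide whether anything is served."""
        if self.keys.get(key) != (owner, viewer):
            return False
        if self.privacy.get(owner, "friends") == "only_me":
            return viewer == owner
        return self.are_friends(owner, viewer)

    def revoke_keys(self, owner: str) -> int:
        """Owner-side revocation (the control the post found no setting for).
        Returns the number of keys removed."""
        dead = [k for k, (o, _) in self.keys.items() if o == owner]
        for k in dead:
            del self.keys[k]
        return len(dead)


def demo():
    """Walk through the scenario from the post and return the two checks' verdicts."""
    svc = NotesFeedService()
    svc.befriend("alice", "bob")
    key = svc.subscribe("alice", "bob")        # bob clicks alice's Subscribe to Notes link
    before = (svc.feed_as_described("alice", "bob", key),
              svc.feed_hardened("alice", "bob", key))
    svc.privacy["alice"] = "only_me"           # alice later locks her notes down ...
    svc.unfriend("alice", "bob")               # ... and drops bob as a friend
    after = (svc.feed_as_described("alice", "bob", key),
             svc.feed_hardened("alice", "bob", key))
    revoked = svc.revoke_keys("alice")         # only the hardened design offers this
    return before, after, revoked


if __name__ == "__main__":
    print(demo())   # ((True, True), (True, False), 1)
```

Note what the hardened variant does and does not fix: the key in the URL remains a bearer secret, so anyone who obtains the URL still presents a valid key. Re-checking the live privacy setting and allowing revocation limit what a leaked URL yields and let the owner cut it off; they do not stop the URL from being shared in the first place.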