Facebook and Security


Before I start today's posting here's a photo for you all to pause and look at to remind you that it will be the summer soon.

sweet peas in Milton Country Park

So why am I posting this? Well, today I posted on Facebook a scan of my new Maritime Radio Operator Certificate of Competence, Short Range Certificate which came in the post today.

Before doing so I checked the sharing settings I have set for photos, as this was an official document and I don't want the world to see it. These were, I noted, "Friends only" (with some exceptions for a few people who, although nominally "friends", don't get to see anything more than the most basic details about me).

Despite that, I used The Gimp to blank out the certificate number and add "SAMPLE" over the issuer's signature. Which is lucky really, as it turns out that Facebook will quite happily serve images uploaded to their server even when you're not logged in at all.

The photo above, which has exactly the same Facebook permissions as my certificate, illustrates that. If you look at the URL of the image, it's being served by a server called a8.sphotos.ak.fbcdn.net, which is one of Facebook's servers, i.e. it's coming live from their server, not mine. They're relying only on the obfuscated URL for security.

So if I told you the whole URL of the licence scan you could view that too, even if you're not logged into Facebook or indeed don't even have a Facebook account.

I suppose you could argue that only my friends will easily be able to work out the URL of the photo above[1], and they could just as easily copy the photo and then pass it on to someone else, but it still makes me uneasy.

  1. http://a8.sphotos.ak.fbcdn.net/hphotos-ak-snc1/4969_101101776878_689621878_2490970_5891963_n.jpg
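
The difference between relying on an obfuscated URL and checking who is asking, as an added example that is not part of the original post and is not Facebook's code. The photo path, signing key, user names and function names are all constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
# Constructed sample data: one photo whose owner shares it with two friends only.
PHOTOS = {"/photos/4f9c2a_n.jpg": {"audience": {"alice", "bob"}}}


def serve_obscure(path, session_user=None):
    """Behaviour described in the post: knowing the path is the only check."""
    return 200 if path in PHOTOS else 404


def _mac(path, viewer, exp):
    msg = f"{path}|{viewer}|{exp}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path, viewer, exp):
    """Issue a link bound to one viewer and an expiry time (Unix seconds)."""
    query = {"viewer": viewer, "exp": exp, "sig": _mac(path, viewer, exp)}
    return path + "?" + urlencode(query)


def serve_signed(url, session_user, now):
    """Serve only if the link is authentic, unexpired and used by its viewer."""
    parts = urlsplit(url)
    photo = PHOTOS.get(parts.path)
    if photo is None:
        return 404
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        viewer, exp, sig = q["viewer"], int(q["exp"]), q["sig"]
    except (KeyError, ValueError):
        return 403  # unsigned or malformed link
    expected = _mac(parts.path, viewer, exp)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return 403  # forged or tampered link
    if now > exp:
        return 403  # link has expired
    if session_user != viewer or viewer not in photo["audience"]:
        return 403  # forwarded link, or viewer no longer in the audience
    return 200
```

With the second scheme, a link passed on to someone else stops working because the server checks the logged-in session against the viewer named in the signed link, although, as the post notes, nothing stops a friend copying the image itself.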

Tags: internet Written 07/03/11

Previous comments about this article:

On 07/03/11 at 12:22pm Dave Holland wrote:

My rule is "don't put anything on Facebook you wouldn't want the world to see" - works so far...

On 07/03/11 at 5:55pm Steve Hunt wrote:

Doesn't surprise me. The company run by a man who thinks privacy is history or whatever it was. Completely untrustworthy. (If I were you I would be tempted to obliterate the signature completely.)

On 08/03/11 at 10:15am Mary-Ann Johnson wrote:

The one useful thing about it is that you can share photos easily with friends who aren't on Facebook. If you're the owner of an album, there's a link at the bottom of the album page which you can send to non-Facebook people, to view the album. That's what tipped me off a little while back that it was only security by obscurity.
