Monday, December 7, 2009

Understanding Facebook Tagged Photos Privacy

We discuss how to improve your privacy on Facebook when other users tag you in their photos.

To understand the tagged photos privacy features of Facebook, we designed a Facebook usage lab. Our laboratory includes three individuals who graciously volunteered to be part of the tests. Bob is in Alice's contact list because he is her lover, and Chuck is in her contact list because he is her official partner. Chuck suspects that Alice is unfaithful, but he needs evidence to drag Alice into a vortex of unhappiness and sorrow.

Each of the users uploaded one picture: PhotoB, PhotoA and PhotoC. The critical photo is PhotoB, uploaded by Bob, in which Alice appears.
In Facebook, a user can tag photos with names. If the name belongs to a contact of the user, the tag is linked to other public photos of that contact. The privacy features of tagged photos are centered around:

a) who can view the photos published by user A and
b) who can view the photos where user B was tagged.

We will briefly discuss the scenario where Bob tags Alice in his photo, with the default configuration.
By default, Bob's photos are only visible to his friends, in this case Alice and not Chuck. But if Bob one day needs to share something and changes his profile privacy from "Only Friends" to "Friends of Friends" (Settings > Privacy > Profile > Profile), then Chuck will notice in his Facebook feed that Alice was tagged in a photo owned by Bob. This is due to Alice's default tagged-photo visibility setting, "Only Friends", which lets her friends view the photos where she was tagged. If Alice changes her tagged photos setting to "Only Me" (Settings > Privacy > Profile > Photos Tagged of You > Customize... > Only Me), then Chuck will not see the critical PhotoB.
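
The scenario above can be checked as a small access-control model that evaluates every combination of the two settings. This is an added example, not part of the original post and not Facebook's actual logic; the rule in `tag_exposes` and all function names are assumptions that simplify the behaviour described here.

```python
from itertools import product

# Friendship graph of the lab described in the post (undirected).
FRIENDS = {
    "Alice": {"Bob", "Chuck"},
    "Bob": {"Alice"},
    "Chuck": {"Alice"},
}

def audience(user, setting):
    """Users allowed by `setting` when it is applied to `user`'s content."""
    allowed = {user}
    if setting in ("Only Friends", "Friends of Friends"):
        allowed |= FRIENDS[user]
    if setting == "Friends of Friends":
        for friend in FRIENDS[user]:
            allowed |= FRIENDS[friend]
    return allowed

def tag_exposes(viewer, owner, tagged, owner_setting, tagged_setting):
    """True if `viewer` learns of `owner`'s photo through the tag of `tagged`.

    Assumed rule (a simplification of the post's scenario): the viewer must
    be inside the owner's profile audience AND inside the tagged user's
    "Photos Tagged of You" audience.
    """
    return (viewer in audience(owner, owner_setting)
            and viewer in audience(tagged, tagged_setting))

def exposure_matrix(viewer="Chuck", owner="Bob", tagged="Alice"):
    """Evaluate every combination of the two settings for PhotoB."""
    owner_opts = ("Only Friends", "Friends of Friends")
    tagged_opts = ("Only Me", "Only Friends")
    return {
        (o, t): tag_exposes(viewer, owner, tagged, o, t)
        for o, t in product(owner_opts, tagged_opts)
    }

if __name__ == "__main__":
    for (o, t), seen in exposure_matrix().items():
        print(f"Bob={o!r:22} Alice tagged={t!r:15} -> Chuck sees PhotoB: {seen}")
```

Under this model, the only combination that exposes PhotoB to Chuck is Bob on "Friends of Friends" with Alice's tagged photos left on "Only Friends"; Alice's "Only Me" setting protects her regardless of what Bob chooses.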

To search for photos and test the visibility you can use "photo_search.php".

There you can view the photos "visible" to user A, who is currently logged in. These photos can be from user A's profile, or from another user but tagged with the name of user A, whose numerical identifier is USER_NUMERICAL_ID.

Join the privacy lab via Facebook (Alice, Bob and Chuck) or the Data Privacy Army if you want to contribute scenarios or comments!