I use pretty much every social media site out there, including Google Plus, Facebook, Flickr, WordPress, Tumblr, and Twitter.
A lot of what I post to these sites is private, however, or at least very limited in terms of access (usually limited to close family and friends). A lot of this private content includes photos and videos.
Based on the security settings of these various sites, I’d always understood that content privacy was consummate. If, for example, I post a photo, I expect that photo to be completely contained within that privacy model.
But that’s not so. It turns out that photos posted to every social media site are published to the web in a completely exposed state. Only if you attempt to access the file through the web site is it protected. If you try to access the media file directly, it’s open to anyone.
To explain where the privacy breakdown occurs, I’ll first describe the way the web works in terms of how it models pages.
At the base level of the web are HTML files. These are simple text documents. They never actually contain images or videos. They are just text. To the average user, however, web pages appear to contain things like images through a “sleight of browser” trick.
Within the instructions embedded into web page documents are references to those images, with instructions on where and how to place them. The images can, in fact, be anywhere on the internet. So the photos always exist outside of web pages, and the web page essentially instructs your web browser to, “go over there, get that image, and display it here on the page in this manner.”
So when files are put on the web, be they HTML documents or photos, they can be protected within a secure zone. That’s why you’re required to log in at Facebook or Twitter, or any other web site that promises to protect your data.
And there’s where the problem begins to occur: social media sites are building security fences around the web pages that you directly interact with. But they’re warehousing the other media components, like photos, outside of those fences, where anyone can go digging around.
That runs contrary to the common mental model we have of how social media providers take care of our stuff. Most of us would expect the photos we post to be protected within the walled garden of the social media environment, like this:
But that’s not actually how it works. Social media sites push photos through their private area to be stored in a publicly-accessible environment, like this:
To the average user, though, because of that “sleight of browser” I mentioned, those photos can seem to be protected. Because photos appear to be a part of the web page, they seem to be part of its security model. But they’re not. It’s a trick. They’re sitting there, exposed on the open internet, for anyone to see and republish.
That means that someone – anyone – can sneak around the private area and snag any photo that’s been uploaded through any social media site, like this:
I’ve tested this on the following popular social media sites and I’ve found this to be true in every case:
- Google Plus
I was surprised by what I discovered, but I was shocked that it was even true on Flickr, where I’ve long trusted that a significant portion of my photo library is safe.
To demonstrate the problem in action, I published a number of images to some of those social media sites with the most restrictive privacy settings.
Here, for example, is an image I published to Facebook with a customized privacy setting that should allow only me to view it:
That image is being embedded into this page by a direct reference to the image on Facebook. It should be limited to my visibility only, based on what Facebook tells me about it, but it’s not.
And here is an image I’ve published to Flickr using that site’s most restrictive privacy settings; again, only I should be able to view it.
And here are a few more images I’ve published to some other social media sites, using each site’s most restrictive privacy model, which should limit access to just me or to one or two friends I’ve granted access to:
Here’s an image I published to a private account on Twitter:
Here’s an image I published to a private blog post on WordPress:
And here’s an image I published to an empty circle in Google Plus, which means it should be available to no one:
In all cases, the images are being served into this page directly from the social media environments themselves.
It’s worth noting that I’m not performing any super-awesome feat of hacking here to make this work. I’m just using the same skills that any kid with a basic understanding of HTML has. It’s fundamental HTML decomposition.
Delete Me (or not…)
But here, perhaps, is the kicker: you can’t get rid of these things.
Again, the social media site can let you delete an image within its HTML environment, but it leaves behind the detritus of your images on the public internet for all to see for evermore… or at least a long time.
Here, for example, is an image that I uploaded to Facebook, again using privacy settings that should restrict it to my view, and then deleted from Facebook:
Now I uploaded and deleted this image around lunchtime on Sunday, November 12, 2011. So at some point, presumably (hopefully?), it should be deleted from the public file server that’s storing it and the reference on this page should generate an error. I’ll be interested to see when that actually happens…
I didn’t test this anti-delete feature on all of the social media sites, I should mention, just Facebook.
Like a Lawyer
So social media sites are using the HTML layer of their sites to pretend to protect photos and other types of media that they are publishing in publicly-accessible data warehouses.
There is, in fact, a form of security present, but it’s pretty lame. It’s called obfuscation. The reference, or URL, to each photo that’s published is very long, very random, and very ugly. Here, for example, is the reference to the photo I published privately to Facebook:
As you can see, it makes no sense for the most part, and would be hard to guess.
The reference to the file on Flickr is almost as yucky:
But it’s not always so bad. Here’s the reference to the image I published privately on WordPress:
Now that’s quite a bit easier to guess.
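For contrast with an obfuscated but permanent file URL, here is what it looks like when the media server itself checks authorization on every direct request. This is an added example, not code from this post or from any of the sites named; the key, paths, viewer name and function names are all hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample data: a signing key shared by the page layer and the media
# server, and one private object with the viewers its privacy setting allows.
SIGNING_KEY = secrets.token_bytes(32)
MEDIA_ACL = {"photos/a1b2c3.jpg": {"alice"}}


def _signature(path: str, viewer: str, expires: int) -> str:
    msg = f"{path}\n{viewer}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_media_url(path: str, viewer: str, now: int, ttl: int = 300) -> str:
    """Page layer: issue a short-lived link for an already authenticated viewer."""
    if viewer not in MEDIA_ACL.get(path, set()):
        raise PermissionError("viewer is not allowed to see this object")
    expires = now + ttl
    query = urlencode({"viewer": viewer, "expires": expires,
                       "sig": _signature(path, viewer, expires)})
    return f"/{path}?{query}"


def authorize_media_request(url: str, now: int) -> bool:
    """Media server: decide whether a direct request for the file is served."""
    parts = urlsplit(url)
    path, query = parts.path.lstrip("/"), parse_qs(parts.query)
    try:
        viewer = query["viewer"][0]
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # bare file URL: hard to guess, but proves nothing
    expected = _signature(path, viewer, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False  # path, viewer or expiry was altered
    if now > expires:
        return False  # a saved or forwarded link stops working
    # Re-check the ACL so that unsharing or deleting takes effect at once.
    return viewer in MEDIA_ACL.get(path, set())
```

Until it expires, a signed link is still a bearer token: whoever holds it can fetch the file, so the lifetime should be kept short or the request also tied to the viewer's session.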
Should You Care?
That’s a valid question. Obfuscation might be enough for you (especially if you’re a lawyer).
But, let me paint you a picture…
You publish a photo of you and your current boyfriend to Facebook that’s super-private, and you share it with, well, just your current boyfriend because it’s that kind of image.
The next thing you know, your current boyfriend is your ex-boyfriend, in a nasty way. So you unshare the image. In fact, you’re so nervous, you go ahead and delete it from Facebook. And, as per your mental model of Facebook’s security, that’s the end of that.
But there’s that file reference to the original, publicly-available image. And, well, your ex-boyfriend took Basic HTML in grade 10 and figured out how to snag it. And he ruthlessly starts sharing it with his friends, and they share it with their friends, and, well, you get the picture.
And the sad fact of the matter at that point is: access to your image is out of your hands. You shared it privately on Facebook, and Facebook went and stored it in a public place.
So what’s the take-away from this? In a nutshell: images you upload to social media sites are only managed by the security model of that site when you access it within the context of that site. From anywhere else on the internet, your images are publicly accessible.
In other words, that mental model you have for the privacy of the stuff you publish to social media? It’s shit.
It’s a scary truth, and one that sort of chills me. I’ve been trusting several of these social media sites to keep my photos safe, some of them for years. Now it seems like I can’t trust any of them.