Facebook Places Privacy Falls Short: Non-Authorized Check-Ins by Friends are Visible

[Readers might be interested in my follow-up post: Facebook Places Privacy Falls Short, Part 2: Opting-Out]

Facebook has finally launched its location-based service: Places. Places allows Facebook users to “check in” wherever they are (or pretend to be) using a mobile device, and let’s their friends know where they are at the moment.

Facebook has tried to do a better job addressing privacy with Places compared to previous launches of new “features”. Particularly, Facebook brags that “no location information is associated with a person unless he or she explicitly chooses to become part of location sharing. No one can be checked in to a location without their explicit permission.”

And while many applaud Facebook for the design of Places (the best design decision, perhaps, was to make check-ins visible to friends only by default, rather than everyone), there are some serious ways in which Facebook has fallen short in fully protecting user’s locational privacy.

The folks at EPIC, EFF, and DotRights have each done a good job outlining the primary concerns, and I don’t want to repeat them all here.

But as I’ve played around with the service, I’ve uncovered a problem with Facebook’s assertion that “no one can be checked in to a location without their explicit permission.”

While Places is largely an opt-in service — one needs to install and use it on a mobile device — anyone can be “checked-in” to any place by a friend. This can happen regardless of whether you use the service yourself. If you get checked into a place by someone, and you haven’t already authorized the service or these kinds of check-ins, you’ll receive an email asking if you want to allow check-ins by friends. Below is an email received by my wife when I tagged her as joining me at a local liquor store.

Given Facebook’s assertion that “No one can be checked in to a location without their explicit permission,” presumably my wife won’t be checked into this location until she clicks “Allow Check-ins” on this alert message.

She didn’t click, and hasn’t made any other changes to any of her Facebook settings. Yet, if any of my friends look at my Facebook feed, they’ll see the status update of my check-in at the liquor store, with my wife’s name there with me:

And her name also appears with my check-in on the location’s page automatically generated by the Places service:

So, where does this leave us?  My wife has not authorized me (or anyone) to check her into places. She doesn’t use the service. In fact, she wasn’t even at the liquor store at all.

Yet, I was able to tag her in my check-in, and all my friends now see her name linked with my check-in as if she was there. Granted, the check-in does not show up in her news feed, but it is there in mine, and I suspect if I had my privacy settings set to “Everyone”, then everyone would see my wife’s name as being checked into the liquor store.

UPDATE: I’ve tested having my settings on Everyone, and then looking at my feed from a dummy account I have (yeah, violating the TOS, I know). Here’s the screenshot confirming my wife’s name is visible alongside mine to the entire universe:

Recall Facebook’s claim that “no location information is associated with a person unless he or she explicitly chooses to become part of location sharing. No one can be checked in to a location without their explicit permission.” My wife did not explicitly choose to become part of location sharing. She did not give any explicit permission to be associated with this location. Yet, there her name is, and anyone viewing my feed can now associate her with being at this location. It is unknown whether this association between her name/account and this location is logged within Facebooks databanks, and thereby available to be shared with marketers, handed over to law enforcement, etc.

This is a serious problem. Names and linked user accounts should not be associated — in any way — with a particular location unless they explicitly consent to it. Facebook needs to listen to its own rhetoric and make the necessary changes to protect user’s locational privacy. I should not be allowed to tag someone in a check-in unless they’ve taken the positive step of authorizing check-ins from friends. Locational privacy needs to be fully opt-in, not opt-out.

[I haven't yet checked to see if my wife's name will disappear from this existing check-in if she takes the affirmative step to disallow friends from checking her into place. I'll post an update once that happens] See this post where I detail the steps it took for my wife to opt-out, and that her attachment to this particular check-in remained.

UPDATE: TechCrunch just posted a similar discovery, and they don’t seem all that worried about it, noting that “Facebook treats this as if you were tagged in a basic status update.” But there’s a meaningful difference between simply being tagged in a status update, and having your location unknowingly disclosed in a status update. And this is the critical issue that Facebook again has misunderstood: tagging someone’s geographic location is not something to be treated like every other Facebook activity.

UPDATE: There’s been assorted media coverage of my discovery and our subsequent discussion: MSNBC.com, MediaPost, SC Magazine, CBC News.

[Readers might be interested in my follow-up post: Facebook Places Privacy Falls Short, Part 2: Opting-Out]

Print Friendly

Tags: , ,

 refinansiering av lån uten sikkerhet . Hundehaftpflicht