Privacy implications of Facebook Places

Facebook just introduced what they think is a great new feature called “Places”. Places is about sharing your current location with your friends: “you can share where you are and the friends you’re with in real time from your mobile device.”

As soon as Facebook releases something new, this rises suspicion how the company deals with the feature security- and privacy-wise. To get a better insight, we used two different accounts to see what Facebook thinks are good default values for a new component. One freshly created account and one with tightened security and privacy settings.

In the fresh account, these settings are set as defaults:

The good news is that only Friends can see the current location by default. Nicely done this time, Facebook!

The bad news is that users are automatically signed in to this service as soon as they start the application. Preferably Facebook should have the default setting “deactivate”, though.

The same is valid for the option “Friends can check me in to Places”. It stays unclear what the setting “Select one” means – whether users then get asked each time before the location gets published or if it is necessary to choose one of the other settings.

Now, after seeing the default settings for an account which was just created, we have had a look at an existing account with more strict privacy settings – and now comes the surprise! They are exactly the same, despite the fact that everything was configured manually in order to have more privacy.

To stay in control about one’s privacy it’s recommended to choose stricter settings:

We recommend these settings as we think that privacy is a serious issue nowadays. Just think about these points:

• I want to be in control of what is shared about me on the Internet, may it be posted from friends or not.
• If I would want to share my position to someone, I would have created an account on sites like Foursquare, which do offer such a service for much longer time than Facebook.
• Over-sharing can have dramatic consequences for me and those I care about. What if a burglar gets this information and breaks into my house while I am away? And what if my family is at home while I am not?

Even if Facebook learned something from the past and chose already some privacy in the default settings, they should reconsider their attitude regarding that. Else they might face the same problems as Google currently does with its StreetView service in Europe.

Sorin Mustaca
Data Security Expert