December 21, 2009 | By Tim Jones

Who Knows Who Your Facebook Friends Are?

As you may have heard by now, one of the biggest problems with Facebook's recent privacy overhaul was that it removed users' ability to hide their friend lists from the world. This was one of several changes that were met with substantial criticism and anger from the media and from Facebook users. The significance of the changes was eloquently explained by Joseph Bonneau, a researcher with the Cambridge University Security Group:

[T]here have been many research papers, including a few by me and colleagues in Cambridge, concluding that the social graph is actually the most important information to keep private. The threats here are more fundamental and dangerous-unexpected inference of sensitive information, cross-network de-anonymisation, socially targeted phishing and scams.

It’s incredibly disappointing to see Facebook ignoring a growing body of scientific evidence and putting its social graph up for grabs. It will likely be completely crawled fairly soon by professional data aggregators, and probably by enterprising researchers soon after. The social graph is powerful view into who we are—Mark Zuckerberg said so himself—and it’s a sad day to see Facebook cynically telling us we can’t decide for ourselves whether or not to share it.

Another aspect of the friend list controversy has been its impact on political activism in oppressive regimes. In an interview with PC World, Facebook seemed to claim that the new friend list policy would somehow aid dissident movements. A spokesperson said, "We believe that Facebook, as demonstrated during the Iran elections and events in multiple other countries since our inception, plays a critical role in allowing people to communicate, organize and stand up against oppressive regimes and there is real value of connecting and sharing, which is what we're trying to facilitate."

However, an anonymous ZDNet commenter offered an altogether different perspective:

A number of my friends in Iran are active student protesters of the government. They use Facebook extensively to organize protests and meetings, but they had no choice but to delete their facebook accounts today. They are terrified that their once private lists of friends are now available to "everyone" that wants to know. When that "everyone" happens to include the Iranian Revolutionary Guard and members of the Basij militia, willing to kidnap, arrest, or murder to stifle dissent, the consequences seem just a bit more serious than those faced from silly pictures and status updates.

Facebook, to its credit, responded to these criticisms by partially restoring users' previous control. Although their effort had a few false starts, users are now able to make use of a new checkbox:



By un-checking this, users can prevent most people from viewing their friend lists. (For a clear step-by-step guide, check out CNet's excellent tutorial.)

This is certainly an improvement, but it still falls short of the level of control that users had prior to the overhaul. Users are still unable to hide their friend lists from some or all of their friends, or from third-party Facebook applications which their friends install. In addition, the checkbox is in a counterintuitive and difficult to find location, entirely separate from most user privacy settings.

Facebook's ostensible goal in this overhaul was to give users more clarity, flexibility and control. But, with friend lists, they've accomplished exactly the opposite.


Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

Join us for EFF's 25th Anniversary Party on July 16 in San Francisco! https://www.eff.org/25th-anniversary-party

Jun 30 @ 7:57pm

Calling all bloggers: @EFF wants you to apply to our new activist position. https://eff.org/r.2773

Jun 30 @ 7:55pm

This week's @PlanetMoney podcast explores the shocking levels of secrecy around trade deals like TPP https://eff.org/r.aas6

Jun 30 @ 4:49pm
JavaScript license information