LAS VEGAS--A researcher has compiled a list of more than 170 million Facebook users and the Web addresses of their profile pages on the site and released it on a file-sharing site, meaning it is making the rounds of thousands of computers instead of just being accessible via a search on Facebook.
Ron Bowes wrote a script to download all Facebook profiles listed in the social network's public profile directory, which only includes people who have configured their settings for Public Search Listings to be available on Facebook.
In a blog post earlier this week on Skull Security, Bowes said he downloaded information on 171 million Facebook users, roughly one third of the estimated total of 500 million. (The Skull Security site was inaccessible Thursday morning, but a cached version showed the contents.)
"I realized that this is a scary privacy issue," Bowes wrote. "I can find the name of pretty much every person on Facebook."
Bowes said Facebook users can change their settings so they do not appear in the public directory going forward, but even people who do that now will still have their information in Bowes' torrent file, which is available on the file-sharing site Pirate Bay. There have been more than 10,000 downloads of the file.
"Once I have the name and URL of a user, I can view, by default, their picture, friends, information about them, and some other details," he wrote. "If the user has set their privacy higher, at the very least I can view their name and picture. So, if any searchable user has friends that are non-searchable, those friends just opted into being searched, like it or not! Oops :)"
To figure out if your name is on the list released by Bowes you can either download the file or check your settings on Facebook. To do that, click on the "Account" pulldown menu on the upper right of your Facebook page and click on "Privacy Settings." Then select "Basic Directory Information" and "View Settings." If "Search for me on Facebook" is marked for "Everyone," your information might be on the list.
In a statement, Facebook said that its members have control over their settings and that the information collected was information they had chosen to make public.
"People who use Facebook own their information and have the right to share only what they want, with whom they want, and when they want. Our responsibility is to respect their wishes. In this case, information that people have agreed to make public was collected by a single researcher," the statement said. "This information already exists in Google, Bing, other search engines, as well as on Facebook. No private data is available or has been compromised. Similar to the white pages of the phone book, this is the information available to enable people to find each other, which is the reason people join Facebook. If someone does not want to be found, we also offer a number of controls to enable people not to appear in search on Facebook, in search engines, or share any information with applications."
Many Facebook members may not understand how they can configure their settings to avoid sharing more information than they would like to. Members have complained that they were forced to reset their privacy settings back to higher privacy when the company made changes to the site that undid their settings. The furor over privacy issues on the site has prompted protests from Facebook members in recent years.
Online services like Facebook and Google are reluctant to provide users with privacy-protecting mechanisms when opening up the data means more features and the possibility for more revenue, said Moxie Marlinspike, a researcher who gave a talk at the Black Hat conference here on Thursday titled "Changing Threats to Privacy: From TIA to Google."
Marlinspike said he is working on projects designed to allow people to anonymously use online services that are integral to work and social life now but that pose privacy quandaries. For instance, a Google Sharing add-on for Firefox that has been around for about six months allows people to use Google services anonymously, he said.
"Facebook isn't going to do this for us; we have to do that for ourselves," he said. "This is a solved problem (with cryptography)... it's just that these sites aren't going to implement it."