Stanford CIS

Facebook’s Failure to End ‘Public by Default’

By Woodrow Hartzog on

Co-authored by Woodrow Hartzog and Evan Selinger


Turns out, you can’t create an idyllic global village by fetishizing connecting people. In the most recent chapter of the book on why Silicon Valley still doesn’t get it, the New York Times recently reported that Facebook “removed 66 accounts, pages and apps linked to Russian firms that build facial recognition software for the Russian government.”

It’s unnerving, to say the least, that prime suspects SocialDataHub and Fubitech might have scraped enough user profiles to create “a mirror of the Russian portion of Facebook” so Putin could repurpose the information and weaponize it for authoritarian surveillance. From fake news to state-sponsored tyranny, we’re living through a moment where all kinds of bad actors have their eyes set on Facebook’s treasure trove of personal data. Even assuming the platform was ever reserved for our “friends,” it isn’t anymore.

The Times writer wasn’t editorializing, so the coverage overlooked a critical part of the story. Facebook’s appetite for connecting users led the company to build its system in a way that made this kind of mass exfiltration of user data inevitable. Indeed, the platform could have gone a long way toward preventing this sort of thing from happening, just by making the single decision to protect users’ current profile pictures behind default privacy settings.

Right now, users have little choice in the public exposure of their profile pictures. Every single one of them is set to “public” by default. Even if you try to limit your current profile picture visibility using Facebook’s privacy settings for the individual photo, it will still be public. If you don’t want your profile picture to be public, the only winning move is to delete your account. That’s increasingly difficult to do these days, because not having a social media presence can limit your personal and professional opportunities and even raise the suspicion of authorities.

As a result, the company forces us to be vulnerable to hazards we should be protected from.

Zuckerberg and his team know full well that dangerous people and menacing organizations are tempted to extract the data, terms of service be damned. For these folks, our profile pics are an irresistible treasure trove.

Read the full piece at Medium.