Facebook privacy settings said to be bypassed by Storify app

Late Thursday, AGBeat broke the story that through the Storify app, users can bypass privacy settings and publicly share Facebook status updates from private users as well as from within private groups. The story has technologists and laypeople alike considering the value of online privacy, some asking if the ability to publish private statuses crosses a line. We initially pointed out that private Twitter accounts cannot be “Storified,” but private Facebook updates could, in an effort to illustrate that the app has the ability to protect private status updates on another social network.

We also initially pointed out that this situation, regardless of fault, is a great reminder that there really is no such thing as privacy, that anything can be screenshot, but many have asserted publicly that the Storify app allows users to inadvertently share private status updates without permission from the original user, nor from a user marked as private.

“Screenshots are malicious. This can happen by accident. That’s the difference,” said Marc Lefton, who is known as a business network pioneer for his founding of Adholes.com, and is a partner at Half Fiction.

Facebook is now investigating

A Facebook spokesperson told Mashable that Storify is not getting any of the data through Facebook’s APIs, likening the process to a screenshot.

Meanwhile, another Facebook spokesperson told The New York Times that the social media giant is now investigating how to solve the problem, explaining that the browser extension allows a user leto intercept the message posted on Facebook and add it to Storify.

According to the Facebook Data Use Policy, information that is always publicly available includes a user’s name, profile pictures and cover photos, network, gender, username, and user ID. In that list of data points, status updates are not included, leaving some to question whether people who have posted status updates that were not deemed public are responsible for having put them on Storify, violating Facebook’s Terms of Service, or if it is the responsibility of Storify to make private information less accessible, like private Twitter accounts which cannot be Storified.

One technologist opined that users could request that Facebook provide more granularity to data sharing, but notes that making that a priority for Facebook is unlikely.

Storify calls it “an etiquette issue”

Storify Co-Founder, Burt Herman commented on the original story, “This isn’t a technology issue as much as an etiquette issue. Now that everyone has the power to easily publish to the whole world, we all need to think about how to use that power.”

Danny Brown, founder of For Bloggers By Bloggers, and author of The Parables of Business asked Herman, “Surely the etiquette should be for technology API’s to respect privacy settings and be unable to let users post private group updates, no?”

“It’s up to you to decide what to share online, and whether to trust the people who can see what you share,” Herman responded, adding on Twitter that “It’s no accident if you decide to publish something – you’re making a deliberate decision.”

Storify says privacy exists only when posting solely to yourself

Former journalist, and General Manager of Social Media at Internet Media Labs, Amy Vernon tweeted, “Things from private groups show up in your newsfeed. When you click on it, you might not realize it’s a private post,” which Herman responded by asking if something is really “private” if you can see it?

Vernon noted, “There have been many times I’ve seen private posts in my newsfeed that have startled me [because] I didn’t realize they were private,” later tweeting, “If you’re in a “private” group, anything you post there shows up in the news feeds of all the other [people] in that group. It’s easy to miss that it’s for that group and not public. The “Storify” link is right next to the “like” link.”

Herman retorted that “If you can see something, how is that “private”? Anyone could easily copy it. Private is posting solely to yourself,” adding that “again, you could easily copy it. It’s up to you as a writer to decide what you feel is appropriate to publish.”

Herman then took to the Storify blog to explain their position. “To clarify, we want to reassure you that Storify does not make anything public that hasn’t been collected by a user and published in a story. Also, Storify users do NOT have access to content on the web that they couldn’t otherwise see themselves.”

“We believe strongly in freedom of expression and democratization of media in the Internet age,” Herman stated. “Anyone can now easily and cheaply publish to the web and reach a global audience. That also means each of us with this power must consider how we use it.”

Web community reacts to Storify’s position

Julie Pippert, Founder and Director of Artful Media Group, responsible for originally unearthing the privacy dilemma said she is “disappointed with the tone and tactic Storify has adopted.”

“I was very emphatic and deliberate in stating we all have a responsibility and need to exercise caution as posters and sharers,” Pippert said of her original statements published on AGBeat. “However, the statement from Storify to “make better friends” is not very productive. Even good friends can make a mistake. A more constructive solution would be smarter and better.”

Marc Girolimetti, Founder of Red Raider Studios, with over 16 years of interactive and software experience said, “They’re focused solely on customer acquisition and not on a sound model, which is a result of a sound vision. If they’re acquired, it’s because somebody wanted the eyeballs, not the product.”

Brown, who was among the first to question the Storify Co-Founder, wrote in depth regarding how he believes Storify misses the point on protecting privacy, asking, “Instead of blaming the user, why doesn’t Storify take the higher road and have a filter/blocker in place (similar to the Twitter scenario) where a message pops up prior to the sharing that asks the simple question: “This content is from a restricted source – are you sure you wish to share?” Or, better still, simply change the way Storify scrapes network API’s and only allow sharing of clearly publicly available content. Of course, to do this would mean admitting Storify (and, by association, Facebook) have a problem. And no-one likes to admit they have a weakness…”

Vernon commented on Brown’s blog that, “I realized [Storify doesn’t] actually care what the privacy status of a post is and placed the onus completely on the user. I’m the first one to tell people that they should assume everything they do online (including private email to only one other person) could be made public. But that doesn’t mean that the tools we use should ignore the privacy settings that exist.”

CEO and Founder of Zoetica, Kami Watson Huyse, a highly regarded 17-year public relations veteran said, “I think the issue here isn’t really technology as much as it is attitude. It is clear that Facebook could restrict private feeds and Storify could choose not to accept any content from private or secret groups if it were using the Facebook API, but to meet the feedback with scorn is a [public relations] faux pas.”

A “legitimate” user concern treated with disrespect

Mickey Gomez, Executive Director at The Volunteer Center Serving Howard County echoed Huyse’s sentiment, stating “I wish the Storify folks had been more responsive and less defensive. Here is an opportunity to engage with users – many of whom legitimately appreciate the platform and use it regularly. They’ve come to Storify with an issue of legitimate concern only to have trite platitudes flung back at them. “Pick better friends.” “Nothing is truly private.” “It’s no worse than a screen shot.” And perhaps the issue is on the Facebook side of the house, but even so, it’s being exploited by a Chrome add-on from Storify.”

“Even if they can’t do anything about it,” Gomez concluded, “acknowledging that it’s a concern to at least some users would be a step in the right direction. Explaining the issues – challenges included – would also be welcomed. Posting with a decidedly defensive tone did them no favors and was a disappointment.”

A commenter called “Serenity” commented on AllFacebook.com, “I’m sad that Storify is taking this approach. You have an opportunity to say, “Hey, wow, thanks for pointing that out. That’s important for users to know and we’ll try to address it.” Instead you go with, “You can publish what you can see, so be careful.” I’ve absolutely raved about your service in the past, but your reaction to this issue – including calling the title of the post “provocative” – runs counter to everything I’ve ever witnessed or learned about responding to criticism.”

The takeaway

Storify is without a doubt, a useful tool that is extremely popular and serves as an unparalleled curation tool, and even if private status updates are added by a user, at least it is public knowledge which individual leaked private status updates from a private user or secret group. Even Pippert continues to sing the free service’s praises.

That said, the vulnerable person whose private status updates are being used publicly was never asked for permission, violating their user rights having entered a private network to share private information privately. If the user is responsible for purposely or inadvertently sharing private information, the least Storify could do is ask “are you sure you want to share this information marked as private?” prior to it going public, helping their user to understand the difference, many of whom do not.

Storify could simply address the technical difficulties in separating public from private, and maybe even throw it back on Facebook, but rather chose to blame the user, which history has proven is never a good public relations move.

Storify of Storify’s ability to publish private Facebook updates

Vernon compiled community reactions regarding the original story, including her interactions with Herman. It is lengthy and in-depth, so click “Read More” at the bottom right to load more updates: