Friday, 23 September 2011

Facebook friends lists are now less private

Photograph by D Sharon Pruitt. CC-BY 2.0
Today started with breakfast. A breakfast so good that I decided to tell my friends on Facebook about it. Rather than telling everyone about my breakfast habits, I have a friends list that I use for the purpose. Actually, I have dozens of lists, with people categorised by interests, social circle, location, shared experiences, personality type, programming language, and all manner of other criteria.

Telling my friends about my breakfast shouldn't have been a big deal, except when I selected my breakfast list, Facebook informed me that posting to lists has changed, and now users will be able to see who else can see a given post. The pop-up cheerfully informed me that they won't be told the name of the list they're on, so everything's okay, right?

Well, no... Firstly, I don't need to know the name of the list, I can infer it. Let's say I'm reading one of your posts: are you talking about a very personal experience? That's probably your list of close friends. Is your post in Klingon? These are probably your Klingon-speaking friends. Is everyone else in your list a family member? I'm guessing this is your family list.  Sometimes you might be sharing your most private and intimate fantasies and details...

Hovering over the cog gives the view above. Clicking on it reveals a complete list.
So, why is this a big deal? Well, I'm blessed with a fabulously diverse selection of friends, and many of them feel safe about sharing an awful lot of their life with me. Consequently, one of my biggest uses for lists is to record my friends' health and lifestyle choices. Cancer survivor? Sexual minority? Circus freak? Transgendered? Member of the Jarjar Binks appreciation society? Ethically flexible geneticist? Emacs user? Incurable stigmatising disease? Useful in a zombie attack? Illegitimate child? Chances are, I have you on a list.

In the past, I could cheerfully post relevant information to these lists, without fear of outing anyone. Of course, my friends could always out themselves, by commenting or liking a post, but those who chose to just observe remained private. That's no longer the case. To post to a list means outing everyone on that list, at least to each other.

It's not going to take long before the typical user starts encountering these issues. Am I in your list of close friends? Now, when you share a post with them, not only will I know that I'm special, but I'll know everyone else on that list, too. In fact, I can write a bot to regularly look at the audience of your posts, and see when you add a new person to your close friends list. More interestingly still, I can spot when you remove someone. You wanted me to have that information, right?

Amazingly, I don't want to share my list of close friends, not even with my close friends themselves. I consider my list of friends, but especially my list of close friends, to be pretty darn private.

Unfortunately, the workarounds for this change are pitifully few. Reading the documentation, we can see that smart lists reveal their names, but not their members. However they're primarily focused on clumping people by geography, and are automatically updated by Facebook, so the opportunity for surprise is rife.  The only thing I've found which works is negative inclusion.

Put simply, if you post to friends, but exclude certain lists, it still shows up as being posted to "friends".  So you can still retain privacy by posting to friends, and excluding all the ones without a Jarjar Binks fetish.  There might be other ways to hide the audience, but I'm yet to find them.

Needless to say, this isn't a good workaround, and it requires some seriously heavy-duty list management. If you have dozens of lists, you're going to have to produce the inverse of all them.  What's more, every time you get a new friend, you'll need to add them to all the inverted lists, too. That either means you need to be very patient and thorough, or have some sort of code assisting.

If you feel like writing your own bot, so you can watch to see which lists you happen to be on, then I suggest using the Graph API to monitor your friends' activities. To actually get the audience, you'll need to call as a logged in user (or clever bot) to see it, with the Facebook ID of the post attached to the end.

I'm hoping Facebook will decide this was a mistake and reverse the changes, otherwise I look forward to harvesting any friends lists you put me on. ;)

Flattr this


  1. You call yourself a privacy geek but you say you are storing information about people's health, sexuality and employment online - on a service with a less than perfect privacy record - presumably without their knowledge.

    Those who choose to disclose this information on their profile retain control over who can see it and can reasonably assume Facebook won't make it publicly visible, but you are presumably both storing information on people who aren't sharing this information, *and* you don't know if Facebook will at some later stage make your list names available to anyone who can see your friends list.

    You should delete the information and allow them to opt-in if they wish.

  2. Actually, the thought of Facebook making list names visible doesn't bother me anywhere near as much as making their members visible. The majority of my lists are geographical (Melbourne, Portland, NYC), or interest-based (Pirate, Steampunk, Perl). These are hardly controversial.

    Almost all my other lists use codewords, rather than actual descriptions. My primary concern here isn't Facebook revealing list names (although I'd have a field day if they did), but much more about preventing accidental disclosure should someone glance over my shoulder in meatspace. The names of the lists themselves are not revealing.

    Most of my heavy-use (non-geographic) lists that see a lot of activity are opt-in, with opt-out information accompanying any relevant posts; I don't want to be spamming people with information they don't care to see.

    In any case, asking me - personally - to delete my lists doesn't change the scenario for every other person out there who's been using them. If list names ever do go public (something which would make me very surprised), the only thing my naming system is likely to reveal is that I'm paranoid about their disclosure.

  3. One month later and I finally noticed this. Your blog is the only one I found that details this, as it evidently went over my head when they switched things up. What a pain in the ass.

  4. Hi, now i know this thread is already somewhat old. However, I actually only came across this post now and I couldn't agree more!! I really don't want my friends to see who I am including/excluding from a list... strangely enough this setting only changed for me (or at least I was only informed about it( around a month ago and it really upset me! I am just wondering if by now you've already found a way to work around this?? I was trying to and was searching the web high and low for this but couldnt find anth apart from using exclusion like you said (which is rather annoying though)... thanks for any answer!

  5. Unfortunately, except for exclusion, I *don't* have a good workaround. It is something I'd love to see, even if that something's a greasemonkey script, or a command-line tool.

    I'm travelling for the new few months, so realistically this is most likely to happen from me if someone drags me into a hacker-lab and shows enthusiasm for the concept.

    Alternatively, if someone else *has* made a tool, I'd *love* mention it here.