Horizon Nigh: Facebook employee talks about what goes on with your data

Thursday, January 21, 2010

❖

Facebook employee talks about what goes on with your data

Much of this should not be news to anyone, but still interesting to see someone talk candidly:

The Rumpus: On your servers, do you save everything ever entered into Facebook at any time, whether or not it’s been deleted, untagged, and so forth?

Facebook Employee: That is essentially correct at this moment.

Rumpus: You said they’re changing the policy of keeping all information.

Employee** :** No. They’re never changing that policy.

Employee: See, the thing is — and I don’t know how much you know about it — it’s all stored in a database on the backend. Literally everything. Your messages are stored in a database, whether deleted or not. So we can just query the database, and easily look at it without every logging into your account. That’s what most people don’t understand.

I can attest to that personally. When I first signed up for Facebook in 2005, when it was Thefacebook and the ‘wall’ was more like a wiki - but more to the point, when the site was much more closely-knit and less scary - I used a rather private AIM screen name that I usually only gave out to a select few people. I quickly realised this was a bad idea and changed it.

Three years later, an acquaintance was able to search for that screen name, and found my profile in order to ‘friend’ me. Now, this screen name wasn’t just hidden or anything - I had completely deleted it three years ago, as in, selected the text in the box, typed over it, and saved. There was no trace of it left in the user interface.

Now, the idea of ‘deleting’ something in the UI not actually being permanent is not new. I do this occasionally in the software I’m responsible for maintaining, in cases when we are dealing with financial transactions and a permanent audit trail must exist.

But the sticking point here is not whether they really need to keep something I’ve explicitly asked them not to; but that they were actually still making use of that data in a way that publicly affected me. I’m not sure what concerns me more: that it might have been intentional, or that it might have been a bug.

Which would be worse: that they’re using sensitive data maliciously, or incompetently? What other ‘deleted’ data might they be using in this way, whether they intend to or not?

Since then, I’ve been even more careful what I type, and of course, what I click:

Facebook Employee: … When you make any sort of interaction on Facebook — upload a photo, click on somebody’s profile, update your status, change your profile information —

Rumpus: When you say “click on somebody’s profile,” you mean you save our viewing history?

Employee: That’s right. How do you think we know who your best friends are?

Anyway, whoever this person is, they don’t sound like a very good engineer:

PHP is an example of a scripted language. The computer or browser reads the program like a script, from top to bottom, and executes it in that order: anything you declare at the bottom cannot be referenced at the top.

That is, of course, completely wrong.

Oh, and this is amusing:

When I arrived, a security guard handed me a non-disclosure contract to fill out, a requirement to enter the building. “Just making sure you’re not a Twitter spy,” he said.

Facebook seems even more paranoid about Twitter than Microsoft is about Apple and Linux combined. But really, what would Facebook possibly have that Twitter would even be interested in?