Posted March 19, 2008 5:38 pm


As promised yesterday, Facebook has announced new privacy measures. The new features include long-sought privacy controls based on friend lists (which were introduced in December). The blue privacy lock icon will denote areas that can have custom privacy options, which will apparently include most of the site, from photo albums to contact information.

The privacy controls will even allow you to specify exactly which friends can and cannot see your photos and information, as well as allowing friends of your friends to see your information. Facebook states that this will be most beneficial “for people whose strongest social connections are not through the networks they’ve joined, but through the friends they’ve added.”


However, it is not all good news for Facebook’s new privacy features. CNET reports that they’re already seeing a problem with them. One of the options for college students is to allow only other undergraduates at their institution to see their information and photos, barring us “adults” (alumni, professors, grad students, etc.). However, as CNET’s Chris Soghoian points out, anyone who has an email address from the institution can set their status to whatever they like, so a professor can claim to be an undergrad and a grad student can pose as an alum:

To test this out, I changed my own status at Indiana University to that of an undergrad, a staff member, and an alumni before switching back to being a graduate student. Facebook’s system didn’t complain once, and I was able to verify that the updated status was indeed reflected on my own profile.

This is a fairly significant security flaw in Facebook’s fancy new privacy controls, and frankly, there isn’t too much the company can do to fix it. In the real world, it’s perfectly possible for an administrative staff member to go back to school (and thus become an undergrad), or for a grad student to become a professor. The status controls need to be modifiable.

On the whole, the new privacy settings are a good thing (which will finally convince me to use friend lists). But what do you think: would it be better for Facebook not to offer this last privacy setting at all?

UPDATE: In a statement, Facebook reminds us that “users have always had the option to make their profile visible only to people they add as friend.”