My colleague Kashmir Hill congratulated Facebook’s Mark Zuckerberg earlier today on his increasingly savvy approach to speaking out about privacy issues in public. It should be interesting to see him try to get out of this one.
The new “Groups” feature that Facebook rolled out yesterday allows users to slice and dice their friends into publicly visible cliques, recognizing that users don’t always want to share something with their entire friend list or just one recipient. But Sophos security researcher Chet Wisniewski points in his blog to a gaping issue in this feature: any user can add any of their friends to any of these groups without the friend’s approval, generating a status update indicating that the friend has been added to this group.
Mahalo CEO Jason Calacanis had complained in an open letter to Zuckerberg earlier Thursday that he was added to the same boyfriend group and offered some free privacy consultation to Facebook. “I’ve now been assigned to a group that advocates… well… ummm… you can research it, it’s very bad,” he wrote. “If you want to run these new features by me before I launch them, I can probably save you a few privacy lawsuits every year. :)”
Although some have questioned Calacanis’s story, Facebook’s own FAQ confirms that anyone can be added to a group without their consent: the question “Can I prevent people from adding me to a new group?” is answered with “The functionality to approve a group membership is not available.”
Sophos’ Wisniewski argues the prank could have serious consequences. “Imagine traveling to the United States from overseas and your friends find it fun to add you to a group that seems related to terrorism,” he writes. “You might find a border patrol welcoming committee that you didn’t expect.”
In all fairness, however, the problem of ending up subscribed to a group that you’d rather not associate with isn’t new. As my colleague Kashmir points out, sometimes we all unintentionally find ourselves subscribed to an email distribution list that broadcasts our membership to all other members. Unlike email, however, Facebook groups are visible to friends who are not members of that group.
I have reached out to Facebook for comment on this and will update if I hear from Facebook executives.
Facebook should be credited with avoiding the autofill feature Google Buzz used to generate friend lists from user activity when it launched last February. As Kashmir wrote, the company could have used this technique to automatically segment users into Facebook groups, but would likely have suffered the same privacy backlash that Google faced when its Google Buzz trick revealed who users chatted with most often without their express consent.
But Facebook Groups’ tactic of letting users create lists manually creates its own potential for embarrassment. Expect Zuckerberg to tweak the functionality to correct this design flaw, or find himself enrolled in many other clubs that are less than suitable for a CEO.
Do you see Facebook Groups as another privacy issue for Facebook? Or is Zuckerberg making headway in overcoming Facebook’s privacy criticisms? Let me know your thoughts in the comments below.