It says leaving your full birth date is not recommended (identity theft). So I went to the info page and clicked "edit information" but instead of having edit boxes on the Info page facebook recommends me to convert are my movies, music, colleges itc. into a pages (so they can track it better.. or make it more unified?). It's very hard to navigate away from that page (for a normal user anyway) and when you select nothing and click save they threaten you there's going to be none of the information in those sections on your profile (wow! now I'm scared!). Seriously --- it's becoming worse and worse, how can they be so disrespectful to their users, how can they not fear losing them??
In the spirit of due diligence I started up a debugging proxy before I ran the scanner, so that I'd be able to tell if it collected any info.
Happily, it seems the only requests made are to fetch the javascript that does the scanning, and to various Facebook pages and associated content such as Facebook's CDN and "channels."
You can remove all of your boxes and delete the likes/interests facebook generates for you by clicking the delete button next to the avatar for the page.
For the source code, I wouldn't include the compressed jQuery if possible. Speed isn't as important here as transparency and it's quite difficult to scan to tell whether there are any issues. I know you don't want to take up a lot of room with jQuery but it really will help increase my ability to recommend to others if all the code is easy to read.
You might also want to put comments on slightly scary things like PARTNER_APPS to be sure people don't believe Yelp are YOUR partners or something crazy like that.
Some of these things sound paranoid, but I'd like people to feel 100% comfortable using your bookmarklet.
It worked great for me and identified some things I missed somewhere. Nice work.
I would use a CDN for the jquery, maybe http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min... - that way, people don't have to make sure you haven't hidden the maliciousness in your version of jquery, which most people might not want to verify.
Instead of copying and pasting jquery into your js, you could pull it from google's CDN, that way it would be cached for a lot of people and trustworthy. Well, trustworty-ish. :)
Yes, but the bookmarklet only contains one line of code, which fetches the remainder of the script from your server. So you could possibly replace it at any time with something evil...
Sorry for being paranoid. I very much like your initiative, but people are going to ask questions about these sort of things.
yea, I understand the concern, that is partially why I linked the source to my own github account (adds some accountability) and left everything uncompressed and commented. Unfortunately, it isn't possible to put the entire source into the bookmarklet itself due to browser length-limitations, so the remainder of the code will always need to be loaded separately.
Shame there isn't a way (in HTML) to say "the src of this <script> is at http://.... and it's SHA512 is a5872... or it's signed by GPG key 0x1276e...". That would solve that problem.
for any of the Javascript/HTML/CSS, you can just diff it with the GitHub code to be certain. Also, the backend Python code cannot do anything sketchy with your Facebook data since nothing is done using Facebook's API. And you have my word that I am doing my best to deploy to AppEngine after modifications are made in GitHub. I'm even considering putting up a postcommit hook when I have time.
This is great, but two things that I would really like to know about my privacy on Facebook are 1) which photos I'm tagged in that are publicly visible (even if I have elected not to display tagged photos to friends), and 2) which wall posts are accidentally tagged as everyone.
Those photos are indexed by Google and contain my name, even if I have chosen not to share photos I've been tagged in. I want to be able to see the list of public ones so that I can manually untag myself. Similarly, it would take too long for someone with thousands of wall posts to find the ones that might have accidentally been set to "everyone".
I think that it might have been better to wait until these were included before officially launching the tool, because the photo issue affects almost everyone on Facebook, and if people use this tool and everything checks out ok, they probably won't return again if you update it later.
I completely agree with you about photo privacy, and I was hoping to keep it soft-launched while I added photo and wall-post privacy checks (my free time is limited). Lifehacker and RWW wrote about it this morning though, so not much of a choice.
Facebook is constantly changing this stuff though, so I'm hoping that the Facebook page and Twitter announcements will keep people up-to-date and re-running new privacy checks.
Source code is open, think you might have free time to help add some of those checks in tonight?
I shared this on my wall and encouraged my friends to try it, and got a few responses that might be useful feedback for you as you improve it.
Basically, it was too hard to use. :-) I had to post very simple, step-by-step instructions as a comment to walk them through it, even down to the "click on the link and hold, then drag the mouse to the toolbar and let go" level. Several of them also didn't realize you needed to be on facebook.com to use it -- they tried just clicking the bookmarklet link on the original page.
The kind of people who can most benefit from a tool like this -- i.e., not the elite geeks who probably already have awareness of FB's privacy issues and how to address them -- need extremely straightforward, "don't-make-me-think" instructions to gain value from it.
These people aren't stupid -- they just don't have the same intelligences we have or assume others to have.
yea I had the same sense - thanks for that feedback. Maybe a screencast? I don't have much time to do a screencast at the moment, but if anybody makes one I will gladly post it up :)
also, a lesson: enable capacity billing on your AppEngine account ahead of time, you never know when you're going to wake up in the morning and find out somebody launched your project :)
luckily AppEngine made it really easy to spring back, so it should be fine now (hopefully donations cover costs)
I'm happy to donate money towards hosting costs; any intention of posting those numbers? (assuming you're not launching this as a money making venture).
right now I'm not sure what the numbers will be - AppEngine's estimate is currently fluctuating a lot because of the big traffic draw.
Haven't decided about other things that might make money in the future (maybe a Diaspora node?), but I fully intend to leave the current Javascript scanning functionality open and free :)
I tested setting all my contact information privileges to Everyone and then re-ran the scanner, and it still claimed that my settings were good, which doesn't seem right. Might want to look into that, since I think a lot of people would tweak a setting, re-run the scanner, and see how it changed.
I'd also suggest that you post a human-readable list of the assumptions that the tool makes, since providing source code isn't particularly user-friendly for non-programmers.
Nice work. If you don't want to drag a bookmark into your browser then check out this FB privacy checker: http://www.rabidgremlin.com/fbprivacy which I created over the weekend...
I can't help but think that this is completely ass backward. If you are worried about your privacy, close your FB account.
Facebook is not a necessity or a utility, it's still just a free service. I disabled my account years ago for privacy reasons. Unsurprisingly, I haven't lost a single connection or friendship that mattered to me. Facebook is not what facilitates relationships, its people. I'm really baffled by the extent to which people go to stick with this service when they clearly are concerned about what FB is doing to their privacy.
If you are serious about people getting to use it, consider putting the source directly on the site, along with comments suitable for the layman. I'm sharing this link and having people say "But what if it steals my info!" and while I can tell them it's open source and they can look at the code themselves, that's not something the majority of my friends can do.
Used it earlier and got the link from someplace other than here. Great tool, useful and should be great for people to use and help others with it as well. I'd been wary of Facebook's wacky features before all of the hoopla began, so I didn't have to change much but...I know lots of folks who just won't think about it. Well designed and easy to view, too.
I see friends' settings reported as insecure, and then asked the application to fix that, but those settings are still reported as insecure. Some more documentation on what that's about would be interesting to me.
Thanks for the great external links on your site. A very interesting application that I immediately told all my Facebook friends about.
My page view may be nonstandard, because I zoom in on most pages to favor my presbyopia. I don't see the link "(left of 'fix this')" to which you refer, and would appreciate tips on what manual changes to make in my own Facebook settings. Once you update that on your website documentation, I'll be sure to deep-link my friends to those same tips. Thanks.
P.S. Friendly general advice for web developers who use JavaScript elements that display on webpages: TEST those for users who have different font size settings or zoom settings to favor their own vision issues, lest links or other elements of your design overlap and become unreadable.
Lovely idea! That said, it failed on 'Instant Personalization' and 'Friends Share'--- spotted the problems displayed the fixing message, then the scanning message only to revert to the warning message...perhaps some sort of info on how to do it by hand if the attempted fix fails?
The pledgie tool is either v e r y slow or misbehaving; it shows 0 pledges even though there are believable comments that there are more than that. pledgie took my e-mail address, but I haven't gotten anything from them yet.
I just figured they wouldn't appreciate it because it 'harvests' data from facebook... in the same way they didn't like that firefox extension that converted the email address images into plain text.
It's a bookmarklet though, which means it's all client side javascript, which will make it pretty hard to block. It's basically a greasemonkey extension, and if you look at all the GM extensions available on userscripts.org, there are some that do pretty crazy things and are usually updated on the same day the site owner changes something that causes the script to break.
would it be long before facebook comes out with their privacy-blocking tool.
They may be anticipating many tools with these features, so doing accordingly?
as a thought game; I foresee facebook coming up with their claim-n-search-your-privacy app, which they would use to strengthen the privacy game. :)
Shall I just make a german version of the whole thing (the strings humans see, not the debug stuff) or do you plan for internationalisation (argh, what's the word) support? Don't do it just because I might do a translation, sometimes I lose interest in things. ;)
edit: It's mostly the htmlContent array and lines with the word "message" in them, correct? I don't know Javascript.
yes, that is pretty much all of the content. Probably easiest to copy it into a variable called "htmlContentInGerman" or something, and then translate it. I'll figure out how to switch languages later on. Thanks for helping!
I also checked out this link on your homepage: http://finance.yahoo.com/family-home/article/109538/7-things...
It says leaving your full birth date is not recommended (identity theft). So I went to the info page and clicked "edit information" but instead of having edit boxes on the Info page facebook recommends me to convert are my movies, music, colleges itc. into a pages (so they can track it better.. or make it more unified?). It's very hard to navigate away from that page (for a normal user anyway) and when you select nothing and click save they threaten you there's going to be none of the information in those sections on your profile (wow! now I'm scared!). Seriously --- it's becoming worse and worse, how can they be so disrespectful to their users, how can they not fear losing them??