Facebook may be making strides in some areas of privacy, but the company is still struggling when it comes to deleting user photos—or not deleting them, as the case may be.
We wrote a piece more than a year ago examining whether photos really disappear from social network servers when you delete them, and found that Facebook was one of the worst offenders when it came to leaving “deleted” photos online. We decided to revisit the issue recently when readers continued to point out that our deleted photos from that article were still online more than 16 months later. Indeed, this old photo of me remains on Facebook’s content delivery network (CDN) servers, despite being deleted on May 21, 2009.
When we originally inquired with Facebook in 2009 about this, the company tried to tell us that deleted images were inaccessible even though they were on the server (a statement that’s obviously false if you have a direct link to the image file, as we do). Simultaneously, Facebook told Ars that it was “working with” its CDN partner to “significantly reduce the amount of time that backup copies persist.”
The company, it turns out, is mostly sticking to that party line. “For all practical purposes, the photo no longer exists, and we wouldn’t be able find it if we were asked or even compelled to do so,” Facebook spokesperson Simon Axten told Ars via e-mail this week. “This is similar to what happens when you delete information from the hard drive of your computer.”
Facebook does acknowledge now that the photos are technically accessible by some people, but basically repeats the line about working with the CDN. “It’s possible that someone who previously had access to a photo and saved the direct URL from our content delivery network partner could still access the photo,” Axten said. “However, again, the person would have to know the URL, and the photo only exists in the CDN’s cache for a limited amount of time. We’re working with the CDN to reduce the amount of time that the photo remains in its cache.”
It seems we haven’t quite found the limits of that “limited amount of time” just yet—after all, 16 months is quite a while. The other social networks in our original report have all removed our images from their servers by now, and Facebook is the lone holdout.
We’ll keep checking up with Facebook to see if and when the situation gets improved, but in the meantime, we’re sticking with our original party line too: if you don’t want to give your enemies blackmail material, don’t upload questionable photos in the first place. If you’ve already uploaded such photos and tried to delete them, then keep your fingers crossed that no one has the direct URLs saved somewhere.
Update (Oct. 12): After widespread coverage of this particular problem, Facebook has apparently removed my “deleted” photo from its CDN server. However, as far as we’re aware, this problem is still in place for all other Facebook users who don’t have the privilege of drawing widespread attention to the problem like we do. I’ve deleted another couple of photos from my Facebook profile in order to keep watching the issue.
Update 2: Ars reader Andrew Bourke e-mailed to say that a family member uploaded a semi-nude photo of his son and then deleted it more than 2.5 years ago (we agreed not to link it directly for privacy reasons). The photo still remains on Facebook’s CDN servers today, despite repeated requests to Facebook to have the photo removed. Another reader named Filippo e-mailed to say that he deleted this photo in April of 2009, which also remains on the servers today.
Update 3: Facebook spokesperson Simon Axten checked back in with us after our latest updates above and said that the company is actively working with its CDN on this issue. “We’re currently working with the CDN on a fix that will delete photo and video content from the CDN’s cache shortly after it’s removed on Facebook,” Axten said. “The fix is already in place for videos, and we hope to implement it for profile pictures and photos in the coming weeks.”
Source: Ars Technica