Facebook Places Privacy Falls Short: Non-Authorized Check-Ins by Friends are Visible

[Readers might be interested in my follow-up post: Facebook Places Privacy Falls Short, Part 2: Opting-Out]

Facebook has finally launched its location-based service: Places. Places allows Facebook users to “check in” wherever they are (or pretend to be) using a mobile device, and let’s their friends know where they are at the moment.

Facebook has tried to do a better job addressing privacy with Places compared to previous launches of new “features”. Particularly, Facebook brags that “no location information is associated with a person unless he or she explicitly chooses to become part of location sharing. No one can be checked in to a location without their explicit permission.”

And while many applaud Facebook for the design of Places (the best design decision, perhaps, was to make check-ins visible to friends only by default, rather than everyone), there are some serious ways in which Facebook has fallen short in fully protecting user’s locational privacy.

The folks at EPIC, EFF, and DotRights have each done a good job outlining the primary concerns, and I don’t want to repeat them all here.

But as I’ve played around with the service, I’ve uncovered a problem with Facebook’s assertion that “no one can be checked in to a location without their explicit permission.”

While Places is largely an opt-in service — one needs to install and use it on a mobile device — anyone can be “checked-in” to any place by a friend. This can happen regardless of whether you use the service yourself. If you get checked into a place by someone, and you haven’t already authorized the service or these kinds of check-ins, you’ll receive an email asking if you want to allow check-ins by friends. Below is an email received by my wife when I tagged her as joining me at a local liquor store.

Given Facebook’s assertion that “No one can be checked in to a location without their explicit permission,” presumably my wife won’t be checked into this location until she clicks “Allow Check-ins” on this alert message.

She didn’t click, and hasn’t made any other changes to any of her Facebook settings. Yet, if any of my friends look at my Facebook feed, they’ll see the status update of my check-in at the liquor store, with my wife’s name there with me:

And her name also appears with my check-in on the location’s page automatically generated by the Places service:

So, where does this leave us?  My wife has not authorized me (or anyone) to check her into places. She doesn’t use the service. In fact, she wasn’t even at the liquor store at all.

Yet, I was able to tag her in my check-in, and all my friends now see her name linked with my check-in as if she was there. Granted, the check-in does not show up in her news feed, but it is there in mine, and I suspect if I had my privacy settings set to “Everyone”, then everyone would see my wife’s name as being checked into the liquor store.

UPDATE: I’ve tested having my settings on Everyone, and then looking at my feed from a dummy account I have (yeah, violating the TOS, I know). Here’s the screenshot confirming my wife’s name is visible alongside mine to the entire universe:

Recall Facebook’s claim that “no location information is associated with a person unless he or she explicitly chooses to become part of location sharing. No one can be checked in to a location without their explicit permission.” My wife did not explicitly choose to become part of location sharing. She did not give any explicit permission to be associated with this location. Yet, there her name is, and anyone viewing my feed can now associate her with being at this location. It is unknown whether this association between her name/account and this location is logged within Facebooks databanks, and thereby available to be shared with marketers, handed over to law enforcement, etc.

This is a serious problem. Names and linked user accounts should not be associated — in any way — with a particular location unless they explicitly consent to it. Facebook needs to listen to its own rhetoric and make the necessary changes to protect user’s locational privacy. I should not be allowed to tag someone in a check-in unless they’ve taken the positive step of authorizing check-ins from friends. Locational privacy needs to be fully opt-in, not opt-out.

[I haven’t yet checked to see if my wife’s name will disappear from this existing check-in if she takes the affirmative step to disallow friends from checking her into place. I’ll post an update once that happens] See this post where I detail the steps it took for my wife to opt-out, and that her attachment to this particular check-in remained.

UPDATE: TechCrunch just posted a similar discovery, and they don’t seem all that worried about it, noting that “Facebook treats this as if you were tagged in a basic status update.” But there’s a meaningful difference between simply being tagged in a status update, and having your location unknowingly disclosed in a status update. And this is the critical issue that Facebook again has misunderstood: tagging someone’s geographic location is not something to be treated like every other Facebook activity.

UPDATE: There’s been assorted media coverage of my discovery and our subsequent discussion: MSNBC.com, MediaPost, SC Magazine, CBC News.

[Readers might be interested in my follow-up post: Facebook Places Privacy Falls Short, Part 2: Opting-Out]


  1. Prof. Zimmer,

    Thanks for your attention to Facebook Places. As with many new technology services, there has been some confusion about how Places works exactly. We’re adding new materials to the site to explain things more (here is a video that was just posted: http://www.facebook.com/video/video.php?v=697692691093) and we appreciate your help in that effort.

    Generally, people have always been able to tell others where they’ve seen friends. If I see friend A at the mall, I may tell friends B and C of that fact in a face to face conversation, letters, phone conversations, email, blog or, more recently, through Facebook, MySpace or Twitter. Other than the social norms that have developed over this sharing, there aren’t any checks that require me to have friend A’s permission to tell others or to even verify that I did see them at the mall.

    We wanted to mimic these real world interactions. That’s why you have always been able to mention where you’ve seen or been with friends on Facebook. Many, many people have done this. Initially, you could just name the person and, about a year ago, we launched status tagging (http://blog.facebook.com/blog.php?post=109765592130), which enables you to link that mention to a friend—and only a friend’s—profile. It was observing this behavior in status updates (e.g. “Saw a great game at AT&T park with @John Smith”), that prompted us to develop Places. What’s new about Places is not mentioning you or your friends’ location, it’s associating you and them with a Place.

    Thus, you are correct that you can mention your wife’s location to your friends through Places. Again, you have always been able to do that. However, she is not checked-in. You can never be checked into anywhere without actively allowing friends to check you in. In your example, your wife is not associated with that Place in any way that is different than if you had @mentioned her in a status update saying, for example, “@my wife and I are at Fenway Park”. The only differences are actually the extra protections we’ve associated with the newsfeed stories related to Places. When you have neither allowed nor disallowed friends to check you in, stories where your friends check-in and @mention you don’t appear on your profile, as you noted, until you allow it. Further, these stories are defaulted to only friends of the person who has checked in.

    I saw that you showed your wife in the Recent Activity part of the place page even though she hadn’t approved the tag. Recent Activity is basically an amalgamation of all the newsfeed stories a particular person has the permission to see, as related to a particular place. It is as if I went back into the newsfeeds of my friends and gathered all the stories related to Fenway Park. The visibility of those stories doesn’t change just because they are displaying to you on the Place page instead of your newsfeed. The recent activity section will look different to every single one of the 500 million people on Facebook, as it is governed by the unique set of permissions given and granted to any one individual. In your example where your wife has not approved the tag, you are seeing the post there because you have permission to see your posts. However, anyone who is not your friend—even if they are your wife’s friend—would not see that post anywhere on the place page.

    In addition, there are a number of protections built into location tagging that weren’t available in the previous mentioning or status tagging—and certainly not available in the other pre-Facebook methods to mention the location of others. Specifically, only confirmed friends can try to tag you (this check has worked well in status tagging), we provide additional notifications of tags, you can remove the tag from the web or phone (you cannot remove a status tag), the tagger must be checked-in (they also have to let their friends know they are at a questionable place), the tagger must be at that physical location (I can’t check in to a questionable place from across town and then try to tag you there), and, finally, you can turn off location tagging completely. If you disable friends from checking you into places, then they cannot tag you in any way through the places product. Again, this represents a further protection that we built into Places as you can’t turn off status tagging.

    Finally, I think it’s important to reiterate that we don’t share check-ins, tags or any Facebook information with advertisers or sell this information to anyone.

    Again, we appreciate your help in explaining things. Let me know if you have additional questions or if you’d like to talk through any of this live.


    Barry Schnitt
    Director, Policy Communications

  2. Sounds like FB again may not fully understand the typical user. The user-experience and adaptation rate will be hurt because FB does not understand that location tags are a completely different beast than status update tags. The perception that a location tag creates far outweighs a word-of-mouth conversation or status update tag. Many users are being exposed to LBSs for the first time and any muddling of the technology or its implementation is a real disservice. It’s good that FB at least defaulted to ‘Friends Only’ but obviously users are going to see the holes and potential harm in FB’s official stance.

  3. Hard to see a location check-in as very different from a typed update which identifies a second person at a location, considering Michael’s wife’s presence in this location update was his own word-of-mouth inclusion. Facebook notes this inclusion exactly as it would an @ mention, but does not independently check her in based on Michael’s word alone. It simply shares with Michael’s friends what Michael knowingly expressed. Sounds right to me.

    Remember, status messages already have timestamps. Named second persons already link. Place names already feature in electronic maps, not to mention the collective consciousness. And – brace for this one – inhabitants of this planet can and do speak of each other without permission.

  4. Agreed that ‘technically’ the two types of tags are very similar in function. However, the perception is VERY different. Those of us who have been around the LBS block understand the differences but the user-experience should not be designed solely with that in mind. Those who are new to this feature will have a general expectation (one based more on common sense rather than technicalities) on when their username should be included in a location tag. The common interpretation of a location tag will be that a username tagged in a check-in post will mean that user was also at that location. It carries more weight than just a status update or photo tag and with greater implications. Location is a sensitive subject that Facebook understands to some degree based on their added notifications and privacy settings. However, their implementation fails to recognize how a typical user will interpret location tags and how much more viral they can be than a word-of-mouth conversation. Status update tags can be applied in any context but location tags have an implied meaning tied to a location. They can reach far more sets of eyes. If my name is tagged in a status update, it can mean anything. If my name is tagged in a location, it carries the implied meaning that I was at that location. More eyes will focus on that implied definition than on what a status update tag ‘could’ mean. Actually FB makes it explicit with the way that the check-in tag is worded.

  5. Agreed that perception trumps technicality. No doubt there will be plenty of clashing perceptions around location tags, most of all because they surface as a new kind of mediated expression. It calls to mind early Like misgivings, and the semantic differences between clicking it and replying “I like this”.

    At bottom, though, location tags are still fallible, voluntary expressions with motivations largely bound to how people talk about places and activities. Typing “having fun with [person] at [location]” reveals no more or less than pinning two avatars on a map widget. That words have far wider expressive capacity than map widgets is not a case for restricting map widgets where we wouldn’t restrict words.

    If a service misrepresents what somebody shares, or attributes it to the wrong source, or broadcasts it further than anyone intended, or compels oversharing, that’s bad. But with Places I have yet to see evidence of facebook doing those things. Even after a lot of squinting.

  6. Thanks, everyone, for this helpful dialogue. Generally, I agree with teaneedz’s point that location tagging is inherently different than “normal” status tagging. It implies more accuracy, and allows for more precision.
    Barry Schnitt is also correct when he notes above that users often tag others in their status updates, referencing a shared presence at a location. But with Places, there’s now an official and automated means of sharing someone’s location, where users can now be systematically linked to a specific set of coordinates and potentially logged into a database. That’s the additional concern Places brings, and what should bring additional care.
    In the end, my primary criticism is that Facebook’s insistence that “No one can be checked in to a location without their explicit permission” isn’t a fully accurate statement. The fact that unauthorized check-ins don’t appear in the person’s own news feed is helpful, but not sufficient to eliminate concerns over unauthorized disclosures.

  7. I am not sure what the difference is between tagging someone with Places and saying you are somewhere with someone in a status update. It seems to me it is the same thing and we should be equally concerned with both.

  8. I understand and agree with the point that automated location information is different from simple status updates, primarily because of the easier potential for data-mining and subsequent use. However, I do not worry that much about it because the technology and information are somewhat self-limiting. I offer two analogies: First, take wikipedia which still suffers severely in terms of credibility because of early abilities to manipulate entries. A relatively few isolated incidents of patent falsehoods and joke-entries quickly crushed the credibility and worth of all entries. Despite years of studies validating the credibility of wikipedia as a whole, the site is still mocked as a research resource. This same situation could play out with FB Places. It would only take a few incidents where someone attempts to rely on a Places fact (such as an employer) to the detriment of another (such as employee) and is exposed for falsely/carelessly using Places information, before the public generally disregards Places information as lacking credibility altogether.
    The second analogy, albeit much more morbid, applies to mass information like Places, or google searches generally: nuclear weapons. Their extreme usefulness renders them effectively useless. Once one is used, the whole jig is up so why use it in the first place. Large compilations of ‘private’ data are controlled to some extent in the same way. Once you spend the data once, all the data loses its worth.

  9. @Tim: Thanks for the comment.

    I agree that the quality of data in Places could become compromised. But bad data makes the concerns even worse, because some might still rely on it to make decisions about a person (in personal life, professional life, etc); I don’t think there will be a wholesale debunking of the data, just as my students still rely heavily on Wikipedia.

    Further, Facebook must maintain the appearances that Places-related data maintains full integrity, otherwise the product (and the lucrative location-based advertising that will inevitably derive from it) will fail.

  10. This is truly scary!!! I am in the middle of a seperation/divorce and people need to imagine this cause it could be me and others who go thru exactly this: my husband and I are locked in a divorce battle – we both have mutual family and friends on our lists, big surprise right?!.. What if he posts that I am with him at a liquor store (or worse places)- as he is a proven alchy it is plausible he is there, but what about me? I don’t drink and rarely frequent bars/liquor stores/etc…. And then the question arrises as to who does the driving since my argument is that he drives to get liquor after already consuming. He can use this places tool to make me look complicite in his behaviors in order to downplay my role as a protector of my kids in wanting his rights constrained to disallow him to drive with my children for visitiation! He can lie in posts about me already – sure – but why give him more ability to do harm?! Worse harm?! Things posted on FB and myspace are frequently used as “evidence” in divorces and work related firings and various other legal proceedings. The places feature is going to be accepted more as “proof” or given more credence than a status update posting the same lie, and I for one don’t want anyone given that power- friend, family, friend of friend, etc! This posting of the wife’s location – without her knowledge and consent is HORRIFIC, and can be EXTREMELY hurtful to others. FB should be looking to thier legal reps as to what they will face when an angry mom like me has this stuff used against her in court – goes thru hell to get it proven a lie – and then comes back to sue FB for putting her in that position in the first place!!

  11. Mr. Schnitt’s observation that Facebook is simply taking ‘the next step forward’ in providing locational information already inherently a part of social interactions (telling friends B and C that you saw friend A at the mall) neglects to take into account the very nature of Facebook’s back-end: ostensibly a searchable database of information about individuals, collated by their acquaintances, aggregated in a nice neat format. The difference between telling friends B and C that you saw friend A at the mall and what Facebook is attempting to promote as just the present-day variant of that experience is that friends B and C were likely not compiling a huge database of information about friend A that could either 1) be used and abused by the highest bidder at some future date or 2) cracked into and disseminated all over the internet by nefarious types.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s