Social Media

Facebook private status updates made public by Storify

Private status updates on Facebook by private users and in secret or private groups are never private, especially with the help of Storify.

Private social media updates made public through Storify

Julie Pippert, Founder and Director of Artful Media Group and a known speaker and communications expert, shared with AGBeat how she discovered what she believes to be a flaw in the popular service Storify, one that makes selected private Facebook status updates from personal profiles and from private and secret groups completely public and visible to anyone.

Storify is a free content curation tool wherein users can pull social elements like photos, videos, and status updates from social networks, combining them into one single embeddable widget that is perfect for bloggers and digital publishers, telling the story of an event in its entirety through social reactions. It’s a clever and popular service that brags, “streams flow, but stories last.”

Unfortunately, that has been proven true of private Facebook status updates, no matter a user’s privacy settings, as using the Storify app to grab updates immediately pulls not only the quote from the status update, but the user’s profile picture which is linked to their account, the timestamp of the original status update on Facebook, and the original link.

Below is what a user with the Storify Google Chrome Extension sees on an update I posted in a Secret Facebook Group (note the word “Storify” which is the mechanism that immediately pulls all of the aforementioned data into Storify):

[Image: storify]

When published in Storify, it appears like so (embedded using the Storify code provided by the service):

This is an example taken from a Secret Facebook Group comprised of a handful of very close friends, where we talk about sensitive health issues each of us have, which would obviously be detrimental for the public to see.

Now, if you are not a member of the secret group, you cannot see anything else inside of the group or who the members are, you do not have additional access to other status updates, but my face and name are now associated with a sensitive topic that the public can see, should another group member have innocently pulled the update as they saw it in their timeline, not realizing it was from the group, or simply not thinking Storify would authorize such a move.

Storify users can only pull status updates from people they are connected with socially, but their privacy settings matter not, and they can pull in status updates from private groups to which they belong, and while none of this offers a window into those users’ accounts or into the secret groups, the Storify tool can turn private Facebook updates public, even if only one at a time.

The discovery of the ability to bypass privacy settings

Pippert discovered this bypass through what she calls a “faux pas accident”: she used the Storify app to share a Facebook update from a friend who felt her privacy settings were as private as they could possibly get. Both women were surprised at how easily a private account could become public, even if it was only one status update.

“I felt so terrible about what happened that I started digging and checking,” Pippert said, “and I figured out that although anything can be copied, screen captured or otherwise shared, anyone who installs the Storify app can do it with one click, even if it is marked or otherwise set to be private.”

Pippert explains that she shared a friend’s update about Superstorm Sandy which was very heartwarming, but when she notified her friend, both were alarmed that it could be used publicly, and no matter the content, her friend did not want her name used publicly, which is often the case for executives or government employees whose contracts forbid them from commenting publicly to the press or otherwise.

No notification, reminder, or restriction

Neither Storify nor Facebook offered any notification that the content was in any way restricted or private, and there is no way for users to opt out of their content being shared on Storify, even if that preference is implied by the ultra-private settings on their Facebook account.

“I really like Storify and it is so useful, especially with the Chrome app, for capturing content for my job and topics that matter in my work. It’s incredibly efficient,” said Pippert. But she notes that “End of day, you just have to be prepared to have some of your content used beyond in your little sphere. But the people using it have a responsibility too. What that is isn’t exactly clear in every case. We do all have to be responsible with content we put out through social media, even privately. My friend put out great content that reflected well on her. But she didn’t want her name out there publicly.”

“Storify enabled me to nearly bypass that, against her wishes,” Pippert said. “After we talked, I offered to remove her quote.”

What about private accounts on Twitter?

When a Storify app user clicks “Storify” next to a public Twitter user’s update as a means of adding that update to their Storify stream, the following appears:

[Image: storify]

And when a user attempts to Storify a private user’s update, it doesn’t offer any explanation or notice that you cannot do such a thing on a private user’s account, rather it turns the screen black like so:

[Image: private twitter update]

Secret Facebook Group updates no longer secret

We noticed some major differences between how Storify reacts to private Twitter updates and Facebook updates, with users being able to read Facebook status updates in a Storify stream that would otherwise be private.

If your company has a Secret Facebook Group where you collaborate, your prayer group has a Private Facebook Group where you share personal intentions, or your friends have a Secret Facebook Group to talk about their abusive husbands, all of that is private within Facebook, but Storify grabs the information, and it becomes a Storify update with all of the attached data.

Take note that the embedded status update above has actually been deleted from Facebook, yet you can still see it on Storify. That is troubling. Here is a screenshot in the event someone at either company tweaks something and it disappears.

It’s time to look at the connection between Storify and Facebook

While there is not likely any malice on Storify’s part here, or even on Facebook’s in how it structures data differently than Twitter, it is all too easy to inadvertently share private information with Storify and with Facebook, which is famous for keeping data on its servers even after users delete photos and the like. It’s not in Facebook’s interest to get rid of any data points, as its bread and butter is ad dollars based on aggregated data, and it is not in Storify’s interest to get rid of data points, as they paint an accurate picture of a user’s status update, unfiltered.

Pippert concludes, “It might ultimately be a human problem to solve: capture content from others mindfully and use it thoughtfully, with good communication. Let others know you’re using the content and make sure you are clear to friends your preference about your content being redistributed.”

This is yet another reminder that anything you say anywhere on the web, private or not, is always subject to being shared via third party apps, screenshots, or good old fashioned copy and paste, so never say something online that you wouldn’t say in public, because there really is no such thing as privacy, which is sad and unacceptable, but true.

Regardless of human behavior, the connection between Twitter and Storify proves there are ways to actually protect private information, so it is clearly time to examine the connection between Facebook and Storify.

More reading: Storify Co-Founder implies nothing on Facebook is private

Lani is the Chief Operating Officer at The American Genius - she has co-authored a book, co-founded BASHH and Austin Digital Jobs, and is a seasoned business writer and editorialist with a penchant for the irreverent.

19 Comments

  1. Scott Baradell

    January 18, 2013 at 9:23 am

    Excellent, Lani and Julie!

  2. AmyVernon

    January 18, 2013 at 9:26 am

    So glad you wrote about this and Julie tested it out. It once again shows that nothing you write online is truly private. As Julie rightfully pointed out, anyone could screenshot or otherwise share a post at any time, but it takes extra effort and would have to be done purposefully. But with the way the newsfeed is set up, you could easily Storify something that shows up in your newsfeed, not even realizing it’s not public.

    I don’t blame Storify for this – they’re using the API Facebook gives them. Facebook needs to shore this up.

    • Erika Napoletano

      January 18, 2013 at 9:39 am

      Hear, hear, Amy. Another Facebook privacy issue — when will these be a thing of the past?

    • Julie Pippert

      January 18, 2013 at 4:34 pm

      Yeah, Facebook needs to recognize we’re going to want to use third party apps. I don’t want Storify blocked; I do want better collaboration that lets it be in line with FB settings.

      That’s exactly what happened — I easily Storified something from the newsfeed, not knowing it was not public.

      I learned my lesson and try to be cautious, and I still use and am a fan of Storify. I just want my confidence back in respecting privacy settings.

  3. Burt Herman

    January 18, 2013 at 11:50 am

    Thanks for the post and I very much agree with your conclusion — anything posted online in a way that others can see it could be copied, so you should think carefully what you write online. (Or even in an email, for that matter, that could also be easily copied).

    This isn’t a technology issue as much as an etiquette issue. Now that everyone has the power to easily publish to the whole world, we all need to think about how to use that power.

    • Danny Brown

      January 18, 2013 at 12:01 pm

      Surely the etiquette should be for technology API’s to respect privacy settings and be unable to let users post private group updates, no?

      • Burt Herman

        January 18, 2013 at 2:51 pm

        It’s up to you to decide what to share online, and whether to trust the people who can see what you share.

        • Danny Brown

          January 18, 2013 at 3:56 pm

          Right. And when it’s to me, I choose to be part of a Facebook Group that’s private. So, it should now be up to any technology scraping feeds to recognize and respect private settings. Maybe something for you guys and Facebook to work out…

          • Burt Herman

            January 18, 2013 at 4:20 pm

            We don’t show anything to people who can’t see it already on Facebook. Only other people in that group can see it, so it’s up to you whether you trust them not to share what you post more widely.

          • Danny Brown

            January 18, 2013 at 4:26 pm

            You’re missing the point here, Burt – you are showing it to people who aren’t part of that private Facebook group, because you’re allowing these posts to be shown in a public Storify stream. I trust the people I’m part of a private group with – I don’t trust technology that ignores privacy settings who say “Don’t blame us if we post private stuff because someone in the group shared it.”

            API’s can recognize privacy settings (why do you think social scoring tools primarily have to use public Twitter feeds for their scores versus private conversations and communities?). It’s easy to shift blame, it’s less easy to do the right thing and build technology that filters private settings and blocks sharing. But the reward for any companies doing this is more than worth the effort.

        • Julie Pippert

          January 18, 2013 at 4:29 pm

          Not that simple IMHO. We get used to Facebook restricting us from sharing private content. You can trust people and trust privacy, yet accidentally or innocently share. I learned a lesson the hard way. There’s a point to that.

      • Julie Pippert

        January 18, 2013 at 4:26 pm

        That’s a great point, Danny! The tools do need to respect the privacy settings. We can use caution–such as choosing words wisely, setting privacy, being in private groups, etc. But as in this article, even a really good statement that reflected well on the person was not okay with her to share. She shared it in perceived privacy and public share could have negatively affected her job. Not because she said anything wrong, but because she was not able to make a public statement.

  4. Ike Pigott

    January 18, 2013 at 9:43 pm

    I would enjoy Storify so much more if it had more privacy options of its own.

    For example, it’s a great tool for curating a cross-platform, extended conversation. But what if I want to share that compilation with a limited group? Storify has no “Unlisted” option, like YouTube and Posterous have to great effect.

    Until it has that feature, I can’t afford to use it.

  5. Nick

    January 22, 2013 at 11:58 am

    Is this news? A friend can publish your content with storify or they can take screenshot of your post. Where is the difference?

  6. christof_ff

    January 23, 2013 at 5:45 am

    I don’t get what the problem is – they could just as easily take a screenshot, or publish private printed correspondence.
    Surely the lesson is don’t trust your innermost thoughts with stupid people who are likely to share it with the world??

  7. Edward Cullen

    March 8, 2013 at 12:35 am

    Nice post. I fully agree and am satisfied with your conclusion.

Social Media

Deepfakes can destroy any reputation, company, or country

(MEDIA) Deepfakes have been around for a few years now, but they’re being crafted for nefarious purposes beyond the original porn and humor uses.

Deepfakes — a technology originally used by Reddit perverts who wanted to superimpose their favorite actresses’ faces onto the bodies of porn stars – have come a long way since the original Reddit group was banned.

Deepfakes use artificial intelligence (AI) to create bogus videos by analyzing facial expressions to replace one person’s face and/or voice with another’s.

Using computer technology to synthesize videos isn’t exactly new.

Remember in Forrest Gump, how Tom Hanks kept popping up in the background of footage of important historical events, and got a laugh from President Kennedy? It wasn’t created using AI, but the end result is the same. In other cases, such technology has been used to complete a film when an actor dies during production.

The difference between these examples and the latest deepfake technology is a question of ease and access.

Historically, these altered videos have required a lot of money, patience, and skill. But as computer intelligence has advanced, so too has deepfake technology.

Now the computer does the work instead of the human, making it relatively fast and easy to create a deepfake video. In fact, Stanford created a technology using a standard PC and web cam, as I reported in 2016.

Nowadays, your average Joe can access open source deepfake apps for free. All you need is some images or video of your victim.

While the technology has mostly been used for fun – such as superimposing Nicolas Cage into classic films – deepfakes could and have been used for nefarious purposes.

There is growing concern that deepfakes could be used for political disruption, for example, to smear a politician’s reputation or influence elections.

Legislators in the House and Senate have requested that intelligence agencies report on the issue. The Department of Defense has already commissioned researchers to teach computers to detect deepfakes.

One promising technology developed at the University of Albany analyzes blinking to detect deepfakes, as subjects in the faked videos usually do not blink as often as real humans do. Ironically, in order to teach computers how to detect them, researchers must first create many deepfake videos. It seems that deepfake creators and detectors are locked in a sort of technological arms race.

The falsified videos have the potential to exacerbate the information wars, either by producing false videos, or by calling into question real ones. People are already all too eager to believe conspiracy theories and fake news as it is, and a surge of these faked videos could be created to back up these bogus theories.

Others worry that the existence of deepfake videos could cast doubt on actual, factual videos. Thomas Rid, a professor of strategic studies at Johns Hopkins University, says that deepfakes could lead to “deep denials” – in other words, “the ability to dispute previously uncontested evidence.”

While there have not yet been any publicly documented cases of attempts to influence politics with deepfake videos, people have already been harmed by the faked videos.

Women have been specifically targeted. Celebrities and civilians alike have reported that their likeness has been used to create fake sex videos.

Deepfakes prove that just because you can achieve an impressive technological feat doesn’t always mean you should.

Social Media

Can you legally monitor your employees’ online activities? Kinda

(SOCIAL MEDIA) Are the ways you are monitoring your employees online even legal? Did you know there are illegal methods? Yep.

Edward Snowden’s infamous info leak in 2013 brought to light the scope of surveillance measures, raising questions about legality of monitoring tactics. However, the breach also opened up broader discussion on best practices for protecting sensitive data.

No company wants to end up with a data breach situation on their hands, but businesses need to be careful when implementing monitoring systems to prevent data loss.

Monitoring your employees’ activity online can be a crucial part of safeguarding proprietary data. However, many legal risks are present when implementing data loss prevention (DLP) methods.

DLP tools like keystroke logging, natural language processing, and network traffic monitoring are all subject to federal and state privacy laws. Before putting any DLP solutions in place, companies need to assess privacy impact and legal risks.

First, identify your monitoring needs. Different laws apply to tracking data in transit versus data at rest. Data in transit is any data moving through a network, like sending an email. The Electronic Communications Privacy Act (ECPA) requires consent for tracking any data in transit.

Data at rest is anything relatively immobile, like information stored in a database or archives. Collecting data at rest can fall under the Stored Communications Act (SCA), which typically prohibits unauthorized access or disclosure of electronic communications.

While the SCA does not usually prevent employers from accessing their own systems, monitoring things like Gmail accounts could get messy without proper authorization.

Who you’re tracking matters as well regarding consent and prior notification. If you’re just monitoring your own employees, you may run into disclosure issues. Some states, like Delaware and Connecticut, prohibit employee monitoring without prior notice.

The ECPA also generally prohibits tracking electronic communication, but exceptions are granted for legitimate business purposes so long as consent is obtained.

Monitoring third party communications can get tricky with wiretapping laws. In California and Illinois, all parties must be notified of any tracking. This can involve disclosures on email signatures from outbound employee emails, or a broad notification on the company’s site.

Implied consent comes from third parties continuing communication even with disclaimers present.

If you’re wanting to install DLP software on personal devices used for work, like a company cellphone, you could face a series of fines for not gaining authorization. Incorrect implementation may fall under spyware and computer crime laws.

With any DLP tools and data monitoring, notification and consent are crucial. When planning monitoring, first assess what your privacy needs are, then identify potential risks of implementing any tracking programs.

Define who, where, and why DLP software will apply, and make sure every employee understands the need for tracking. Include consent in employee onboarding, and keep employees updated with changes to your monitoring tactics.

Protecting your company’s data is important, but make sure you’re not unintentionally bending privacy laws with your data loss prevention methods. Regularly check up on your approaches to make sure everything is in compliance with monitoring laws.

Social Media

How to spot if your SEO, PPC, social media marketing service provider is a con-artist

(BUSINESS) When hiring a professional, did you know there are actual questions you can ask to spot a con-artist? Too often, we trust our guts and go with the gregarious person, but too much is on the line to keep doing that with your business.

In this day and age the cult of positive thinking and “the law of attraction” are still very much alive and well in the business services industry. Here are a few simple questions that you can ask prospective business service providers to help you gauge if they are the real deal or just caught up in the fad of “say yes to everything,” or “outsource everything” being populated online by countless “thought leaders” and cult gurus.

Lots of people will ask, “What’s the harm of people trying to make something of themselves?”

Well, I’m here to tell you there is a huge harm in taking risks with a client’s money and manipulating people into trusting their “expertise” when they have none.

Business owners: Due diligence is more important than ever these days.

There are whole communities of people helping to prop each other up as experts in fields they know nothing about while outsourcing their tasks with little or no oversight into the actual work being done on your behalf.

It is nearly impossible for you to tell if this is even going on. Don’t worry. I am here to help you avoid a con-artist.

How? By showing you how to weed out the bad actors by asking really simple questions.

This set of questions is perfect for people who need to distinguish if the expert they are talking to is really just an expert in bullshit with a likeable personality.

Why do these questions work? Because people who are into this kind of stuff are rarely hesitant to talk about it when you ask them direct questions. They believe that what they are doing is a good thing, and so they are more open to sharing this information with you because they think that, by asking, you are also into similar things.

It is a fun little trick I picked up while learning to do consumer polling and political surveying.

The Questions:

  • Who influences you professionally?
  • Do you follow any “thought leaders” “gurus” or coaches? If so, who?
  • What “school” of thought do you ascribe to in your profession, and where do you learn what you know?
  • Are there any industry standards you do not agree with?
  • How do you apply the services you offer to your own company?
  • Can you please tell me the background of your support staff and can I see their CV’s?
  • Do you outsource or white label any of the work your company does?
  • May we audit your process before buying your services?
  • May we discuss your proposed strategies with others in your industry to ensure quality?
  • Would you be open to speaking with an independent consultant that is knowledgeable about your industry about your proposals?
  • Can you show me examples of your past successful jobs?
  • Do you have any industry accepted certifications and how many hours of study do you do in a year to keep your knowledge up-to-date and current?
  • How many clients have you had in the past?
  • How many clients do you have currently?
  • How many clients are you able to handle at one time?
  • How many other clients do you have that are in the same industry as my company?
  • How long is your onboarding process before we start getting down to actually making changes to help solve the issues my company is facing?
  • Can you explain to me the steps you will take to identify my company’s needs?
  • Have you ever taken a course in NLP or any other similar course of study?
  • Have you ever been a part of a Multi-Level Marketing company?

Fun. Right? Well, we aren’t done.

It is not just enough to ask these questions… you have to pay attention to the answers, as well as the WAY they are answering questions.

And you also have to RESEARCH the company after you get your answers to make sure they ring true.

You cannot keep accepting people at face value, not when the risk is to your business, employees, and clients. There is little to no risk for a person who is being dishonest about their capabilities and skill sets. They will walk away with your money, ready to go find another target for a chance meeting that seems amazingly perfect.

Do not leave your business decisions to chance encounters at networking events. Research before saying yes.

No matter how likeable or appealing the person you are speaking with is.

How do you research? Easy. THE INTERNET. Look at the website of the company you are considering working with.

  • Does it look professional? (do not use your website as a standard for professional unless you have had it done by a professional)
  • Can you see a list of their past clients?
  • Do they effectively tell their story as a company or are they just selling?
  • What do their social media profiles look like? Do they have many followers? Are they updated regularly?
  • Do they have any positive reviews on social sites? (Yelp, Facebook, LinkedIn, etc)

You can also do some simple things like running SEO Website Checkers on their websites. There are tons of these online for free and they will give you a pretty good indicator of if they are using best practices on their websites – you can even do this research on their clients’ websites.

Also, if you know anything about SpyFu, you can run their website through that to see how they are doing their own online marketing (the same can be said for their clients if they are selling this service).

Facebook also has a cool section that shows you ads that a Page is running. You can find this info connected to their business Page as well as the Pages they manage for their clients. None of these things automatically disqualify a potential service provider, but their answers to the question of “why” things are the way they are might be very illuminating to you as a business owner.

This may seem like a lot of work, and it can be if you do not do these things regularly and have them down to a system, but the cost of not doing these things is way too high. A con-artist is born every day, thanks to the internet.

You have a right as a business owner considering services from a vendor to ask these questions.

They also have the responsibility as a service provider to answer these questions in a professional manner. Sometimes the way in which they answer the questions is far more important than the actual answer.

If all of this seems too overwhelming for you to handle, that is okay.

  • You can ask one of your staff in your company to take on this role and responsibility.
  • You can hire someone to come in and help you with these decisions (and you can ask them all the same questions as above before taking their services).
  • You can reach out to other business owners in your network to see if they have recommendations for someone who could help you with things.
  • Heck, you can even call up companies that look like they are doing as well as you want to be doing online and ask them who they are using for their services. Try successful companies in other industries as your competitor won’t likely be interested in sharing their secrets with you…

What is important is that you are asking questions, researching, and ultimately making sure that you are doing as much as possible to ensure making the best decision for your company.

Final thoughts:

“But, Jay, what’s wrong with taking a risk on an up-and-comer?”

The answer to that is NOTHING. There is nothing wrong with taking a chance on someone. Someone being green doesn’t make them a con-artist.

The issue I am raising is in the honest portrayal of businesses and their capabilities. It is about honesty.

I am a huge fan of working with people who are new and passionate about an industry. But I only work with people who are honest with me about who they are, what they can do, and how their processes work.

I have worked with tons of people who are still learning on the job. It can be quite educational for a business owner as well.

Just make sure they are being honest about everything up front. You are not obligated to give anyone a chance when it comes to your business’s success, and it’s not right that someone might manipulate you into doing so.
