Redefining ‘Privacy’ Can Give Users a False Impression of Secrecy

Ryan Broderick, Ryan Mac, and Logan McDonald, Buzzfeed News:

Photos and videos posted to private accounts on Instagram and Facebook aren’t as private as they might seem. They can be accessed, downloaded, and distributed publicly by friends and followers via a stupidly simple work-around.

The hack — which works on Instagram stories as well — requires only a rudimentary understanding of HTML and a browser. It can be done in a handful of clicks. A user simply inspects the images and videos that are being loaded on the page and then pulls out the source URL. This public URL can then be shared with people who are not logged in to Instagram or do not follow that private user.

If you have any familiarity with how the web works, you probably rolled your eyes while reading these paragraphs — I know I did. But despite my reservations about the way this is written — it reads like a parody of infosec reporting — I bet most people have no clue that it is trivial to get the address of any resource. Images need to be hosted somewhere, and protecting those addresses is often more difficult than necessary for social networks.[1]

The problem is not with the way that URLs work. The problem is that social networks continue to abuse the definition of the word “private”, thereby giving users a false sense of safety and secrecy with whatever they post there. Educating users is important, yes, but it is equally important for them to not be lied to by implying that flipping a single toggle switch is enough to make their pictures private to everyone except select users.[2]

  1. Attempting to access an Apple Music .m4a file directly, for example, will result in an error.

  2. Also, it’s crazy that some Instagram settings can only be changed from within a web browser.