Feeding, Facebook and privacy
Both here and, err, down the boozer, Andy and I have been critical of Facebook's failure to provide feeds "out" from Facebook, so that content created within Facebook can be "piped in to" other applications. Paul Walk, tipped off by Brian, points to a post by Dave Winer highlighting that Fb is indeed starting to provide some RSS feeds of Fb content. This seems to be happening quite quietly - at least I haven't seen any formal announcements about it from Fb, though I could quite easily have missed something. (Edit: Hmm, yes, I did!)
So, for example, you can obtain Fb feeds of:
- your notifications
- your friends' status updates
- your friends' posted items
The existence of these feeds isn't as visible as it might be (Dave Winer provides some helpful screenshots): AFAICT Fb isn't currently providing support for feed "auto-discovery" via the HTML link element, so, e.g., my browser doesn't signal the existence of the feed with an icon in the address bar, which is the indicator of feed availability that I usually look out for while browsing. But the feeds are there, and this has to be seen as a Good Thing in terms of Fb "opening up" and supporting the aggregation of its content as well as taking advantage of the capacity to aggregate external content.
However, Paul goes on to highlight that the availability of these feeds creates a potential challenge for the Fb privacy model:
The default privacy setting for most of the content a user can add to Facebook appears to be “All my networks and all my friends”. This is the most ‘open’ of the settings possible - there is no ‘public’ or ‘absolutely everyone’ setting. So when one of my friends changes their status message for example they might, if they care at all, be under the impression that this can only be viewed by their friends (including me) and people in their network(s). If I then go and publish the feed URL to the world, this information is now available without restriction.
Have I betrayed the trust of my ‘friends’ by making such an RSS feed available? Is this model broken?
Within Fb, I tend to control reasonably tightly who gets to read my content on the Fb Web site i.e. in the HTML pages generated by Fb, and I typically limit access to the people with whom I am "friends" (though in my case, TBH, that content doesn't amount to much more than irregular flippant status updates and trivial posts on my friends' "walls"!)
Access to the Fb RSS feeds, however, seems to be controlled by the presence of a "key" which is embedded in the feed URI: as soon as you disclose a URI including that "key", then (I think?) anyone can read your feed. A quick search of the Bloglines aggregator (try a search for the word "Facebook" in "Search for Feeds") reveals that a substantial number of these feeds have been registered with the Bloglines aggregator (because, quite naturally, people want to read their Fb feeds via their usual RSS reader) and that they are now accessible to anyone. From a quick skim of some of the content, I suspect that the owners may not be aware of the consequences of their action!
It seems to me it's Fb's choice of "authentication" which may be the problem here (perhaps coupled with the lack of a warning to users of the consequences of making the feed URI available?). Would it not be better for Fb to implement HTTP authentication for the feeds? I think many RSS readers now have some level of support for HTTP authentication. But, yes, that still relies on users not publishing their credentials to the world in the form of URIs like
http://[myusername]:[mypassword]@[domain]/[path] (and on other services like Bloglines not disclosing them either, obviously). For discussions of the more general issue of feed privacy/authentication, see e.g. the posts by Jon Udell here and Niall Kennedy here.
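As an added example (not part of the original post, and not Facebook's or Bloglines' code), the following check audits a list of feed URLs before they are shared or registered with a public aggregator, flagging both patterns discussed above: a secret "key" in the query string and credentials in the userinfo part of the URI. The parameter names in SECRET_PARAMS and the example.invalid URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names of query parameters that act as access secrets. The post only
# says a "key" is embedded in the feed URI; the other names are illustrative.
SECRET_PARAMS = {"key", "token", "auth", "secret"}


def audit_feed_url(url):
    """Return (redacted_url, findings) for a single feed URL."""
    parts = urlsplit(url)
    findings = []

    # Pattern 1: http://user:password@host/path
    netloc = parts.netloc
    if parts.username is not None or parts.password is not None:
        findings.append("credentials in userinfo")
        netloc = netloc.rpartition("@")[2]  # keep host[:port] only

    # Pattern 2: a secret carried as a query parameter (a "capability URL")
    query = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS and value:
            findings.append(f"secret query parameter '{name}'")
            value = "REDACTED"
        query.append((name, value))

    redacted = urlunsplit(
        (parts.scheme, netloc, parts.path, urlencode(query), parts.fragment)
    )
    return redacted, findings


# Constructed sample subscription list (not real feeds).
SAMPLE_FEEDS = [
    "http://feeds.example.invalid/status.php?id=1001&key=3f9a7c21d0&format=rss20",
    "http://alice:hunter2@feeds.example.invalid/private/notes.rss",
    "https://blog.example.invalid/atom.xml",
]

if __name__ == "__main__":
    for feed in SAMPLE_FEEDS:
        safe_url, problems = audit_feed_url(feed)
        status = "LEAK" if problems else "OK  "
        print(status, safe_url, "; ".join(problems))
```

Only the redacted form is safe to paste into a blog post, an OPML export or a public aggregator; the original URL should be treated like a password.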