This story was updated at 4:20 p.m. on Tuesday, Sept. 27.
That new real-time ticker in the corner of your Facebook page seems innocent enough — hey, look, your cousin posted a picture of her puppy!
But listen closely and you could hear the sound of a massive privacy invasion.
Tick, tick, tick
Introduced last week, the ticker announces what your friends — and friends of friends — are doing in real time. Every article they read, every song they listen to, every wall post and picture comment and status update — when they share it, you hear about it.
The ticker gives Facebook's hundreds of millions of users up-to-the-second access to the personal lives of their contacts. To Graham Cluley, senior technology consultant from the security firm Sophos, that's an invitation to disaster.
In a blog post, Cluley said the ticker allows for "enforced eavesdropping," enabling users to see conversations between people that aren't in their friends list.
"The ticker has just made it much easier to eavesdrop on what were probably intended to be more private conversations," he wrote.
Watch what you read and listen to
The ticker isn't the only culprit butting its way into what you choose to share on Facebook.
Facebook also introduced third-party media sharing, or "social," apps that let users share the articles they've just read, or the music they've just listened to, with their friends. The tech website ReadWriteWeb looked at two in particular, the Washington Post Social Reader and The Guardian's Facebook app, and found that, while they do as advertised, the way they do so is a little sneaky.
Both apps, ReadWriteWeb's Richard McManus found out, immediately and automatically update your profile to show that you've read an article, even if you've only clicked on it.
"That could potentially cause you embarrassment and it will certainly add greatly to the noise of your Facebook experience," McManus wrote.
Think of it this way: if you're reading today's Washington Post article about Supreme Court Justice Elena Kagan, you'd probably have no problem letting your Facebook friends know. But what if you just read 27 articles on Justin Bieber and Selena Gomez, or something decidedly less PG? Would you want your hundreds of contacts to see?
The music-streaming website Spotify has also joined forces with Facebook, and guess what? Every song you listen to through Spotify's Facebook app is immediately broadcast to your network. Thankfully, Facebook doesn't have total access over the entire world of entertainment; Wired reported that unlike Spotify, Facebook, due to a 1988 federal law, is prohibited from sharing the Netflix rental information of its U.S. users. So your repeated rentals of "7th Heaven" or, again, something less PG, are safe.
Keep your private information private
These potential privacy infringements, Cluley wrote, are "the result of the lax or non-existing settings of your friends."
To help keep the entire world of Facebook from knowing what you're up to every second, Cluley suggests creating lists to decide who has access to your different posts, restricting your privacy settings to "Friends" only and disabling the "Friends of friends" setting.
"Inform strangers or the connecting friend when strangers show up in your feed," Cluley said. "It is their settings that made them show up. This will illustrate to them why they need to change their settings."
And Cluley threw in a final piece of advice that is especially pertinent to the oversharing issue, but should always be followed: "Next time you leave a comment on someone else's Facebook post, don't say something that you may later regret."
Is Facebook tracking you after you log out?
An independent researcher claims he has proof that even after you log out, Facebook still tracks the websites you visit.
Facebook, however, struck quickly to deny Cubrilovic's claim. The first response to his blog post is from Gregg Stefancik, a Facebook engineer, who wrote that Facebook has "no interest in tracking people," and that Cubrilovic's assertion that the social network does so after users log out is false.
"Our cookies aren't used for tracking," Stefancik wrote. "They just aren't." The logged-out cookies, he explained, are used "for safety and security protections" such as identifying phishing scams and helping people recover hacked accounts.
Facebook did not return an email from SecurityNewsDaily seeking comment.
UPDATE: Cubrilovic on Tuesday posted an update in which he said that Facebook had admitted to him that one cookie — the "a_user" that identifies each unique Facebook member — should not have survived user logout from the social network, and was being fixed so that it would no longer do so.
"What you see in your browser is largely typical, except a_user which is less common and should be cleared upon logout (it is set on some photo upload pages)," an unnamed Facebook staffer was quoted as telling Cubrilovic. "There is a bug where a_user was not cleared on logout. We will be fixing that today."
After reading Cubrilovic's latest posting, ZDNet reporter Emil Protalinski got a grudging confirmation from an unnamed Facebook representative that Cubrilovic's account was factual.
(Cubrilovic also created a fascinating table showing which Facebook cookies expire when, if ever.)
Cubrilovic accepted Facebook's assurances that the other long-lived cookies, some of which set values for preferred language and screen resolution, were benign.
"I would still recommend that users clear cookies or use a separate browser [for non-Facebook Web use], though," Cubrilovic wrote. "I believe Facebook when they describe what these cookies are used for, but that is not a reason to be complacent on privacy issues and to take initiative in remaining safe."
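The logout bug described above, where the identifying a_user cookie was not cleared when the user logged out, is something a site operator can check for by replaying the logout response's Set-Cookie headers against the cookie jar. The following is an added example, not code from Facebook or from Cubrilovic; every cookie name other than a_user, and every value, is constructed for illustration.

```javascript
// Added example: cookie names other than a_user, and all values, are constructed.
// Simplification: Domain and Path matching are ignored; a real browser only
// deletes a cookie when the clearing header matches both.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  let expires = null; // null means a session cookie with no explicit lifetime
  let maxAge = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    if (i < 0) continue; // flag attributes (Secure, HttpOnly) do not affect lifetime
    const key = attr.slice(0, i).toLowerCase();
    const val = attr.slice(i + 1);
    if (key === "expires") expires = new Date(val);
    if (key === "max-age") maxAge = parseInt(val, 10);
  }
  // RFC 6265: Max-Age takes precedence over Expires when both are present.
  if (maxAge !== null && !Number.isNaN(maxAge)) {
    expires = new Date(now.getTime() + maxAge * 1000);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), expires };
}

// Apply the logout response to a copy of the jar and report what is left.
function auditLogout(jarBefore, logoutHeaders, identifying, now) {
  const jar = new Map(jarBefore);
  for (const header of logoutHeaders) {
    const c = parseSetCookie(header, now);
    if (c.expires !== null && c.expires <= now) jar.delete(c.name); // cleared
    else jar.set(c.name, c);
  }
  const survivors = [...jar.keys()].sort();
  return { survivors, identifyingSurvivors: survivors.filter((n) => identifying.has(n)) };
}

const NOW = new Date("2011-09-27T20:20:00Z");
const JAR_BEFORE = new Map([
  ["session_token", { value: "constructed-session", expires: null }],
  ["a_user", { value: "constructed-member-id", expires: new Date("2013-09-27T00:00:00Z") }],
  ["lang_pref", { value: "en_US", expires: new Date("2013-09-27T00:00:00Z") }],
]);
// Logout response that clears the session but forgets a_user (the reported bug).
const BUGGY_LOGOUT = ["session_token=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/"];
// Corrected response that also expires a_user.
const FIXED_LOGOUT = [...BUGGY_LOGOUT, "a_user=deleted; Max-Age=0; Path=/"];
const IDENTIFYING = new Set(["session_token", "a_user"]);

console.log("buggy:", auditLogout(JAR_BEFORE, BUGGY_LOGOUT, IDENTIFYING, NOW));
console.log("fixed:", auditLogout(JAR_BEFORE, FIXED_LOGOUT, IDENTIFYING, NOW));
```

A non-empty identifyingSurvivors list after logout is the condition to alert on; a surviving preference cookie such as the constructed lang_pref is expected.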