Those Facebook photos you deleted are still online - three years later

In this era of over-sharing about ourselves and the people we know on social networks, it’s understandable that, from time to time, we end up having to go back to airbrush our social histories a little bit. Sometimes you just need to tighten your privacy controls; sometimes a friend asks you to remove a post that might create more trouble than it’s worth; and sometimes you decide to remove a photo that you think might get you or someone else in hot water.

The vast majority of Facebook users have, at some point, removed a picture from one of their albums for this reason, and when it’s done, it’s not at all unreasonable to imagine that that’s the end of it – the picture is gone from your account and no-one can see it anymore; it’s deleted, dead, gone. But unfortunately, the reality of the situation is quite different.

Facebook photos that you ‘delete’ are indeed removed from your profile, and aren’t linked to from anywhere on the site. But, as Ars Technica revealed, those images aren’t being deleted from Facebook’s servers, and that means that anybody with the direct URL for those images can still access and view them.

Perhaps more damning than the existence of this issue is the fact that Facebook has been aware of it for three years now. In 2009, Facebook responded to comments and complaints by claiming that it was “working with our content delivery network (CDN) partner to significantly reduce the amount of time that backup copies persist”.

Over a year later, nothing had changed. In late 2010, Facebook spokesperson Simon Axten reiterated that the company was “currently working with the CDN on a fix that will delete photo and video content from the CDN’s cache shortly after it’s removed from Facebook. The fix is already in place for videos, and we hope to implement it for profile pictures and photos in the coming weeks.”

Fast forward another sixteen months to the present day, and despite the assurance of a solution “within weeks”, the issue still remains unresolved. Company spokesperson Frederic Wolens stated: “The systems we used for photo storage a few years ago did not always delete images from content delivery networks in a reasonable period of time, even though they were immediately removed from the site.”

He also explained that a new system is in development that will ensure images are permanently expunged from Facebook servers within 45 days of being deleted by a user, adding: “We expect this process to be completed within the next month or two, at which point we will verify the migration is complete and we will disable all the old content.”

Of course, given the company’s previous assurances that they were working on the issue, it’s difficult to take these promises seriously – but we’ll find out in the next few months if Facebook finally sorts out the years-old problem that it’s so far just brushed aside.

Report a problem with article
Previous Story

New Charms bar and Metro wallpaper pattern revealed in leaked Windows 8 shots

Next Story

Windows 8 to feature revamped handwriting support

31 Comments

Commenting is disabled on this article.

Facebook is a data mining company; Everything they do is to collect as much information on you as possible in an organized fashion. What products you like, political affiliations, schools you attended, locations you visit, websites you visit, time lines for these activities, medical info, EVERYTHING. This information is sold to third parties for whatever purposes they deem fit (including to governments for intelligence).

The simple fact is, Facebook deletes NOTHING about you, they simply flag it as "deleted", but they still keep everything you post.
https://www.youtube.com/watch?v=KEC-vk9psTw
Be sure to turn on Captions.

So I guess what I'm saying is, Facebook couldn't care less about your privacy, as long as you keep giving them all your info.

One other concern is why are they keeping this data. We know they didn't delete the photos because of a lack of funds or a failure of technology, they have a good reason for procrastinating and not deleting your photos.... They didn't want to.

Why?

It's not unreasonable to think that perhaps FB is building a visual DB on you to assist them with their facial recognition program.

Hmmm... quit posting pictures you don't want the whole world to see? anyone is free to look at ANYTHING in my profile, I have never posted something I don't want everyone to see. The majority of my albums are actually public. Rule of Thumb: Do not post ANYTHING You don't want the entire world to see. Works well.

CMG_90 said,
meh, I could care less. My profile has been on "friends only" since day one.....

Stupid post. You lack the ability to comprehend.

Unreal. How hard is this to do really? LOL. Seems rather odd that they are having such difficulty with this and I also question these content partners... Who has possession of our photos?

tiagosilva29 said,
Neowin doesn't delete your attachments from their servers.

OMG neowin keeps backup just in case. I'm so surprised ..

In my cie when you delete a file from the network drives it's not really deleted. OMG OMG why ???

3 years may be strechting it but you can't expect FB to delete a file from every place it is stored as soon as you press delete. That would be bad network infratsucture imo.

The link giving you access to a deleted file is big fail though.

http://www.europe-v-facebook.org/EN/en.html

An austrian youth asked Facebook for all the data they have about him and received a file containing 1,222 pages.

http://www.theage.com.au/techn...to-heel-20111027-1mksg.html

Max Schrems wasn't sure what he would get when he asked Facebook to send him a record of his personal data from three years of using the site.

What the 24-year-old Austrian law student didn't expect, though, was 1222 pages of data on a CD. It included chats he had deleted more than a year ago, "pokes" dating back to 2008, invitations to which he had never responded, let alone attended, and hundreds of other details.

Time for an "aha" moment.

In response, Schrems has launched an online campaign aimed at forcing the social media behemoth that has 800 million users to abide by European data privacy laws - something the Palo Alto, California-based company insists it already does.

Yet, since Schrems launched his Europe vs. Facebook website in August, Facebook has increasingly been making overtures not only to Schrems, but to other Europeans concerned about data privacy, including Germany's data security watchdogs.
"Have we done enough in the past to deal with you? No," Facebook's director of European public policy, Richard Allan, testified before a German parliamentary committee on new media. "Will we do more now? Yes."

They don't want to delete those photoss.I hope the new EU policy about personal data will affect how Facebook stores our data.

Well for people like me who are on the fence it makes me more weary towards the service. If a user deletes something and you say its going to be deleted, then I expect it to be gone. Just goes a long way to the whole trust thing which is somewhat important and inherent with these social networks.

Also 3 years...come on, CEO's projected to be worth $28b and you cant afford to hire the ppl to fix this in that time? How seriously can you say you take privacy with stuff like that..

Osiris said,
Well for people like me who are on the fence it makes me more weary towards the service. If a user deletes something and you say its going to be deleted, then I expect it to be gone. Just goes a long way to the whole trust thing which is somewhat important and inherent with these social networks.

Also 3 years...come on, CEO's projected to be worth $28b and you cant afford to hire the ppl to fix this in that time? How seriously can you say you take privacy with stuff like that..

"How seriously can you say you take privacy with stuff like that.."

How dare you use the word privacy in any context when talking about Facebook! There is absolutely no such thing and anyone who thinks different is TOTALLY screwed in the head!

These guys are setting themselves up to self destruct. At least I sure hope so. Get that mess of a s**t site off the net!!

I'm not entirely sure how this is such a big deal? I mean, the only situation I can think of where this would be serious trouble would be if your profile were viewable to all and a company were doing research on you, or a bank was checking on you and your friends to see if they should give you a loan.
But even in those situations, the business/bank would have to have the direct link to that photo, since they wouldn't be able to see it automatically in your profile (assuming that you were smart enough to delete the picture from the profile, which - if you're leaving your profile open for anyone to see - you probably aren't).

I guess the main problem would be if you are identifiable in a photo, but in a circumstance that wouldn't look good to for example a new employer or a new partner, or where one of your kids is in a situation you wouldn't like to see online, for example naked (this last circumstance has actually happened and is brought up in the Ars Technica article).

If someone gets hold of the direct links, which is possible directly in any web browser, these photos can be used for e.g. extortion and you have no easy way to remove them.

This can of course be avoided by simply being more careful about which photos you upload, but the problem is that all photos linger on their servers. Not just your own, but stuff other people than you shoot as well. And they may have far from your intentions. They may not even be your Facebook friends.

It's clearly a problem that I hope gets more attention, since users shouldn't expect photos they delete or ask others to delete still remain, easily linkable. During all these years, the delete message box should have alerted the user that the photo WILL remain on their servers despite deleting it.

Intrinsica said,
I'm not entirely sure how this is such a big deal? I mean, the only situation I can think of where this would be serious trouble would be if your profile were viewable to all and a company were doing research on you, or a bank was checking on you and your friends to see if they should give you a loan.
But even in those situations, the business/bank would have to have the direct link to that photo, since they wouldn't be able to see it automatically in your profile (assuming that you were smart enough to delete the picture from the profile, which - if you're leaving your profile open for anyone to see - you probably aren't).
When you register, it clearly says that every picture uploaded to Fb belong to Fb. They can do whatever they want with it.
The problem is that people are dumb and they think that it will be removed, it will just be archived & Fb will still own a copy.

Northgrove said,
I guess the main problem would be if you are identifiable in a photo, but in a circumstance that wouldn't look good to for example a new employer or a new partner, or where one of your kids is in a situation you wouldn't like to see online, for example naked (this last circumstance has actually happened and is brought up in the Ars Technica article).

If someone gets hold of the direct links, which is possible directly in any web browser, these photos can be used for e.g. extortion and you have no easy way to remove them.


Except that in those circumstances it's too late and the damage has already been done. Someone who finds a compromising photo and makes the decision to use it for extortion would probably have the idea of downloading a copy of the photo to their computer, rather than thinking, "I'll just copy the link and hope my victim doesn't take the picture offline."

Anthonyd said,
When you register, it clearly says that every picture uploaded to Fb belong to Fb. They can do whatever they want with it.
The problem is that people are dumb and they think that it will be removed, it will just be archived & Fb will still own a copy.

Just because it's in the Tc & Cs doesn't mean that it's right or that it's legal.
If you agree to a T&C that said that someone has the right to terminate your life for any reason without recourse, does that make murdering you right or legal just because you agreed to those Ts & Cs? Tc & Cs can only go so far, and if the Ts and Cs have clauses that are detrimental to the person (such as significant risk or waiver of any legal rights that are legal to even waive) they have a legal responsibility to make it clear, not just buried in the Ts & Cs, and even have someone explain it to them in some cases (this is a legal requirement in Australia at least).

Intrinsica said,
I'm not entirely sure how this is such a big deal? I mean, the only situation I can think of where this would be serious trouble would be if your profile were viewable to all and a company were doing research on you, or a bank was checking on you and your friends to see if they should give you a loan.
But even in those situations, the business/bank would have to have the direct link to that photo, since they wouldn't be able to see it automatically in your profile (assuming that you were smart enough to delete the picture from the profile, which - if you're leaving your profile open for anyone to see - you probably aren't).

Why? Why do you have to overthink this? Clearly, Facebook is at fault here for being notorious, just like Google, Microsoft, and several other web service providers are with their spurious 2-3-5 year self-made rules for data collection. Nobody knows how much longer than that they keep any data because there is no higher power regulating this kind of criminal activity.

When YOU press DELETE, YOU mean it to be GONE for good. There are no more sides to it. That is all.

Simon- said,

Just because it's in the Tc & Cs doesn't mean that it's right or that it's legal.
If you agree to a T&C that said that someone has the right to terminate your life for any reason without recourse, does that make murdering you right or legal just because you agreed to those Ts & Cs? Tc & Cs can only go so far, and if the Ts and Cs have clauses that are detrimental to the person (such as significant risk or waiver of any legal rights that are legal to even waive) they have a legal responsibility to make it clear, not just buried in the Ts & Cs, and even have someone explain it to them in some cases (this is a legal requirement in Australia at least).
Keep comparing murder and photo. I'm sure you'll convince somebody, someday, maybe ...

Anthonyd said,
Keep comparing murder and photo. I'm sure you'll convince somebody, someday, maybe ...

He made a bad comparison, but his point is still valid. Regardless of what is in their terms and conditions, in a number of countries it's considered illegal to keep this data, and they have to, by law, remove it from their servers upon the user's request (when the user click's delete).

Because anyone who could see it before you deleted it can download it and upload the photo within their own profile, mark it public and tag you.

Rohdekill said,
Because anyone who could see it before you deleted it can download it and upload the photo within their own profile, mark it public and tag you.

Technically they could still do this even if the bug didn't exist. The initial problem is that you need to be the first person to see the picture and remove it. Without this bug in place the picture is no longer accessible, with this bug it is only accessible if someone has gone and copied the link. If they have copied the link then they've probably downloaded the photo as well, so even if the bug didn't exist there would be nothing stopping them from reuploading the picture.

Jebadiah said,


When YOU press DELETE, YOU mean it to be GONE for good. There are no more sides to it. That is all.

I'm sorry but i don't know any server not having any sort of files backup.

3 years may be stretching it but i would have been really surprised to learn FB did not backup files you upload to its server.

I guess you never worked in a technical service dept. I've seen people request file restore for file deleted like 2 weeks before.

The link giving you access to a deleted file is big fail though.

Edited by LaP, Feb 6 2012, 3:13pm :

LaP said,

I'm sorry but i don't know any server not having any sort of files backup.

3 years may be stretching it but i would have been really surprised to learn FB did not backup files you upload to its server.

I guess you never worked in a technical service dept. I've seen people request file restore for file deleted like 2 weeks before.

The link giving you access to a deleted file is big fail though.

Great excuse. Do I as a customer care about your service inefficiencies? **** no. When I press delete, it means delete what I uploaded from all your storage servers.

Let me make this clear for you.

You or your friend or someone else have uploaded a photo in that you are in inappropriate position (naked, bad looking, etc. ) Someone copy the link make a blog post about something(may or may not be about you) hotlink the same pictures for some reason. So, the picture can be accessed by public from two places. Later you realized that was a bad picture and you deleted or requested the uploader to delete. So, It's gone! Gone in your facebook picture. You feel safe. You thank facebook for allowing you to delete it. Lifesaver! But what you didn't know is the picture can still be seen by public via the blog for the next 3 years and still counting.

Intrinsica said,

Technically they could still do this even if the bug didn't exist. The initial problem is that you need to be the first person to see the picture and remove it. Without this bug in place the picture is no longer accessible, with this bug it is only accessible if someone has gone and copied the link. If they have copied the link then they've probably downloaded the photo as well, so even if the bug didn't exist there would be nothing stopping them from reuploading the picture.

Awesome trolling. We are not talking about any of that. You talk as if we never knew the obvious repercussions of uploading a file that is publicly available.

Jebadiah said,
Awesome trolling. We are not talking about any of that. You talk as if we never knew the obvious repercussions of uploading a file that is publicly available
I think you missed the point that the person that I was quoting was making. My reply was directed at him, just mentioning that what he was saying was already possible. There was no trolling on my behalf, although if you decided to see it that way then fair enough.