
Many social networking sites keep copies of photos after
users have deleted them, say researchers at the University of
Cambridge today.
Announcing the results of a study, the researchers say that
users who believe they have deleted an embarrassing photo may have
an unpleasant surprise when they learn that it is still available
on the web.
The study examined 16 popular websites which host user-uploaded
photos, including social networking sites, blogging sites, and
dedicated photo-sharing sites. Seven of the 16 sites surveyed kept
copies of users' photos after 30 days.
The researchers uploaded photos to each of the 16 sites, then
deleted them, but kept note of URLs to the photos from the sites'
content delivery networks.
They say that these links continued to work even though a
typical user would think the photos were permanently deleted. There
is no simple interface to tell when a photo has ultimately been
purged.
Researchers found that it is common practice for web 2.0 sites
to store user photos on servers run by a different company. The
popular sites Facebook, MySpace, and hi5 serve photos from the
content delivery network run by Akamai Technologies.
Social networking sites fared especially poorly in the study,
with four out of eight failing to remove deleted photos, including
industry leaders Facebook, MySpace, hi5, and Bebo. Blogging sites
also fared poorly, with LiveJournal, Xanga, and SkyRock all failing
to remove photos permanently.
Faring well in the study were the dedicated photo-sharing sites
Flickr, Photobucket, and Fotki, which all removed photos within 1
hour. Three Google-operated websites, Blogger, Picasa, and Orkut,
all removed photos within 48 hours. Microsoft's Windows Live Spaces
received special commendation for removing photos instantly.
The study was conducted by PhD students including Joseph
Bonneau, Jonathan Anderson, Andrew Lewis and lecturer Frank
Stajano, who have been researching social networking privacy and
have reported other flaws.
Bonneau said: "This demonstrates how social networking sites
often take a lazy approach to user privacy, doing what's simpler
rather than what is correct. It's imperative to view privacy as a
design constraint, not a legal add-on."
Anderson said: "This experiment is a litmus test of which online
services actually believe that you own your personal data."
Details of the study can be found on the
researchers' blog.
The researchers are repeating the experiment for public viewing.