Many social networking sites keep copies of photos after users have deleted them, researchers at the University of Cambridge said today.
Announcing the results of a study, the researchers say that users who believe they have deleted an embarrassing photo may have an unpleasant surprise when they learn that it is still available on the web.
The study examined 16 popular websites which host user-uploaded photos, including social networking sites, blogging sites, and dedicated photo-sharing sites. Seven of the 16 sites surveyed kept copies of users' photos after 30 days.
The researchers uploaded photos to each of the 16 sites, then deleted them, but kept note of URLs to the photos from the sites' content delivery networks.
They say that these links continued to work even though a typical user would think the photos were permanently deleted. There is no simple interface to tell when a photo has ultimately been purged.
Researchers found that it is common practice for web 2.0 sites to store user photos on servers run by a different company. The popular sites Facebook, MySpace, and hi5 serve photos from the content delivery network run by Akamai Technologies.
Social networking sites fared especially poorly in the study, with four out of eight failing to remove deleted photos, including industry leaders Facebook, MySpace, hi5, and Bebo. Blogging sites also fared poorly, with LiveJournal, Xanga, and SkyRock all failing to remove photos permanently.
Faring well in the study were the dedicated photo-sharing sites Flickr, Photobucket, and Fotki, which all removed photos within 1 hour. Three Google-operated websites, Blogger, Picasa, and Orkut, all removed photos within 48 hours. Microsoft's Windows Live Spaces received special commendation for removing photos instantly.
The study was conducted by PhD students including Joseph Bonneau, Jonathan Anderson, Andrew Lewis and lecturer Frank Stajano, who have been researching social networking privacy and have reported other flaws.
Bonneau said: "This demonstrates how social networking sites often take a lazy approach to user privacy, doing what's simpler rather than what is correct. It's imperative to view privacy as a design constraint, not a legal add-on."
Anderson said: "This experiment is a litmus test of which online services actually believe that you own your personal data."
Details of the study can be found on the researchers' blog.
The researchers are repeating the experiment for public viewing.