Social Networking Sites Keep Your Deleted Photos
Many social networking sites keep user's photos that may have been already been deleted by a user, a team of Cambridge researchers found.
The researchers ran a small experiment on 16 social-networking, blogging, and photo-sharing web sites and found that most failed to remove image files from their photo servers after they were deleted from the main web site.
It?s often feared that once data is uploaded into "the cloud," it?s impossible to tell how many backup copies may exist and where, and this provides clear proof that content delivery networks are a major problem for data remanence.
For the experiment, the researchers uploaded a test image onto 16 chosen sites with default permissions, then noted the URL of the uploaded image. Every site served the test image given knowledge of its URL except for Windows Lives Spaces, whose photo servers required session cookies. They ran their initial study for 30 days, and according to the results, a dismal 6 of the 16 sites failed to revoke photos after 30 days. Special photo-sharing sites, such as Flickr and Google's Picasa, fared better than Facebook and Microsoft's Windows Live Spaces removed the photos instantly, the research found:
"Most likely, the sites with revocation longer than a few hours aren?t actively revoking at all, but relying on the photos eventually falling out of the photo-server?s cache," the researchers said.
This memory-management strategy makes sense technically, as photos are deleted from these types of sites too infrequently to justify the overhead and complexity of removing them from the content delivery network. This paradigm is usually reflected in sites? Terms of Service, which often give leeway to retain copies for a ?reasonable period of time.? Facebook is actually quite explicit about this, stating that 'when you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer.'
This architecture is not only fundamentally wrong from a privacy standpoint, but likely illegal under the EU Data Protection Directive of 1995 and its UK implementation, the Data Protection Act of 1998, which both clearly ban keeping personally-identifiable data for longer than necessary given the data?s purpose.
In the social web case, the purpose of keeping a photo is to share it. Since this is no longer possible after the photo is marked 'deleted' all copies of the photo must be removed. There?s also an interesting violation of the provision that a user should have access to all data stored about her, after marking a photo ?deleted? the user no longer access to it, as there is no way to see which user content is still cached.
"Sensitive personal data must be stored and cached using reference counts to ensure it can be fully deleted, and not simply left to be garbage collected down the road. Unfortunately, as is common with with social networking sites, privacy is viewed as a legal add-on and not a design constraint," the researchers said.
It?s often feared that once data is uploaded into "the cloud," it?s impossible to tell how many backup copies may exist and where, and this provides clear proof that content delivery networks are a major problem for data remanence.
For the experiment, the researchers uploaded a test image onto 16 chosen sites with default permissions, then noted the URL of the uploaded image. Every site served the test image given knowledge of its URL except for Windows Lives Spaces, whose photo servers required session cookies. They ran their initial study for 30 days, and according to the results, a dismal 6 of the 16 sites failed to revoke photos after 30 days. Special photo-sharing sites, such as Flickr and Google's Picasa, fared better than Facebook and Microsoft's Windows Live Spaces removed the photos instantly, the research found:
"Most likely, the sites with revocation longer than a few hours aren?t actively revoking at all, but relying on the photos eventually falling out of the photo-server?s cache," the researchers said.
This memory-management strategy makes sense technically, as photos are deleted from these types of sites too infrequently to justify the overhead and complexity of removing them from the content delivery network. This paradigm is usually reflected in sites? Terms of Service, which often give leeway to retain copies for a ?reasonable period of time.? Facebook is actually quite explicit about this, stating that 'when you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer.'
This architecture is not only fundamentally wrong from a privacy standpoint, but likely illegal under the EU Data Protection Directive of 1995 and its UK implementation, the Data Protection Act of 1998, which both clearly ban keeping personally-identifiable data for longer than necessary given the data?s purpose.
In the social web case, the purpose of keeping a photo is to share it. Since this is no longer possible after the photo is marked 'deleted' all copies of the photo must be removed. There?s also an interesting violation of the provision that a user should have access to all data stored about her, after marking a photo ?deleted? the user no longer access to it, as there is no way to see which user content is still cached.
"Sensitive personal data must be stored and cached using reference counts to ensure it can be fully deleted, and not simply left to be garbage collected down the road. Unfortunately, as is common with with social networking sites, privacy is viewed as a legal add-on and not a design constraint," the researchers said.
