Jake Widman
Friday, 22 May 2009 01:11
Bonneau and his colleagues uploaded a test image to 16 photo sharing sites, including Facebook, Flickr, LiveJournal, MySpace, Orkut, Picasa, Bebo, and Windows Live Spaces.
They then noted the URLs for the photo and confirmed that all but one site would deliver the photo when requested with the proper URL.
The one exception was Windows Live Spaces, whose photo servers required session cookies, prompting Bonneau to write, "a refreshing congratulations to Microsoft for beating the competition in security."
The researchers then deleted the photo but kept trying to retrieve it for 30 days to see how long it persisted on each site's photo server.
They discovered that Orkut, Photobucket, and Flickr "revoked" the photo immediately, but that it was still available 30 days after deletion on a full seven sites, including Bebo, MySpace, Facebook, and LiveJournal.
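The two checks the researchers ran (can the bare URL fetch the photo without a session cookie, and how long is it still served after deletion?) can be turned into a repeatable audit. This is an added example, not code from the article or from Bonneau's study; the HTTP fetch is injected so it runs offline against a constructed `SimulatedPhotoServer`, and a real fetcher can be swapped in to audit a live service you operate.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# fetch(url, with_session_cookie) -> HTTP status code (200 means the photo was served)
Fetcher = Callable[[str, bool], int]


@dataclass
class AuditResult:
    site: str
    served_without_cookie: bool        # bare URL alone is enough to get the photo
    days_until_revoked: Optional[int]  # None: still served after max_days


def audit_site(site: str, url: str, fetch: Fetcher, delete: Callable[[], None],
               wait_day: Callable[[], None], max_days: int = 30) -> AuditResult:
    """Cookie-less retrieval check, then post-deletion persistence polled
    once a day for up to max_days (the study used 30)."""
    served_without_cookie = fetch(url, False) == 200
    delete()
    days_until_revoked = None
    for day in range(max_days + 1):
        # Poll with a cookie so a cookie-requiring site is not misread as revoked.
        if fetch(url, True) != 200:
            days_until_revoked = day
            break
        if day < max_days:
            wait_day()
    return AuditResult(site, served_without_cookie, days_until_revoked)


class SimulatedPhotoServer:
    """Constructed stand-in for one site's photo host: `cache_days` is how long it
    keeps serving a photo after the owner deletes it; `needs_cookie` models a host
    that demands a session cookie on every request."""
    def __init__(self, cache_days: int, needs_cookie: bool = False):
        self.cache_days, self.needs_cookie = cache_days, needs_cookie
        self.today, self.deleted_on = 0, None

    def fetch(self, url: str, with_cookie: bool) -> int:
        if self.needs_cookie and not with_cookie:
            return 403
        if self.deleted_on is not None and self.today - self.deleted_on >= self.cache_days:
            return 404
        return 200

    def delete(self) -> None:
        self.deleted_on = self.today

    def wait_day(self) -> None:
        self.today += 1
```

For a live audit, `wait_day` would sleep 24 hours and `fetch` would issue a GET with and without the session cookie; `days_until_revoked` of `None` is the finding the article reports for seven of the sixteen sites.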
Bonneau labeled the sites' approach as "not only fundamentally wrong from a privacy standpoint, but likely illegal under the EU Data Protection Directive of 1995 and its UK implementation, the Data Protection Act of 1998, which both clearly ban keeping personally-identifiable data for longer than necessary given the data’s purpose."