Facebook (Probably) Didn’t Expose Your Private Messages. It Just Made a UI Mistake.

Most folks have probably seen some blog post or story warning them that Facebook has exposed their private messages from 2010 and before on their public timeline, which Facebook denies of course. And Facebook is (probably) right — what you’re really seeing are old wall posts that you thought were private. That’s not much solace to some Facebook users though, who — based on the message content — insist that the messages *must* have been private.

Here’s what I think really happened.

Facebook used to have a wall-to-wall feature, which showed the wall posts between you and your friend in a back-and-forth conversation format. It looked sort of like this. Or this. Because this layout looks very similar to how messages work in Facebook, people treated wall-to-wall the same way they treat private messaging. But as the name suggests, wall-to-wall posts actually go on your (very public) wall. The wall-to-wall feature was removed in late 2010. Coincidentally, people are only reporting private messages on their timeline for 2010 and earlier.

That’s not to say there hasn’t been a privacy snafu. There absolutely has. Regardless of whether they’re wall posts or PMs, old embarrassing messages on your Timeline are still embarrassing. And if that bothers you, you should hide them.

But the cause of this privacy breach isn’t some Facebook engineer inadvertently flipping the privacy bit in the FB database. It’s really a UI / design problem, or more specifically, a divergence between Facebook’s model of how users behave and the user’s mental model of how Facebook behaves. Two divergences, really.

The first is the aforementioned wall-to-wall issue. From Facebook’s perspective, two users were posting on each other’s public walls. But from the user’s standpoint, based on the visual cues presented to them, they were engaging in a private conversation.

The second is Timeline itself. Timeline exposes old, possibly-private and sensitive information. Again, this is because of a divergence between mental models. For Facebook, the question of whether something is public is a binary decision. When the server receives a request for some particular information, it either provides it or it doesn’t.

But for many Facebook users, public really means accessible. And accessibility isn’t quite so binary. Prior to Timeline, sifting through old messages was time-consuming and difficult (it still is in a way). So by the time an old wall post was buried several months in the past, it may still have been public (as Facebook understood it), but it was relatively inaccessible. Timeline changed the accessibility of old information, and combined with the earlier wall-to-wall issue, we ended up with a huge chunk of Facebook users thinking their private messages were exposed (and in a way, they were).

Some final takeaways / questions:

Don’t trust your memory. When it comes to technology, what matters is what the technology thinks is true, not what you remember as true. As the Wall-to-Wall issue shows, poor UI design can affect how people perceive what is happening on the backend. In this case, if you still think there’s a PM on your timeline, the easiest way to verify this is to cross-reference it against your email archives (if you have your email archived that far back and you had e-mail notifications turned on). Until recently, Facebook would send a separate e-mail for wall posts and private messages. If it’s a private message, the e-mail will say so. And you should notify Facebook, because that’s a huge $#@&-up.

Privacy is often a design problem. Same with security. Or really anything else where the error exists between keyboard and chair.

How do you resolve old UI mistakes? Facebook was almost certainly aware that many wall posts were intended to be private, despite being marked public. But because of the mis-marking, there’s no easy way to identify what user intent actually was for many of these messages. So what’s the proper response? This actually reminds me of the 2000 election in which many Gore voters likely inadvertently voted for Buchanan. But at least some of those Buchanan voters actually intended to vote for Buchanan, and there’s no easy way to tell who intended what, short of a re-vote. So what’s the fair thing to do here?

How do you roll out new paradigms with old data? Start-ups are all about rapid growth and change. Lots of iterations. The occasional pivot. The problem is this can look a lot like a bait-and-switch. Users may provide a company private information based on implicit assumptions about how that data is being used. And indeed, the company may share those assumptions, at least initially. But start-ups often change course. Sometimes those changes may seem slight from the start-up’s perspective but strongly conflict with the user’s assumptions about how the data is handled. In such cases, what’s the best way for a start-up to handle that?