Last year I experimented with private group microblogging systems via authenticated feeds. Didn’t go anywhere, because many of the biggest newsreaders don’t properly support authenticated feeds. And “obscure but public” feeds get indexed by aggregators like Bloglines, by design, making sensitive content much less obscure.
Enter feed access control, a several- (3-?) year-old RSS/ATOM extension that tells Bloglines, and anyone else who is listening, that this feed should be treated as private, even though it’s public.
Facebook’s feeds are intended to support this protocol:
Which seems reasonable enough.
There are a couple of issues though. First, this approach is based on a third-party’s positive action to prevent or “opt-out” of publishing and indexing, in a system that normally defaults to syndication, indexing, etc. So it’s easier for a glitch to expose data.
Second, the whole “fac” extension is a gentlemen’s agreement among parties that couldn’t even agree on making authenticated feeds work well. Perhaps they all make a best effort to isolate the marked content. But tomorrow, a startup with a rocking aggregator could simply ignore “fac” and expose all of the feeds it has.
In some sense, the same vulnerability exists with other systems – if you signed up with some random webmail provider, who’s to say they don’t expose your mail. But because RSS is public by nature, almost all feeds live utterly unprotected, and this extension is one vendor’s hack, it’s not quite the same.
All in all, probably not a big reason for concern. But when people tell me how private things can be on facebook (where you can sneeze and end up revealing your data because the IxD is tilted so heavily toward sharing everything) it always seems worth noting how your data (via your friends’ feed subscriptions) can slowly leach out into the open ocean of the indexed net.