Newsfeed RSS

[Chris Messina]

Dunno if you have seen this (and I hope raising awareness here doesn't get it shut down), but someone built a feed exporter for Facebook:

http://www.readwriteweb.com/archives/five_things_you_can_do_with_this_new_facebook_rss.php

It's called "Newsfeed RSS" but apparently exports the full ATOM activity stream (the developer said "I guess we are using 'RSS' in the generic sense since people are familiar with that term.").

Anyway, I'm eager to try this out, just because it should make it easier for me to get at the raw data coming out of Facebook without having to build a real app. Can has public ATOM feed for my PUBLIC stuff?

Chris

--
Chris Messina
Open Web Advocate

factoryjoe.com // diso-project.org // openid.net // vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private

[David Recordon]

That's a great post by Marshall about interesting ways to use news feed given this app.  It's also great to see the Activity Streams markup make it through the transformation.

Personally, I setup a Yahoo! Pipe to keep track of my friends talking about tech.

--David

[Darren Bounds]

As I'm sure everyone's aware and expected, Facebook has removed this app.

--
darren bounds
dar...@cliqset.com

[Chris Messina]

*cry*

That's quite lame. Without explanation?

[Darren Bounds]

None that I've seen yet.

--
darren bounds
dar...@cliqset.com

[Ari Steinberg]

Hey, sorry, don't have any official word on this, but just looking at the RWW article, I think there are some definite privacy issues with this app which I'd imagine led to it being taken down.  Use case #3 from the article (create a twitter account to import your entire news feed into) seems particularly egregious - imagine if just a few hundred thousand people decided to do that - suddenly you'd have tens of millions of people's private content publicly searchable on Google without their permission.

We're certainly not opposed to enabling you to export your own content (in fact, we're always trying to work on ways to make that easier) but exporting all your friends' content to a totally public place without their permission isn't cool.  Hope that makes sense.

Incidentally, this is the type of thing that we'd LOVE to see some type of standardized protocol attempt to solve (enabling a way to export private content while preserving the appropriate ACLs).  The only attempt at this that I'm aware of was http://www.bloglines.com/about/specs/fac-1.0 but as far as I know it never really gained wide adoption, and I'm not sure it really does enough.
-Ari

[Chris Messina]

Ari -- this has come up a number of times.

I'm curious — realistically, there is no way to prevent people from leaking their friends' data if they can get a feed of the data — apart from some kind of DRM (to my knowledge). How are you guys thinking about tackling this problem if the data needs to be in standard formats to be useful (i.e. RSS/ATOM) and yet those formats themselves don't deal with access controls?

We talk about using OAuth for providing access to individuals to get the data that they can already see from outside an application — but once it's brought outside the app, it's the social contract that keeps the data safe. As it is, if I take the feed of my Twitter friends' posts — including my friends who are private — and syndicate that to some third party site (like Google Reader) — the data could leak. 

Wouldn't it be better to make this use case a "known issue" and let me lose my friends than try to be in the position to keep all people's data safe forever? 

Curious your current thinking on this?

Chris 

[Ari Steinberg]

Chris, these are tough questions which sadly I don't have great answers for.  I'll take a stab at them, though...

I'm curious — realistically, there is no way to prevent people from leaking their friends' data if they can get a feed of the data — apart from some kind of DRM (to my knowledge).

Yeah, I think the goal here is not to make it impossible, but to make sure that someone who is doing it is really doing it willfully.  If you want to take a screenshot of your feed or copy and paste it or whatever, obviously we are not going to try to stop you from doing that, and hopefully you'll have a pretty good idea of the implications of your action.

But if you can just click a couple of buttons under the assumption that you are setting up some new convenient way of reading your friends' content and now you've inadvertently enabled permanent exporting of all of their data to the entire world, then that's quite a bit worse.

 

How are you guys thinking about tackling this problem if the data needs to be in standard formats to be useful (i.e. RSS/ATOM) and yet those formats themselves don't deal with access controls?

I think this is why we've historically been hesitant to adopt RSS/ATOM for the entire feed.  If we could come up with some standard that says "here is a private feed, do what you want with it but only show it to the person whose feed it is" then we'd adopt it in a second.  The tricky thing is, if this was just an extension of ATOM/RSS (like the bloglines spec), there's this annoying legacy issue where consumers of the feed who don't know about the standard will inadvertently expose the data.  I don't know a great way around this but I'd love to hear thoughts from others on this list.  one straw-man i'll throw out there which doesn't sound great is "make a standard with intentionally different names from ATOM so that we can enforce that there are no legacy feed consumers who inadvertently do bad things".  Actually, come to think of it, does anyone know how widely adopted that bloglines spec is?  I haven't actually looked into it in a while.

 

We talk about using OAuth for providing access to individuals to get the data that they can already see from outside an application — but once it's brought outside the app, it's the social contract that keeps the data safe. As it is, if I take the feed of my Twitter friends' posts — including my friends who are private — and syndicate that to some third party site (like Google Reader) — the data could leak. 

Yes, it could.  I think realistically there's a lot less private information on Twitter at this point so the social norms/expectations may be different.

 

Wouldn't it be better to make this use case a "known issue" and let me lose my friends than try to be in the position to keep all people's data safe forever? 

Historically this kind of approach has not worked great for us.  If you've got a couple hundred friends, it only takes one of them to accidentally screw up for all your private stuff to be exposed forever.  We've seen plenty of cases where users will be tricked into doing stuff that bothers their friends (eg with platform applications tricking them into invite spamming, or getting phished or whatever).  Just because your (real life) friend is irresponsible with his usage of the web doesn't mean you don't want to be friends with him.  And making things worse, in this case, you don't even have any way to find out that your friend did it until you do an ego-search and find all your private stuff there for the world to see on Google.

[ian kennedy]

Apologies in advance if I am missing something obvious but what about
a variation on what the Teck Chia, the Newsfeed RSS developer
suggested in Marshall's article about the take down. (http://
www.readwriteweb.com/archives/facebook_shuts_down_rss_feed_app.php)

"One option may be to publish only a user's own items in a feed,
perhaps folding in the updates of friends who have added the app as
well and specifically opted-in."

Create a new privacy setting in Facebook that allows read permission
to the world, open to crawlers, open to non-facebook members,
essentially removing all privacy controls. Anyone that sets their
updates to this setting explicitly allows their updates to be shared
with the world. If any of their friends wish to export their newsfeed,
only those that are publishing under this new global read permissible
setting would be republished into formats that travel outside the
reach of a Facebook login.

Ian Kennedy
http://everwas.com

[Ari Steinberg]

I think this solution sounds reasonable to me, but in general there tends to be a tension here - if we leave it opt in, it will probably not get very much usage, while if we change the defaults it will risk confusing people and causing them to publish something they didn't intend to.  But I think you're right that this is a good direction to explore.

I'm also not totally sure how best to enable people to change their minds - generally we try to let people delete content or retroactively change its privacy settings if they realize they don't like it.  In some cases (eg photo tags) this is the only way to enforce things since the person whose privacy is at risk didn't create the content in the first place.  If you've got a bot continuously crawling and indexing this content, it doesn't allow much of a window for users to manually take things down.  Obviously this is a much lesser problem than the main one being discussed here but it's still a bit frustrating that we can't come up with anything to better accommodate this.

[lowke...@gmail.com]

Hi there,

Really?? This is from the old FB help subject relating to this:

"To subscribe to your friends' statuses, follow the steps below:

Click the "Friends" link at the top of any Facebook page.
From the Friends page, select "Friends' Status Feed" in the left
column.
Click the "Subscribe Now" button to receive an RSS feed of the
statuses.
You can permanently store this link in your browser bookmark folder to
quickly view all of your friends' statuses."

So the feature was there, and now it's gone. Are those user's who had
subscribed already (not me stupidly ergh) now cut off from the feed's?
Was there a reason for this? Had FB been held liable for a specific
data leak case?

Since I've already got access to my Friend's update feeds the regular
way (not to mention their profiles), I already have the ability to
violate their privacy rights if I was so inclined. The onus is on me
not to do so.

Cheers,