Hundreds of Facebook groups were turned into zombies on Tuesday in an attempt to display just how vulnerable social networkers can be. Using a design flaw in Facebook’s groups feature, a group called Control Your Info found Facebook groups where the administrator had stepped down, joined the group, claimed the vacant administrator spot (which is open to any group member when the administrator leaves) and changed the name to Control Your Info.
“When you’re admin of a group, you can basically do anything you want with it,” the group’s Web page states. “You can change it’s name, and the groups members won’t even get a notification of it. You can send mails to all members and edit info.” An evildoer could seize a widowed group (such as the hypothetical group “Sweet Valley High LoOoOoVeS Robert Pattison,” for instance) and change the name to something offensive (like “The Coalition for Pedophile’s Rights”), thereby damaging the image of the group members.
Control Your Info’s principals spoke via Skype to FastCompany.com on Tuesday. They chatted as a group and declined to give their names but they are four students from Hyper Island, a progressive school program in Sweden that focuses on digital media and communications. (Read a Fast Company piece about Hyper Island from the March ’09 issue here.) The foursome is using the experiment as their final project and will present it on Wednesday. Do they consider this project a success? “We like to think so,” they said. “The first reactions we got were anger. This was not our intention at all, but some people who were in hijacked groups reacted by getting upset. But now, it seems that the anger has settled, and that people have started discussing in a constructive way.”
Though a bit of a stunt, the group has a valid point about online security and does a good job of pointing out a flaw in Facebook’s design. When an admin leaves, Facebook should have a better security process, such as giving current members a week to claim the admin spot, then shutting down the group if no one does. Facebook users should think extra hard before putting online reputations in the hands of a total stranger who also happens to love B’Elanna Torres from Star Trek Voyager or the onion rings at Sonic.
Was Control Your Info’s project effective? Sure. If Facebook wasn’t aware of the problem before, they are now. But is exploiting a rare and random design flaw (instead of, say, an e-mail to Facebook) the most effective way to continue a cause? Not really. Control Your Info’s Facebook fan page has been disabled, as have accounts that got tangled up in the hijacking. Control Your Info backed up all the information from the original groups that were hijacked, but since their Facebook accounts were disabled, they’re no long admins and can’t restore the group info. “We will find some way of providing it back to the people who it belongs to,” they say. Whoops.
It would be impressive if Control Your Info continued using guerrilla tactics to expose problems with other popular services, such as Twitter or YouTube, but when asked if they planned to follow up their Facebook stunt, the group hedged. “We wanted to provide a platform for discussion for the people. We didn’t want to be in focus ourselves. It seems like the discussion is starting up. If we can be outside of the discussion, we will.”