Yet another Facebook privacy risk: emails Facebook sends leak user IP address (UPDATED)


UPDATE, Sunday, May 9, 2010 : Facebook has fixed the issue. Barry Schnitt, Policy Communications at Facebook, writes:

We originally included IP address information in these email headers as part of industry best practices designed to improve spam filters. This is similar to what many webmail providers do. However, we agree this practice no longer makes sense for Facebook and we've discontinued it. Thank you for bringing this to our attention.

We've been covering the mounting privacy violation woes for Facebook users here on Boing Boing in recent weeks—here's another issue to be aware of. Facebook base64-encodes your IP address in every emailed event that you interact with.

Matt C. at Binary Intelligence Blog explains that Facebook's automated email notifications (which go out when, say, a friend comments on your status or sends you a message) appear to contain the IP address of the user who caused that Facebook email to be sent:

The email headers contain a line similar to:
X-Facebook: from zuckmail ([MTAuMzAuNDcuMjAw])

Copy this line out and feed it to this page:

You will get the IP address of your friend and clicking on it will get a geolocation-based map. This will also show you if your friend used their cell phone to post and who they use as their service provider.

This information is great when a fugitive is taunting law enforcement through their Facebook page, but not when a wife is trying to hide from an abusive husband and assumes Facebook is the best form of communication.

As Matt points out in the blog post, this may not be the most onerous of Facebook's privacy problems, and it's certainly not the only one. But no good purpose for users is served by leaking user IPs, and there are many good reasons not to. Facebook, get your shit together for chrissakes.

Facebook Leaks IP Addresses

(, thanks Jake Appelbaum / IMAGE: Facebook, a Creative Commons-licensed photo from the Flickr stream of Franco Bouly)