Facebook’s Comment-by-Email Enhancement and Possibility of Future Privacy Violation

Facebook offers a new feature to its users which enable wall reply or comment directly from mailbox. This feature can be seen as another effort from Facebook to keep evolving and providing more convenience and a better user experience to more than its 400 million user base. From another perspective, however, concerns about security issue and the degree of exposure of this feature to user’s private data might be raised. As Facebook has been infamous for its inconsistent privacy policy, I would like to share some thought about this feature based on my quick finding.

The enhancement was observable in Yahoo mailbox. This enhancement might be observed in other third party email providers like Gmail or Hotmail, too. However, I can not guarantee the validity of the statement as I have no valid data.

To see the enhancement, you should opt-in wall or comment notification and configure the email client software to automatically display email content as HTML instead of plain text. Naturally, your Yahoo mailbox settings should have been configured to display HTML email by default. When you open the recent wall or comment notifications from Facebook, you will notice slight difference in the visual representation of the email. The notification email now also includes a text field in which you can type your comment and automatically post back to Facebook without having to log in first. The picture below shows the newly integrated text field.


You may be curious about the data sent back to Facebook every time you wall-reply from email. I used Firebug to explore and analyze the content of the email and noted that the following JSON data is associated with the message:

var _messageData = {
    "folderId": "Facebook",
    "messageId": "message_id",
    "to": {
        "email": "fb_user_email_address",
        "name": "Facebook User Name"
    }, "appId": "application_id",
    "fbUrlParams": {
        "id": "id_of_fb_url",
        "story_fbid": "id_of_story_on_fb"
    }
};

The data will be used as extra parameters when posting the comment back to Facebook. There is some javascript code embedded in the email which checks if the user is currently connected to Facebook system or not. If s/he is not, the script will establish the connection and post the comment through AJAX invocation.

Interestingly, some functionalities in the notification email’s javascript codes are native functional parts of the mail client. This leads into conclusion that the mail provider has come into an agreement with Facebook to enable such feature and run it from inside the mail GUI.

Even though I couldn’t find the part where private data stored by the mail client is transported back to Facebook system, it is still valid to question whether sharing the data between two platforms in which the user is subscribed to both, without prior user’s consent, does not infringe user’s privacy. Specific to this case, the “Remove Enhancement” link can be an attempt of the providers to establish a soft agreement with the users about the enablement of the feature. By adding the feature, provider may argue that if users don’t permit such feature they can remove it any time thus giving them the ability to control the privacy.

This feature will begin an era where some parts of a web application can be integrated and loaded from other web applications. While it can be a great for the sake of all-in-one use, it is also necessary to ensure that user data stored in such web application will not be freely interchanged with the other platforms. Otherwise, users won’t be able to control who knows about them and how the information was obtained.

2 Responses to “Facebook’s Comment-by-Email Enhancement and Possibility of Future Privacy Violation”


Leave a Reply