All it took was to mention a secret link to an mp4, uploaded to a private encrypted server, in a private message to a friend on Facebook. After a while the server logs showed this:
Seeing a Safari browser download the file, I thought it had been her, so I removed the file from the web server, but she later replied that she hadn't downloaded the video yet.
Since only she, Facebook and I knew of the video, it must have been Facebook downloading it, faking a Safari browser. So I checked and.. yes.. the downloading IP number belongs to Facebook and the way it downloaded the file three seconds after the normal check for its existence should have made me suspicious.
"facebookexternalhit" is the official Facebook spider to check the integrity of links. As you can tell from the log it only took the first 131072 bytes rather than the entire 32387503. In the case of an mp4 it should have merely checked the existence using HEAD, but having the first bunch of frames to generate a preview makes sense, although it is also quite invasive.
But it is a spectacular invasion of privacy that Facebook would then download the entire private video anyway, maybe with the lame excuse that only then it can make a neat preview. A preview for whom? In a private chat? That is beyond terribly inappropriate. That is actively snooping into people's private life beyond what they already give to Facebook because of the lack of appropriate enforcement of data protection laws and market regulation.
After almost an hour, Facebook checked again. By that time the video was gone.
All of the IP numbers appear to be registered to Facebook, although some of them suspiciously refuse to be tracerouted.
Facebook and you know who now have a copy of the video that otherwise only exists on my hard disk. The legitimate recipient still doesn't.
This behavior is new. At some point in the last three years Facebook must have introduced this new degree of surveillance. I had occasionally sent private https links to people before and never saw such aggressive invasion of privacy.