Earlier today on Facebook, I shared a link to a blog post claiming that Facebook had made private messages pre-2010 visible on timelines, and providing detailed instructions on how to check for this.
I was skeptical, since I'd seen denials of this on prominent technology websites (and my go-to source for rumor-checking, Snopes), but out of curiosity I followed the instructions in the post:
On the right-hand column of your profile page, select the year 2010. In the box where it shows the messages that friends posted on your wall (and now, apparently, to your inbox), select HIDE FROM TIMELINE. You will need to select each year you've been on Facebook prior to 2010 and repeat this step.
Much to my surprise, I found a significant number of what I had thought were private messages from friends that were accessible to anyone with access to my timeline. This was particularly disturbing because when I first switched to the timeline view (back when you had to be a Facebook developer to do so), I thought I had gone through all of my content to look for just such a problem.
So, why did I miss these? They were hidden in that box at the top of each time period labeled "### friends posted on Liz's profile". Most of those were innocuous things like birthday greetings. But quite a few used Facebook's "wall-to-wall" posting feature.
If you're relatively new to Facebook, you may not realize that Facebook didn't implement its current email-like messaging system until 2010. Before that, it offered a "wall-to-wall" messaging option that allowed you to post a message for a friend that generally only the two of you would see. Until Timeline came on the scene, that is.
After I posted this, a significant number of very tech-savvy friends--people who, like me, have been using Facebook for more than five years (I joined in early 2005), and who work in the tech industry--weighed in to say that by following these instructions they'd also found messages they'd believed were private. (Including the estimable Robert Scoble.) That's an indication that Facebook failed BADLY here--perhaps not legally or technically, but certainly from a UI and user trust standpoint.
So yes, Facebook's denial of a privacy breach is technically accurate. But if you've been using Facebook since before 2011, I strongly encourage you to follow the directions linked above to check for problematic content. Even if you, like me, don't post private information on Facebook, your friends might not have been that careful.