According to research by the University of Cambridge

May 21, 2009 12:17 GMT  ·  By

Deleting a photo you uploaded to the web should remove it from the server it is being hosted on, or at least make it inaccessible to the outside world, right? Wrong, according to Cambridge University researchers. Their team tested popular websites by uploading photos and then deleting them and the results were worrisome. Seven out of the 16 sites tested still made the photos accessible a full month after they were deleted.

“For our experiment, we uploaded a test image onto 16 chosen sites with default permissions, then noted the URL of the uploaded image. Every site served the test image given knowledge of its URL except for Windows Lives Spaces, whose photo servers required session cookies (a refreshing congratulations to Microsoft for beating the competition in security). We ran our initial study for 30 days, and posted the results below. A dismal 7 of the 16 sites failed to revoke photos after 30 days,” wrote Joseph Bonneau on the Light Blue Touchpaper, the Security Research team's blog.

Researchers found that on many sites the deleted photo would remain on the photo server for a long time after it had been removed from the main site and would be accessible to anyone who knew its direct link. Some sites failed the test altogether with the photo still available after 30 days. Among them are most of the biggest social networking websites out there, like Facebook, MySpace, hi5 and Bebo, along with a couple of blogging services. Others removed the photo after a few hours to a few days. Only three sites deleted the photo immediately – photo sharing sites Flickr and Photobucket and social network Orkut. Interestingly enough, Microsoft's Windows Live Spaces fared the best as it was the only site that didn't allow access to the photo with only a URL.

The test should serve as a reminder that once something gets into the “cloud” you have little control over its fate.