Facebook zombies: You can't see them, you can't unfriend them, and you can't block them. Facebook friends are forever, whether you want them or not. Here's how anyone can use account deactivations as a creepy spying tool.
Here's how Facebook is supposed to work: When you don't want to be someone's friend anymore, you unfriend them. Or, if you just want to keep certain things private, you can adjust their access settings. The ability to back out of a friendship is as vital online as it is off, which is why this is worrying: British security researchers Shah Mahmood and Yvo Desmedt have found a simple way to create un-unfriendable zombie accounts (via the Arxiv blog). Here's how it works:
Make a new account
Using an existing account works too, but the trick requires near-constant deactivation.
Add a bunch of friends
By day 285 of their experiment, the researchers had added 4339 friends to a fake account. These people didn't necessarily know that the account was fake, and may have mistaken its name for someone they knew. In any case, they voluntarily shared information with the owners of this account.
Deactivate the account
This will switch off, but not delete, your zombie account. Deactivated accounts no longer appear on other users' friend lists, and therefore can't be unfriended. Whatever the privacy settings were when they accepted your friend request are now permanently stuck.
