Facebook Leaks IP Addresses

Posted by: Matt  /  Comments: 27

Update: It looks like Facebook fixed the default behavior of the sent emails. Your IP Address is no longer included in the notification emails. I will give Facebook credit that they solved this in less than 24 hours. Now, if they can just shore up some of the other issues…

Original Post:

Facebook has nice email notifications whenever a friend comments on your status, sends you a message, or a variety of other reasons. The emails have subjects similar to “John Doe commented on your wall post.” The unfortunate thing is that this email also appears to contain John Doe’s (or your other friend’s) IP address.

The email headers contain a line similar to:

X-Facebook: from zuckmail ([MTAuMzAuNDcuMjAw])

Copy this line out and feed it to this page:

http://www.myiptest.com/staticpages/index.php/trace-email-sender

The page returns the IP address of your friend, and clicking on it shows a geolocation-based map. It will also show whether your friend posted from a cell phone and which service provider they use.
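The lookup above can be done locally, without handing the header to a third-party site. The following Python script is an added example, not code from the original post or from Facebook: it parses the X-Facebook header (whose bracketed value is the IP address encoded in base64; the value quoted above decodes to 10.30.47.200) and the X-Originating-IP header that some webmail providers set, and labels each address as public, private or loopback so that a server-side or placeholder address is not mistaken for a user's. The sample message is constructed for the example; the header names come from the page.

```python
import base64
import binascii
import ipaddress
import re
from email import message_from_string

# Constructed sample: a notification-style message using the header shape
# quoted in the post. The base64 value is the one shown on the page; the
# X-Originating-IP value is a constructed loopback placeholder.
SAMPLE_NOTIFICATION = """\
From: notification@example.invalid
To: me@example.org
Subject: John Doe commented on your wall post.
X-Facebook: from zuckmail ([MTAuMzAuNDcuMjAw])
X-Originating-IP: [127.0.0.1]

John Doe commented on your wall post.
"""

# Anything between square brackets in a header value is a candidate address.
BRACKETED = re.compile(r"\[([^\]]+)\]")


def decode_candidate(token):
    """Return an ip_address for a bracketed token that is either a literal
    address or a base64-encoded one (the X-Facebook style); None otherwise."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        pass
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
        return ipaddress.ip_address(decoded)
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def classify(addr):
    """Label an address by what it can reveal about the acting user."""
    if addr.is_loopback:
        return "loopback"   # a placeholder, not anyone's address
    if addr.is_private:
        return "private"    # RFC 1918 / internal: a server, not a user
    if addr.is_reserved or addr.is_multicast or addr.is_unspecified:
        return "reserved"
    return "public"         # routable: this is what exposes a user


def audit_headers(raw_message, header_names=("X-Facebook", "X-Originating-IP")):
    """Scan the named headers for embedded addresses.

    Returns a list of (header, raw_token, decoded_address_or_None, label).
    """
    msg = message_from_string(raw_message)
    findings = []
    for name in header_names:
        for value in msg.get_all(name, []):
            for token in BRACKETED.findall(value):
                addr = decode_candidate(token)
                label = classify(addr) if addr is not None else "undecodable"
                findings.append((name, token, str(addr) if addr else None, label))
    return findings


if __name__ == "__main__":
    for header, token, addr, label in audit_headers(SAMPLE_NOTIFICATION):
        print(f"{header}: {token!r} -> {addr} ({label})")
```

Only a "public" result means a user's address was exposed; "private" and "loopback" results mean the header carried a mail server's or a placeholder address, which is what a few commenters observed when they checked their own notifications.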

This information is great when a fugitive is taunting law enforcement through their Facebook page, but not when a wife is trying to hide from an abusive husband and assumes Facebook is the best form of communication.

This isn’t the end of the world compared to some of Facebook’s other privacy problems; however, there is simply no need for Facebook to include these IP addresses, and it should be fixed quickly.

27 Comments

Trent Lloyd

May 7, 2010

Actually this is a common method of combating spam, all of the various spam providers will block facebook as a whole if they don't include this information, which would obviously be a devastating annoyance.

Go and send an e-mail from hotmail, or any kind of mailserver.. normal e-mail client, gmail, etc.. and you will see the exact same behavior… not to mention your IP is transmitted to every web site you visit on the internet, and even someone you talk to on MSN say – if you do a direct file transfer.

Anonymous

May 7, 2010

Actually, that's the email of the sending server that you refer to, Trent. Facebook is sending the IP address of the user that initiated the event. Two very different things insofar as privacy is concerned.

Anonymous

May 7, 2010

a devastating annoyance?

the user generated spam you receive from facebook if you're not a member is an even greater annoyance. I have a rule on my mailserver to discard mails from facebook for my inbox as I don't want to be notified every time another lemming pours their whole addressbook – which happens to contain my email address – into the facebook abyss of annoyance.

Jake Brandon

May 7, 2010

I think sending the IP address of the actual user is definitely a whole different can of worms than sending the IP address of the mail server. Anyway, facebook is really in trouble with privacy now and I hope they clean up their act because I'm very close to gone from there. Actually, I might just get off the internet altogether with DirtyPhoneBook and other sites having the ability to spread my personal information without my permission. Facebook is very close to being a multi-billion dollar behemoth, but there's a chance they screw it up at the finish line due to greed and incompetence.

Anonymous

May 7, 2010

if a wife is trying to hide from her abusive husband, why would she comment on her husband's post or take an action that would send him a notification, or be friends on Facebook anyways?

Matt C

May 7, 2010

Yeah, the abusive husband maybe wasn't the best example. Still doesn't take away from the privacy implications involved.

rjbs

May 7, 2010

No, nearly all large email service providers will report the IP of the user, often via the X-Originating-IP header. This lets you perform spam analysis based on the apparent end user location rather than just the server.

It's very valuable data in antispam.

Anonymous

May 7, 2010

Vpn. Done!

Matt C

May 7, 2010

I'm surprised at some of the backlash on this. Yes, if I originate an email I expect my IP address to appear in the header. But if Facebook originates an email (based on another user's settings that I have no control over), my IP address should not appear.

Imagine if by commenting here, this blog sent your IP address to everyone who commented before you. It's just not right.

Anonymous

May 7, 2010

Correct me if I'm wrong people, but the IP address that is shown will not reveal the location of the PC, but rather the location of the ISP that the PC uses. This could be literally states away from the physical location of the PC. This is still a bit of an issue, but not nearly as big as this post makes it seem. You can't find someone's house through this information.

TrainReq

May 8, 2010

This does not give the IP address of the Facebook user. Facebook has multiple mail servers, the header that is shown just shows the IP address of the mail server that mailed out the notification, not of the facebook user.

Just a heads up

Andrew

May 8, 2010

This isn't limited to just friends — if I comment on a friend's photo, and someone else who has commented on that photo gets an email update, they will see my IP. It doesn't matter that we're not friends.

Also, yes, you can't find someone's house with this info, but take a look at a few of the (partially-obscured) hostnames reversed from IPs I grabbed from headers:
p0-0-0-0.nat.washington.edu — University of Washington
0-0-0-0.nctc.mnscu.edu — Northland College
0-0-0-0.phnx.qwest.net — Phoenix (Qwest customer)

Anonymous

May 8, 2010

TrainReq: wrong, it does give the IP of the user.

Charles

May 8, 2010

To all of the people who bluster and sputter that this will make them leave Facebook – could you just go ahead and DO it already?

Every email in the world has the IP address of the originating sender. So what?

Anonymous

May 8, 2010

Mmm – didn't seem to work for me – it returned 127.0.0.1 as the IP address…

martineve

May 8, 2010

@Charles: yes, emails do contain a source header, but commenting on a Facebook page does not constitute sending an email.

@Matt C: a lot of the backlash is out of ignorance as to how much identification is presented by this information.

Whoever suggested a VPN is making a good call.

Anonymous

May 8, 2010

The more I know…thanks for post, as it starts a great discussion. I'm on FB but growing more paranoid of it by the week.

Anonymous

May 8, 2010

I checked mine last night. I was not all that concerned with Earthlink, Tampa Bay but when I clicked on the map, it put the pointer in a small town next to me, about 2 miles from my house. There are no server farms there and it's not on the same side of the bay as Tampa.

It was a lot closer than I expected.

Paul

May 8, 2010

They can't go back and delete all the e-mails from someone's inbox now though. Our IP addresses are still there for all to see. There's no way to fix what's already been done.

Anonymous

May 9, 2010

As some have pointed out, your IP is in standard email headers you send depending on your mail provider. It is also left in server logs when visiting sites (unless you use a proxy service).

There has to be a balance between privacy and accountability. People are taking to Facebook as a way to bully others and make irresponsible statements thinking they are free from any consequences from doing so. Not providing some means to link this back to the author removes accountability and causes people to behave differently than when held accountable.

Privacy is necessary, but not at a cost of removing all accountability. A society with no accountability is just as dangerous as one with no privacy.

Anonymous

May 9, 2010

This is the most significant event regarding privacy that has happened this year. The founding fathers would be proud of you.

Anonymous

May 9, 2010

I tested this and it only has the facebook email servers in the header… as it should.

Barry Schnitt

May 9, 2010

We originally included IP address information in these email headers as part of industry best practices designed to improve spam filters. This is similar to what many webmail providers do. However, we agree this practice no longer makes sense for Facebook and we’ve discontinued it. Thank you for bringing this to our attention.

Best,
Barry


Barry Schnitt
Director, Policy Communications
Facebook
barry@facebook.com
650.543.4979

Matt C

May 9, 2010

Hi Barry,

Thanks for the comment and it's nice to see Facebook changed this particular practice.

You guys had an unfortunate week in the news as far as privacy concerns go. Has any of the recent press made Facebook consider new privacy options? Are there plans to give users more control over their privacy? The privacy options should be more restrictive by default and there are too many confusing options for the average user. I know more than a few people who would like to see things change.

Thanks,

Matt

Bruno B

May 11, 2010

This is an issue way back from 2009. Please read this post:

http://www.facebook.com/topic.php?uid=5484086268&topic=13871

Anonymous

May 16, 2010

When a wife is trying to hide from an abusive husband and assumes Facebook is the best form of communication? Why? Knowing her i.p. address will not give out her exact location, just her general one.

I've been well aware that my i.p. address can be found through just about any notification sent through an email from facebook for quite some time now, and I never had a problem with it.
If someone looks up my i.p. address, they will not get my exact location, it will show a different location each time.

Yes, this does protect the privacy of the other person. It is protecting the privacy of someone who has continually harassed and verbally abused myself and others on a discussion board many, many times. There are people on Facebook that bully and harass others. When their account is removed for it, they create another account with a fake name, and continue the same behavior.
It takes Facebook up to 3 to 5 days to remove the account (if they are even removed at all). In the meantime, there are humiliating and verbally abusive posts that show up on Google for that amount of time, and even longer.
What of our rights to have a general idea of who someone that sends us a friend request or replies to us on a message board might be?
Finding the i.p. address of the person helped to be able to identify, avoid them, and to be on the look-out for odd behavior.

On the other hand, the consequences of knowing someone's i.p. address are minimal. At the most, I believe someone could do a ddos attack (and you'd have to be quite a loser to do so.) It's a common misconception that someone knowing your i.p. address is a horrible thing.
If someone believes that, they should log off the internet and stay off it.

In my view, this was a giant step backward.

Of course, in a perfect world, Facebook would take bad behavior seriously and protect their users from this kind of thing, but anybody who has been on Facebook for any amount of time certainly knows that is not going to happen any time soon.

Anonymous

May 21, 2010

does not work with hotmail
