Ars Technica has found that the photo deletion flaw it discovered on Facebook three years ago still exists, where images that users have supposedly deleted are still accessible to those with the link months or years later. The issue raises questions over the principle of who owns the data you add to Facebook: the company has long-insisted that any content you add to the site remains yours, but if you're unable to remove your own data, it looks like Facebook's firmly in control. Alongside this, while its data retention policy doesn't directly address deleted content, it does state that, "it typically takes about one month to delete an account, but some information may remain in backup copies and logs for up to 90 days," which might not be true if your images are caught within this bug.
Responding to Ars Technica's investigation, Facebook spokesperson Frederic Wolens explained that "photos remaining online are stuck in a legacy system that was apparently never operating properly," and that although the photos were immediately removed from the site, they remained held in a content delivery system. He says that engineers are currently migrating the old images to a system that will remove the content within 45 days. However, this transfer could take at least another two months, meaning that that image of you passed out at a party could still be lurking somewhere on the web.