Facebook App Devs Can See Your Private Parts
Dec 10, 2009 12:04 PM PT
You may have taken time out from playing "Mafia Wars," "FarmVille" or answering that "Which Muppet Are You?" quiz to update your privacy settings on Facebook this week. However, when you were clicking on your choices for who could see your updates and personal data, did you happen to notice any mention of those third-party applications involving games, quizzes and other outside software linking up to the world's largest social media network? How much access to your personal info do the developers of these apps have?
"This is the big, looming privacy issue that most users still don't know about," Marc Rotenberg, executive director of the Electronic Privacy Information Center, told TechNewsWorld. "Most folks are good about making decisions about information they disclose on their Wall. They have some reasonable understanding about who's going to have access to it. But that whole approach breaks down with third-party apps."
Indeed, while the way Facebook allows those outside developers to have users' data got the company in trouble this summer with the Canadian Privacy Commission, there's very little mention in this current privacy push of third-party apps. A Wednesday post on the Facebook Blog addresses applications, but only in regard to Wall posts. "There's been some confusion about whether you can still limit access to Wall posts from friends and applications. The answer is yes," the post reads. "You can also control whether applications you use can post stories to your Wall on the Applications Settings page. Just click 'Edit Settings' next to an application's name and choose the settings that are right for you."
Those settings, however, still rely on the same categories as other privacy settings: Everyone, Friends of Friends, etc. There has been no direct discussion on the Facebook blog or in the three-step process that users have faced this week with regard to their settings.
This apparent lack of detail is a point addressed by the Electronic Frontier Foundation's Kevin Bankston in a Dec. 9 post on the EFF's site titled "Facebook's New Privacy Changes: The Good, the Bad and the Ugly." The network's third-party app strategy falls under the "ugly" part of the post.
"Facebook previously offered a solution to users who didn't want their info being shared with app developers over the Facebook Platform every time one of their friends added an app: Users could select a privacy option telling Facebook to 'not share any information about me through the Facebook API,'" Bankston's post reads.
"That option has disappeared, and now apps can get all of your 'publicly available information' whenever a friend of yours adds an app," it continues.
"Most people don't know that their entire profile -- and all this stuff that their friends have posted, and their friendships -- gets pushed off to the app developers," Rotenberg said. "And all Facebook does is give you a little screen that says this is necessary. They make it sound like if you don't let them do it, you're not going to get to use that program."
Facebook did not respond to a request for comment by press time.
Possible Security Solutions
Facebook should be much more open about what info is given to third-party developers, according to both Bankston and Rotenberg. Instead of removing the "do not share" option for apps, Facebook should have made it bigger and publicized it better, Bankston argued.
"Instead, the company has sent a clear message: If you don't want to share your personal data with hundreds or even thousands of nameless, faceless Facebook app developers -- some of whom are obviously far from honest -- then you shouldn't use Facebook," he wrote.
"We've made several specific recommendations. They need to be more open about what's really going on with third-party apps," Rotenberg said. "They need to show users specifically the information that flows when users choose an app. Ironically, there's a Facebook app that does that. You can install an app to see the problems with apps."
Facebook also should take responsibility for limiting that data, making less access the default option for its relationship with developers, Rotenberg said. He's not referring to some of the raw demographic data available to advertisers; most of that is faceless, nameless age and gender information.
"We're a little less critical about that," he said. "Advertisers want to be able to target demographics. We're talking about when Facebook says, 'This user wants to use your program, here's everything that they have.'"