How Facebook Apps Can Compromise Your Privacy, & How to Fix (Maybe)

I never liked Facebook, and I still don’t, which is why I don’t use it much. My main gripe has always been its badly designed interface which always leaves me confused about where to look and what to do.

But now I have an even bigger gripe about Facebook: How it compromises your privacy via its application programming interface (API).

For example, I sort my Facebook friends into groups so I can selectively view and share Facebook content. I use Facebook notes to create private blog posts to share with people who are interested in my personal updates. That’s where I posted several updates on my progress with recovering from knee surgery and other recent events in my life.

When I post those notes, I specifically designate that they will only be shared with my “close friends & family” group of Facebook friends.

Then yesterday I saw this tweet from the Center for Innovation in College Media:

“RT @alexdc: Your private Facebook info is made public to friends through apps you do NOT use. Change settings here http://bit.ly/1y1gSN“

I checked that link, which (after you log in to Facebook) takes you to the Applications section of your Facebook account’s privacy settings. I was appalled to see that, by default, most kinds of Facebook content were checked off to be shared with my friends through Facebook applications that I do not use. This included Notes, Relationship Status, and almost everything else.

I unchecked almost everything. I’m a fairly public person and am not paranoid about privacy. But this really annoyed me, because it appears that even if I designate some content to be shared only with a select group of friends, Facebook will still share it via apps with all of my friends.

…Which just goes to show: If you REALLY want or need to keep something private, don’t ever post it online. Anywhere. Because most of the time you can’t really control how it will get discovered or shared. Especially on Facebook.

George Kelly often calls Facebook a “walled garden of FAIL,” and I agree. Every developer I know complains about the shoddy design, coding, and security of Facebook. Just because it’s hugely popular doesn’t mean it doesn’t have big problems. I think it’s fine to use — just don’t rely on it or trust it too much.

Now, I’m not 100% certain that Facebook was inappropriately sharing my content via its API. Deepquest posted some technical background on this issue. I’m not a programmer, and I understand only a little bit about SQL. But he indicates the bad programming problem isn’t just about Facebook, but app developers:

“The major problem is that Facebook doesn’t control the apps and some code is really bad.”

For all I understand at this point, the Facebook API may indeed honor to your designations of friend groups when releasing your information via apps. I’d love for a developer to clarify this issue.

The problem as I see it is that the applications privacy settings page appears to indicate no awareness of friend group designations.

That sort of mixed message on privacy and sharing isn’t just annoying or confusing. It could actually put some people at risk. I don’t think it’s fair or reasonable to expect the millions of non-tech-savvy Facebook users to parse this issue out for themselves.

I don’t pretend to have the answers here, and some of what I’ve written may not be correct. I’d appreciation clarification of this issue in the comments below. Thanks.

If you liked my post, feel free to subscribe to my rss feeds

Post meta

This entry was written by Amy Gahran and posted on November 18, 2009 at 11:40 am and filed under development, privacy, problems, social media, usability. Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment(Latest is displayed first) or leave a trackback: Trackback URL.

Share with others

Post How Facebook Apps Can Compromise Your Privacy, & How to Fix (Maybe) to digg.

Post How Facebook Apps Can Compromise Your Privacy, & How to Fix (Maybe) to Reddit

5 Comments so far (Add 1 more)

I’m doing a report on Facebook privacy issues. After a lot of research and personal experience, I’ve found that most people have no idea that their information is being shared. Additionally, there is now “search indexing” where if you google someone’s name, you can find their Facebook profile. I googled my friend’s name and the name of someone I knew she had friended on Facebook, and I found her profile. Any random stalker who knows your name can find you on Facebook through Google. To stop search indexing, you have to go through a heck of a lot of confusing settings (that are supposedly meant to “help” you micromanage what you share but instead of “helping”, are just confusing people and causing Facebook’s defaults to stay and leak people’s information).

I was talking to my friend, and she showed me her privacy settings and her applications. She had hundreds of applications, and only used about 20 of them. Additionally, a lot of her applications had access to almost everything, as you mentioned. Most Facebook users don’t know that their information is being shared. However, there was a study done on Carnegie Mellon college students and they were educated about the settings. According to the study, “The percent decrease of users who provided their website address had the largest drop with a drop just under 12%. Additional emails being provided dropped by 8.33%, primary e-mails dropped 6.4%, and AIM screenname disclosure dropped by 2.44%. The amount of phone numbers and cell phone numbers remained
constant. The disclosures of current addresses increased by 8.33%.”
The full study can be found at http://lorrie.cranor.org/courses/fa05/tubzhlp.pdf
Obviously, education didn’t have much of an effect on how college students protected their information. But I wonder if people in their 30s and 40s might have a different reaction? Nobody has done a study on that yet. One woman went to Blockbuster, rented a couple movies, and then went home and checked her Facebook. Her status detailed the movies she bought, and she sued Facebook (news article can be found here http://www.myfoxdfw.com/dpp/news/consumer/
mesquite_woman_sues_facebook%2C_blockbuster).


1. Tabby on January 19th, 2010 at 10:16 pm
I’ve come to expect that privacy will in some way always be breached on social networking sites. Thankfully, I’m a highly public person and don’t post anything that I wouldn’t want the world to see. (Or so I think). I don’t really know that there’s any way around it except to be cautious and NEVER use apps you don’t trust, like pirate quizzes and ninja swordfights…

That said, I still love Facebook. It’s the only means I have for keeping in touch with friends and family.


2. Lauren Rabaino on November 18th, 2009 at 11:28 pm
Amy,

Don’t read too much into the post from Deepquest as that information is actually an error in that particular application not revealing a flaw in Facebook itself. Also, the article about the Zynga team is really more about how those applications have taken advantage of users to make money, not to steal information. Zynga routinely used marketing techniques on Facebook to grow their applications installed user base and then misleading marketing offers within games to drive up revenue. It has never been about stealing identities because they can’t.

That said, there are some legitimate privacy concerns on Facebook (and every other website for that matter). FB Applications do have some access to your information if your not installed, but it’s limited. It’s roughly the same information that you can get about a person if your not logged into Facebook and visit a person’s profile. To see this in action, logout and then go to your profile page.

Just my $0.02.

Erik


3. Erik Giberti on November 18th, 2009 at 1:53 pm
Facebook puts an enormous amount of trust in the goodness of the application developers — trust that they haven’t in any way earned. The CEO of the company that created the hugely popular Mafia Wars app recently bragged that he “did every horrible thing in the book… just to get revenues” http://consumerist.com/5400720/mafia-wars-ceo-brags-about-scamming-users-from-day-one

These dirtbags are why I don’t accept gifts, play games, or do anything but connect and communicate with my friends on Facebook. Every stupid little app you add gets access to your personal information unless you explicitly tell it not to, and Facebook completely fails to inform folks of how much privacy they’re giving up.

The biggest problem, though, is that Facebook has no way of policing the applications developers. For instance, the API terms of service say that you’re not supposed to store the personal information made available in the API — just use it temporarily and forget it. But how could Facebook ever enforce this rule? They’d have to periodically review the code of every app! (And that’s assuming the developer provided the correct code. Really, they’d need to do a full audit of the app developers’ systems.)

This is a disaster waiting to happen. Tomorrow, one nasty developer could create the next Scrabulous and steal the identities of millions of Facebook users. Hell, forget tomorrow, this scenario has likely already happened hundreds of times over — and the baddies are just waiting for the right moment to strike.


4. Brian Boyer on November 18th, 2009 at 12:20 pm
I was floored by that default setting as well, Amy. The idea that your info could get shared because someone you know uses an app is just creepy.


5. Bryan Murley on November 18th, 2009 at 11:49 am