Scrupuli

blunt essays with sharp points

Privacy Risks of Facebook Applications

by Scrvpvlvs
Jan 8, 2009 6:54 PM

I was just asked about the privacy risks of what are called Facebook applications. It is well worth looking at, and I had given it only superficial attention.

I will begin with what a Facebook application is. Then I will present the personal data that is at stake. I will share my beliefs about how far you can trust a Facebook application with this data. Finally, I will suggest Facebook settings that I think are safe.

  1. What is a Facebook application?

    A Facebook application is an add-on to Facebook. Facebook offers a few of its own, such as Marketplace. The rest are contributed by web programmers all over the world. Whenever you get the message:

    Allow Access?
    Allowing (application name) access will let it pull your profile information, photos, your friends' info, and other content that it requires to work.
    Allow or cancel

    That is a Facebook application wanting your personal data.

  2. What information can a Facebook application get from Facebook?

    Almost everything you were willing to tell Facebook.

    According to Facebook, when you “Allow” an application, the application sees the same personal data that your friends do, except contact data (your address, phone, e-mail, IM, or website). It does not see unshared data such as your password.

    When a friend of yours “Allows” a Facebook application, the application sees limited data about you, too. This limited data can be extensive or it can be nothing at all, depending on your preference.

  3. How far can you trust a Facebook application?

    You might as well trust Facebook’s own applications, since you were willing to give the information to Facebook. But what about contributed applications? BBC looked into this in 2008. A BBC web programmer created an innocent-looking Facebook application which secretly skimmed personal data from any user who allowed it, plus their friends. (This is called a Trojan horse attack.) It took three hours of effort. I looked into Facebook programming, and saw for myself how easy it would be.

    But BBC knows of no badly behaving Facebook applications (other than theirs). They say Facebook has a team that monitors the site for bad applications. If it is so easy to do, why isn’t Facebook overrun with bad applications? One possibility is that Facebook’s team is doing its job: when a bad application is released into the wild, it is detected and removed. A more grim possibility is that there are bad applications in the wild, but they have avoided detection. BBC did not release their bad application into the wild, so we don’t know if it was detectable.

    I think you can trust contributed applications to keep your personal data private only if you think Facebook is policing them perfectly, and I don’t think that’s been proven.

  4. So what do I do about Facebook applications?

    I treat anything I post to Facebook (other than my password and contact information) as if it might be available for anyone in the world to see. If I would be uncomfortable with that, I don’t post it.

    However, that does not work for your birthdate. Facebook requires you to supply it, and it is potentially useful for identity theft. Nevertheless, it is part of the personal data that applications can see.

    For that reason, when an application asks to be allowed, I check it out first. And until I feel pretty sure that it is not more than what it seems to be, I don’t allow it. Also, I have denied my “Basic Info” to applications allowed by friends, because that protects my birthdate from applications which I have not checked out personally.

    Another way to secure your birthdate is to supply the wrong date. The Facebook terms of service only require you to say truthfully whether you are 13+ or 18+. As long as the date you supply does not misrepresent your age category, you are not violating the terms of service. You could save your friends some confusion by supplying the true month and day, and changing only the year.

You control which applications you allow to access your personal data on these pages:

http://www.facebook.com/editapps.php?v=allowed
http://www.facebook.com/editapps.php?v=additional

You control what personal data your friends’ applications can access on this page:

http://www.facebook.com/privacy/?view=platform&tab=other

Facebook keeps a list of all applications on this page:

http://www.facebook.com/apps/

Facebook documents the personal data available to applications on this page:

http://wiki.developers.facebook.com/index.php/FQL_Tables

Here is the BBC article:

http://news.bbc.co.uk/2/hi/programmes/click_online/7375772.stm

Please comment if you have anything to add or correct in this article. I would like it to be as accurate and useful for Facebook users as possible.
