blunt essays with sharp points
Jan 8, 2009 6:54 PM
I was just asked about the privacy risks of what are called Facebook applications. It is well worth looking at, and I had given it only superficial attention.
I will begin with what a Facebook application is. Then I will present the personal data that is at stake. I will share my beliefs about how far you can trust a Facebook application with this data. Finally, I will suggest Facebook settings that I think are safe.
What is a Facebook application?
A Facebook application is an add-on to Facebook. Facebook offers a few of its own, such as Marketplace. The rest are contributed by web programmers all over the world. Whenever you get the message:
Allowing (application name) access will let it pull your profile information, photos, your friends' info, and other content that it requires to work.
Allow or cancel
That is a Facebook application wanting your personal data.
What information can a Facebook application get from Facebook?
Almost everything you were willing to tell Facebook.
According to Facebook, when you “Allow” an application, the application sees the same personal data that your friends do, except contact data (your address, phone, e-mail, IM, or website). It does not see unshared data such as your password.
When a friend of yours “Allows” a Facebook application, the application sees limited data about you, too. This limited data can be extensive or it can be nothing at all, depending on your preference.
How far can you trust a Facebook application?
You might as well trust Facebook’s own applications, since you were willing to give the information to Facebook. But what about contributed applications? BBC looked into this in 2008. A BBC web programmer created an innocent-looking Facebook application which secretly skimmed personal data from any user who allowed it, plus their friends. (This is called a Trojan horse attack.) It was three hours of effort. I looked into Facebook programming, and saw for myself how easy it would be.
But BBC knows of no badly behaving Facebook applications (other than theirs). They say Facebook has a team that monitors the site for bad applications. If it is so easy to do, why isn’t Facebook overrun with bad applications? One possibility is that Facebook’s team is doing its job: when a bad application is released into the wild, it is detected and removed. A more grim possibility is that there are bad applications in the wild, but they have avoided detection. BBC did not release their bad application into the wild, so we don’t know if it was detectable.
I think you can trust contributed applications to keep your personal data private only if you think Facebook is policing them perfectly, and I don’t think that’s been proven.
So what do I do about Facebook applications?
I treat anything I post to Facebook (other than my password and contact information) as if it might be available for anyone in the world to see. If I would be uncomfortable with that, I don’t post it.
However, that does not work for your birthdate. Facebook requires you to supply it, and it is potentially useful for identity theft. Nevertheless, it is part of the personal data that applications can see.
For that reason, when an application asks to be allowed, I check it out first. And until I feel pretty sure that it is not more than what it seems to be, I don’t allow it. Also, I have denied my “Basic Info” to applications allowed by friends, because that protects my birthdate from applications which I have not checked out personally.
Another way to secure your birthdate is to supply the wrong date. The Facebook terms of service only require you to say truthfully whether you are 13+ or 18+. As long as the date you supply does not misrepresent your age category, you are not violating the terms of service. You could save your friends some confusion by supplying the true month and day, and changing only the year.
You control which applications you allow to access your personal data on these pages:
You control what personal data your friends’ applications can access on this page:
Facebook keeps a list of all applications on this page:
Facebook documents the personal data available to applications on this page:
Here is the BBC article.
Please comment if you have anything to add or correct in this article. I would like it to be as accurate and useful for Facebook users as possible.