Facebook Sharing Too Much Personal Data With Application Developers 165
An anonymous reader writes "Remember the Facebook News Feed privacy uproar? What about the Beacon scandal from late last year? Privacy activists are rallying around yet another major issue at Facebook, in which the company is secretly sharing user data with third parties. Researchers from the University of Virginia recently announced that in a study of the top 150 Facebook applications, more than 90% were given access to information that was not needed to function correctly. That Scrabble or Superpoke application you really like? Its developers get access to your religion, sexuality and home town. Facebook's position was summed up by Georgetown Law Professor Dan Solove, 'They seem to be going on the assumption that if someone uses Facebook, they really have no privacy concerns.' Do Facebook users deserve privacy? "
Net (Score:5, Insightful)
Deserve Privacy? (Score:2, Insightful)
At this point, I'd say no.
Personally, given their abysmal track record so far, I'd say that anyone using them at this point should assume they have no privacy at all. To some extent facebook is guilty of false advertising, by seeming to allow you to restrict other users from seeing some of your information. But why anyone who put anything on Facebook would expect any privacy at all, is a mystery to me.
Information sharing is optional (Score:2, Insightful)
When you add an application, it asks you quite clearly:
[ ] Know who I am and access my information.
It's the first checkbox.
Or, even better: you don't need to use applications! Hell, you don't even need to use Facebook! There are services like Hushmail for people who want privacy in their communications.
Automaticly install applications? (Score:4, Insightful)
Re:Net (Score:5, Insightful)
Deserve or expect privacy? (Score:5, Insightful)
So why is this news again...? (Score:5, Insightful)
Did anyone ever really have the assumption that that information was needed to make the app function, and not just a way of tricking users into giving up demographic info to third parties?
Personally I'm not sure Facebook is in the wrong on this one. It's up in big letters that you're giving whatever application it is access to your personal info--and all those things are OPTIONAL to place in your profile. I don't know that it should their fault that users don't think it through and then become surprised/outraged when they find out what it really means.
Translated Quote... (Score:2, Insightful)
uses Facebook, they really have no privacy concerns.'
"They seem to assume that people who post their name, address, sexual orientation and gender on giant roadside billboards don't care if strangers know their name, address, sexual orientation and gender! It's like they think that people who go out into the crowded streets don't care who knows what shirt they're wearing!"
It's an API (Score:5, Insightful)
Seriously, what is confusing here? You have to agree when you add an application that it will be able to access your profile data. When you say 'yes, allow this', why would you be surprised that the application is then allowed to do what you just allowed?
http://developers.facebook.com/documentation.php?doc=fql [facebook.com]
Comment removed (Score:4, Insightful)
What world will you live in? (Score:1, Insightful)
I do everything online. This includes transmitting legal documents, banking and having meetings. When I have a meeting at a local restaurant, I don't expect them to bug my booth and listen in. Sure, having a conversation there isn't giving them "personally identifiable" information but aggregated, the information can identify me, my clients and my work.
When I use my bank, I don't want them to transmit my transactions save my name to a 3rd party. Why? Pretty soon someone can piece together my actions (always buying a beer at this location on friday night between 8:35-9:05pm) and me.
What I think we need is a blanket privacy statement and recompense if broken.
Every action I'm engaging in is now somehow online. My banking, entertainment purchases, my religious organizations. I only expect more and more of what I do to be online. It's the way of the future, databases and all that. You can say "just don't use it" but the reality is every action has become easier because someone created a database and now those databases are online.
If You Want It Private Keep It Private (Score:3, Insightful)
> no privacy concerns.
Sounds like a reasonable assumption to me.
> Do Facebook users deserve privacy?
Sure. And they can have it. All they need to do is keep the stuff that they want to remain private off Facebook.
Re:It's an API (Score:4, Insightful)
But that's not to say this is the only way to do it. It would be possible, for instance, to have the API set such that the application initially makes a request for which database fields it will need to use. Then the application is only allowed to use those fields; all others are invisible. When a user installs an app, it clearly shows which fields the app will be using. This would allow users to make informed choices about which apps to install. If "SuperPoke" says it will access your friends list, that's fine. If it says it will access your address and phone number, that's suspicious.
My point is that Facebook decided to implement a binary security model: either you don't install the app, or you give it access to everything. This doesn't seem like the best model. As a general security rule, an application should be given access to the absolute minimum breadth of resources/data needed to do its job properly.
This is why I don't install Facebook apps: there is no mechanism for controlling the security or even establishing a chain of trust for the application developer.
Re:Deserve Privacy? (Score:3, Insightful)
Perhaps they shouldn't expect it, but that's different.
Re:Net (Score:3, Insightful)
Your advice is wildly overreaching. It's like telling MADD, "if you don't want to get killed by drunk drivers, don't leave your house."
Re:Net (Score:4, Insightful)
I agree with you that information posted to social networks can't be considered private, but that's because they are broken, and their users have the right to complain about it.
"Secretly"? (Score:3, Insightful)
I saw this the first time I went to add a Facebook app, and thought "hey, I don't want that, so I'm not going to add it."
Facebook is an advertising platform just like everyone else, so either I'm missing something (which, I'll admit is entirely possible--I recognize that I make mistakes all the time), or is there really a story here?
BTW, just read the terms of service for each application--if it doesn't say what they will do with your data, don't add the app. Then it isn't a whole lot different than putting the same data into any other web application. Also, being aware that this can happen, don't put data on your facebook profile you don't want the rest of the world seeing. It's not rocket science-just common sense.
Facebook Developer (Score:4, Insightful)
Here's the info I can see for any user that adds my app and clicks the box:
uid*, first_name, last_name, name*, pic_small, pic_big, pic_square, pic, affiliations, profile_update_time, timezone, religion, birthday, sex, hometown_location, meeting_sex, meeting_for, relationship_status, significant_other_id, political, current_location, activities, interests, is_app_user, music, tv, movies, books, quotes, about_me, hs_info, education_history, work_history, notes_count, wall_count, status, has_added_app
(More info on the already-linked http://developers.facebook.com/documentation.php?doc=fql [facebook.com] )
To me this seems like way, way too much. I haven't told our marketing people we can get all this.
Stupid Question (Score:2, Insightful)
Why is the application not treated as-if it were another user? From what I understand, there is a reasonable granularity of privacy settings for users. Let each app be a unique user, and you automatically get these benefits.
Or are the apps client-based, so that my Facebook on machine X can use apps and on machine Y it cannot, because of how it was set up? In this case, I suppose that I understand (since an app running as "me" only restricts "my" privacy as a favor, and cannot be compelled or punished, except by deletion).
Re:Net (Score:3, Insightful)
I think anyone, including users of Facebook, deserve as much privacy as they've set their accounts up for - no more, no less.
Re:Net (Score:3, Insightful)
If you gave the social networking site as much money as you do your bank, maybe you could.
Re:Net (Score:5, Insightful)
Well that's what I thought. But it appears that's actually not the case. If you RTFA and click through, you find a page that explicitly says that friends applications can view my data. Which presumably they can then do more or less anything with, seeing as how keeping that data is only "enforced" by the terms of service. The defaults are set such that my friends apps, any by implication anybody who can code, can view everything except my sexual preferences, basically.
That's pretty surprising, and I'm glad Ms Felt has called this out. It means that anybody who writes a moderately successful app can build a giant database of things that I never intended to be in any database other than Facebooks. Part of the reason Facebook has been successful is that it does actually have privacy controls, and people feel they can share their data with only their friends (and facebook inc, of course, but that's only one company). The fact that it's not true is a pretty gaping oversight.
What I find especially funny is the big bold sign at the top saying "Facebook does not sell your personal data". No, they give it away for free instead. Great.