Jul. 28, 2009

Posted in Facebook | 3 comments

Privacy Policies on the Top 25 Facebook Applications

Today, I performed a little experiment.  I went through the current top 25 Facebook applications, based on monthly active users and excluding applications by Facebook, and checked to see if they linked to a privacy policy.  I noted not only whether a privacy policy existed, but where one could find it.

Each of the applications currently has at least 5.5 million monthly active users, and 12 of them are Facebook Verified Applications.  Keep in mind that every application is entrusted with the same access to user data on authorization, regardless of the application’s purpose.

With each application, I checked for any links on the Info page, then checked to see if any of these pages linked to a privacy policy.  I then looked for application terms of service on the installation page, and checked to see if the TOS linked to a privacy policy.  (Throughout this experiment, I made a distinction between “terms of service” and a specifically designated “privacy policy.”  I also considered plaintext URIs to be links, even if they were not hyperlinked.)  Finally, I looked for help or support links within the application that then linked to a privacy policy.

Following this method, I was unable to find any link to a privacy policy in nearly a third of the applications.  Of these, one was a Facebook Verified Application (more on that in a bit).  Also, one application only posted to a user’s wall and never requested authorization to access user data.

Two applications linked to a privacy policy only after installation, one on the first page after installation, and one via a second linked support page.  Seven applications linked to pages on their Info page that then included links to a privacy policy.  In five of these cases, the page containing a privacy link was the About link, a rather subtle one that points to the developer’s web site, which at times applies to more than one application.  Three of the seven included links to application TOS on the install page which did not include privacy policies.

Eight applications not only had a privacy link via one of the Info page links (five being the About link), but included a link to a privacy policy in the application TOS from the install page.

Only one application linked to its privacy policy directly from the Info page of the application: CourseFeed.  Major props to its developers for making that decision.  A close second in terms of disclosure was Zoosk, whose privacy policy is included in the application terms of service, which are linked to from the installation page.  Also, Zoosk’s Info page links to a support page, which then links to a privacy policy.

All of these findings are summarized in the chart below.

Chart of findings on the top 25 Facebook application privacy policies.

A few other specific applications stood out in various ways.  While Birthday Cards linked to the RockYou homepage, which includes a privacy policy link, the homepage was taken over by an advertisement in Firefox, and I saw no way to close the ad and get back to the actual page.  Also, Slide’s FunSpace presented a rather strange dynamic.  The application seemed to behave as if it were a Facebook Connect page, only prompting for authorization in a pop-up dialog when I tried to create a post.  In fact, since I had used the application previously, it included such details as my name and friend list before I even authorized it.  I’m not sure exactly what was happening behind the scenes in that instance.

Finally, one application deserves mention for its rather pitiful performance: RockYou Live, formerly Super Wall.  This is a Facebook Verified Application, yet I could not find any link to a privacy policy within the application or via its links to other pages.  In fact, the About link on the Info page points to a section of the application, which requires user installation.  Finally, it provided no link to application terms of service on the install page.

Once again, keep in mind that a user grants the same level of trust to each of these applications on installation.  Yet 36% either have no published privacy policy or only offer links to a privacy policy after a user has authorized the application.  I’ve seen people get upset over the lack of a privacy policy on web sites that have access to far less personal information than a Facebook application.  If this sample of the most popular applications is any indication, however, people have another reason to be upset about the current state of privacy on the Facebook Platform.

  1. Kudos on some excellent work here and on earlier posts. Good stuff!

  2. interesting… of course — even if a site has a privacy policy that does not mean that it is enforced

  3. The reason they’re having so much difficulty proving that Facebook isn’t just a toy for college students is because that’s exactly what it is. You can put lipstick on a pig, it’s still a pig.
