May. 6, 2010

Posted by in Facebook | 58 comments

Facebook is Not Secretly Installing Apps from Other Websites

Updated 4:55 p.m.

Earlier today, Apple news site Macworld published a story with the ominous headline, “Facebook’s new features secretly add apps to your profile“. That claim will naturally get attention, and other sites have started the news.

There’s just one problem: The story appears to be incorrect.

I am not saying that Macworld’s writers are trying to mislead or that they intentionally reported incorrect statements. But I do think they did misunderstood some Facebook behaviors in their zeal to protect user privacy.

The behavior described in the article has nothing to do with “new features” from Facebook and existed under the old Facebook Connect model. When you visit a website that integrates with Facebook using application APIs, that site may load content from Facebook, such as buttons to login to the site with your Facebook account. Facebook then records a visit and lists the website’s application under the “Recently Used” section of your Application Settings page. Apart from the new instant personalization partners (Docs.com, Pandora, and Yelp), the external website does not automatically receive any of your Facebook information. Your visit will be included in the application’s active user count, but your name will not show up on the application’s information page. In fact, visiting that info page for any application has the same result – Facebook shows the app as recently used, but doesn’t transfer any data to the app.

The traditional sense of “adding” or “installing” a Facebook application is that you allow the app access to your profile by clicking through a standard prompt. For applications on Facebook, this is the familiar page asking to “Allow Access,” which did recently receive a makeover and some new features most of the time. For websites outside of Facebook, this happens when you click “Connect with Facebook” or “Login to Facebook” and then agree to the prompt that pops up. Once you’ve taken this extra step beyond just visiting, the site can then identify you and access certain information about you. Applications within Facebook can identify you and access certain public information automatically if you reach them via certain channels, such as by clicking on a friend’s news feed story. Again, all of these behaviors have been around for quite a while.

On the description page for an application, you’ll see a list of friends who have added the app. That list only includes friends of yours who have taken the extra step of “installing” the application as described above. If you only visit a Facebook-enhanced website or Facebook application but don’t agree to the extra prompt, you will never show up in that list or the general list of an application’s users.

Some people may be worried by the fact that Facebook can record visits to other websites that include Facebook content, and those concerns have credibility. But Facebook has this ability for years. Any time a website includes “like” buttons, lists of fans, or other data loaded from Facebook, footprints are left behind. This is not much different from tracking that happens with third-party advertising networks – except that Facebook knows much more about your identity. If you want to avoid tracking entirely, log out of Facebook before visiting other websites.

Readers of this blog know that I have often criticized Facebook over privacy and security issues. But I find it very important to be accurate and avoid sensationalism in such criticisms. If reports include mistaken or overblown problems, users become more confused, appropriate criticisms can be discredited, and Facebook has a chance to gloss over other legitimate concerns. Unless I misunderstood what Macworld described, I think this is one case where fears over supposedly malware-like behavior are not justified. We need to leave this story behind and focus on real issues facing Facebook users.

Note: To clarify, what I describe here does not apply to the three instant personalization partner sites: Docs.com, Pandora, and Yelp. Those sites’ applications are “installed” as soon as you visit unless you opt-out from the instant personalization program or block the apps individually.

Update: Macworld has added a response from Facebook, and the company says a bug temporarily caused external websites to show up in a user’s application list. Apparently my misunderstanding was that these sites’ applications don’t normally show up as “Recently Used,” but their appearance did not indicate any difference in functionality and the technical details I gave describing how such applications work remain unchanged. In other words, seeing these sites under “Recently Used” was consistent with their normal behavior. Facebook confirmed that no data was shared with the applications and that users’ visits were never visible to anyone else.

  1. While still logged into my FB account sometime over the last day or two, I closed that window, and went on to browse both Gawker and Fleshbot (let’s leave criticism of my browsing habits for another time). I’ve been doing this for quite some time.

    When I read the Macworld article tonight, I went into my FB account, under application settings, and both Gawker and Fleshbot were listed as recently installed. They weren’t there last weekend, when I last visited the applications page on FB.

    I was horrified, to say the least. I’d not clicked on a damn thing anywhere on either Gawker or Fleshbot, or visited their pages on FB, or clicked “Like” anywhere…all I’d done was to visit those sites while still logged into my FB account.

    Sensationalism?

  2. @Agnes: Yes, sensationalism. I can see why you’d be surprised and upset by what you saw, but I also think a technology news site with many readers should investigate the issue a bit more before reporting on it.

    I would think that anyone experienced in development or security with Facebook applications would understand the nature of the “Recently Used” list and immediately recognize what was going on. Despite the bug, there was never actually reason to think applications were being “added” to people’s profiles. If you visit the description page of a Facebook application, it will also appear as “Recently Used,” even if you never click through to the application.

    But rather than taking the opportunity to tell users “don’t panic, here’s how apps work and it doesn’t look like these sites are getting data, but we’re double-checking Facebook to make sure,” Macworld published a story based on speculation and misunderstanding that led with a stretched comparison to malware and a scary headline that simply wasn’t true.

    The issue of footprints you leave while surfing sites that pull content from Facebook is an entirely separate one that may bother many users and may be worthy of further investigation and reporting. But for a major tech news outlet to go from those footprints to “Facebook is secretly adding apps” or “Facebook is installing malware” (which is how the EFF understood Macworld’s piece) without a technical basis for such claims is, in my mind, both wrong and sensationalist.

  3. someone hack my Facebook profile so i cant log into Facebook please help me to do something

  4. There is something not directly related to this post but perhaps more perverse. A few weeks ago I visited the Huffington Post and in the right column was a large add for a cell phone, Nokia I think. The image of he cellphone screen showed my facebook profile complete with the most current friends posts. I was not logged into Facebook at the time. I have not seen this particular behavior, by facebook friends posts showing up on any advertising since that one time. However I do regularly see information on which of my Facebook friends have recently joined FaceBook, even though I remain not logged to HuffPo.

    I suppose I may have “connected” HuffPo to FB at one time but why does that persist when HuffPo claims I am not logged in? Facebook is making my friends list available to a website that I have not logged in to and is also sharing with me about those friends actions on HuffPo (that they joined). Now this may be more HuffPo’s fault than FB’s but it remains distressing!

  5. Hey there again, i’d been on your website before and left a comment about Commission Crusher. If you had not taken a look yet I suggest you do. It’s a amazing resource for site owners like yourself to acquire loads of new visitors http://bit.ly/mDl0yS

Trackbacks/Pingbacks

  1. Bits & Pieces » Facebook is Not Secretly Installing Apps from Other Websites - [...] Facebook is Not Secretly Installing Apps from Other Websites | Social Hacking. Share this ...
  2. Tweets that mention Please RT New Post: Facebook is Not Secretly Installing Apps from Other Websites -- Topsy.com - [...] This post was mentioned on Twitter by Chris Boyd, Ben Jackson, Social Hacking, Social Hacking, Laurie Jackson and others. ...
  3. Facebook Serves Up Unwanted Apps ~ Chris Pirillo - [...] one more slap in the face for Facebook. However, the site appears to remain unconcerned. With the government already ...
  4. Analysis: Some Facebook Privacy Issues Are Real, Some Are Not - [...] it said. The bug was so minor that it can not really be considered a privacy or security issue. ...

Leave a Reply