The Limits of Application Privacy Limits
One issue I have not discussed much previously is how much of your data an application can access via a friend’s session. I and others have had to sort through some confusion on this topic, and I appreciate recent work by Ian Glazer to clear things up. As you can see from my comments on Glazer’s second post about his Privacy Mirror, I did not fully understand how things worked until Glazer posted his more detailed explanation of his findings:
It shouldn’t take a few hundred lines of PHP, three debuggers, and an engineering degree to figure out how privacy controls work. This lack of clarity robs Facebook users of the opportunity to make meaningful and informed choices about their privacy.
What Glazer found is that when a user restricts how much profile data is available to applications through friend’s sessions, those restrictions only apply if the user does not also authorize the application. Once you install an application, all of your data is available in any friend’s session (subject to profile restrictions).
In Facebook’s defense, they do technically say this on the application privacy settings page, though I think it could be made more clear. I certainly didn’t comprehend all the ramifications at first:
When a friend of yours allows an application to access their information, that application may also access any information about you that your friend can already see….
You can use the controls on this page to limit what types of information your friends can see about you through applications. Please note that this is only for applications you do not use yourself…
One could easily argue that this is a case of incompetence on my part for not making sense of what Facebook said, but I know that other security researchers have also missed some of these caveats or didn’t put them all together.
As Glazer points out, Facebook provides an easy way to tell how much information a friend can access via your profile, but provides no simple way for letting you know how much data applications can access. Apparently, though, the answer is rather simple, since besides a few special cases, an application still basically has full access.