Facebook is Not Secretly Installing Apps from Other Websites
Updated 4:55 p.m.
Earlier today, Apple news site Macworld published a story with the ominous headline, “Facebook’s new features secretly add apps to your profile”. That claim will naturally get attention, and other sites have started repeating the news.
There’s just one problem: The story appears to be incorrect.
I am not saying that Macworld’s writers are trying to mislead or that they intentionally reported incorrect statements. But I do think they misunderstood some Facebook behaviors in their zeal to protect user privacy.
The behavior described in the article has nothing to do with “new features” from Facebook and existed under the old Facebook Connect model. When you visit a website that integrates with Facebook using application APIs, that site may load content from Facebook, such as buttons to log in to the site with your Facebook account. Facebook then records a visit and lists the website’s application under the “Recently Used” section of your Application Settings page. Apart from the new instant personalization partners (Docs.com, Pandora, and Yelp), the external website does not automatically receive any of your Facebook information. Your visit will be included in the application’s active user count, but your name will not show up on the application’s information page. In fact, visiting that info page for any application has the same result – Facebook shows the app as recently used, but doesn’t transfer any data to the app.
The traditional sense of “adding” or “installing” a Facebook application is that you allow the app access to your profile by clicking through a standard prompt. For applications on Facebook, this is the familiar page asking to “Allow Access,” which did recently receive a makeover and some new features most of the time. For websites outside of Facebook, this happens when you click “Connect with Facebook” or “Login to Facebook” and then agree to the prompt that pops up. Once you’ve taken this extra step beyond just visiting, the site can then identify you and access certain information about you. Applications within Facebook can identify you and access certain public information automatically if you reach them via certain channels, such as by clicking on a friend’s news feed story. Again, all of these behaviors have been around for quite a while.
On the description page for an application, you’ll see a list of friends who have added the app. That list only includes friends of yours who have taken the extra step of “installing” the application as described above. If you only visit a Facebook-enhanced website or Facebook application but don’t agree to the extra prompt, you will never show up in that list or the general list of an application’s users.
Some people may be worried by the fact that Facebook can record visits to other websites that include Facebook content, and those concerns have credibility. But Facebook has had this ability for years. Any time a website includes “like” buttons, lists of fans, or other data loaded from Facebook, footprints are left behind. This is not much different from tracking that happens with third-party advertising networks – except that Facebook knows much more about your identity. If you want to avoid tracking entirely, log out of Facebook before visiting other websites.
Readers of this blog know that I have often criticized Facebook over privacy and security issues. But I find it very important to be accurate and avoid sensationalism in such criticisms. If reports include mistaken or overblown problems, users become more confused, appropriate criticisms can be discredited, and Facebook has a chance to gloss over other legitimate concerns. Unless I misunderstood what Macworld described, I think this is one case where fears over supposedly malware-like behavior are not justified. We need to leave this story behind and focus on real issues facing Facebook users.
Note: To clarify, what I describe here does not apply to the three instant personalization partner sites: Docs.com, Pandora, and Yelp. Those sites’ applications are “installed” as soon as you visit unless you opt out of the instant personalization program or block the apps individually.
Update: Macworld has added a response from Facebook, and the company says a bug temporarily caused external websites to show up in a user’s application list. Apparently my misunderstanding was that these sites’ applications don’t normally show up as “Recently Used,” but their appearance did not indicate any difference in functionality and the technical details I gave describing how such applications work remain unchanged. In other words, seeing these sites under “Recently Used” was consistent with their normal behavior. Facebook confirmed that no data was shared with the applications and that users’ visits were never visible to anyone else.