Facebook Application Privacy Confusion Continues

Many technology journalists and privacy advocates have criticized aspects of Facebook’s new privacy controls and default settings. But I’ve noticed one aspect to the changes that I find disappointing, and thus far I’ve not seen it noted elsewhere.

You may recall that earlier this year, Facebook came under scrutiny by the Privacy Commissioner of Canada. Several concerns the Commissioner’s office raised related to Facebook applications. Readers of this blog were already quite familiar with privacy issues relating to applications, but the Canadian investigation brought them to the forefront, and Facebook responded by promising sweeping changes to their platform.

When the new privacy controls launched on my own Facebook profile, I took a look at the section for “Applications and Websites.” At first, my feelings were mixed. Facebook had finally made it clear that the checkboxes of various fields you could elect to share applied only to applications your friends used. (The previous setup was far more confusing and led to even major technology sites errantly reporting that the controls applied to applications you used as well.) But Facebook had also removed the option to exempt yourself from the Platform completely.

But then I clicked the button to “Learn More” about what I shared when using applications and web sites. I’ve long talked about the need to educate users, so perhaps this would finally clarify how much access applications have. Instead, I was stunned to read this statement:

When you visit a Facebook-enhanced application or website, it may access any information you have made visible to Everyone (Edit Profile Privacy) as well as your publicly available information. This includes your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages. The application will request your permission to access any additional information it needs.

Excuse me?

At first, I thought this was simply false. The way I read it, authorizing an application gave it access to your PAI and anything visible to “Everyone,” but if the application also wanted, say, your favorite movies, it would ask you first. While Facebook has vowed to eventually roll out such a setup, it has not yet appeared and was not promised to be fully in place until fall of next year.

But then I realized what the paragraph was actually communicating. An application has access to your PAI and anything visible to “Everyone” as soon as you stop by – no authorization necessary. (This may lead to a few surprises and scares in the near future.) That last bit about requesting your permission for any additional information refers to authorizing the application. In other words, if the application needs any more data, it will request authorization – which gives it access to all of your personal data.

Some may counter that the confusion here lies with me alone, and I ought not presume that users will make the same mistake. However, given that users have already been trained to authorize applications before using them at all (not to mention whether users even distinguish applications from the Facebook brand), I’m quite certain this new paragraph will continue to produce the sort of myths I’ve seen published about the old application privacy settings. In any event, Facebook has resorted to language that could at best be described as somewhat vague.

Please correct me if you think I’m wrong, but I find the last sentence of Facebook’s new explanation very misleading. It gives the impression that applications will politely ask users for more personal details if they become particularly necessary, when in fact most people who use a given application have already authorized it and thus already given it full access to personal profile information.

After all of the controversies, studies, confusions, misstatements, and problems that have come about this past year regarding privacy and Facebook applications, and especially in light of the previous pressure from Canada, I would have thought that Facebook would take this opportunity to add a more thorough and clear exposition of what applications can access and do with user information. Perhaps I’m being too hard on their new attempt. But if the past is any indication, I expect user misunderstandings over Facebook applications to persist.