Posted by theharmonyguy in Facebook | 6 comments
Privacy Policies on the Top 25 Facebook Applications
Today, I performed a little experiment. I went through the current top 25 Facebook applications, based on monthly active users and excluding applications by Facebook, and checked to see if they linked to a privacy policy. I noted not only whether a privacy policy existed, but where one could find it.
Each of the applications currently have at least 5.5 million monthly active users, and 12 of them are Facebook Verified Applications. Keep in mind that every application is entrusted with the same access to user data on authorization, regardless of the application’s purpose.
With each application, I checked for any links on the Info page, then checked to see if any of these pages linked to a privacy policy. I then looked for application terms of service on the installation page, and checked to see if the TOS linked to a privacy policy. (Throughout this experiment, I made a distinction between “terms of service” and a specifically designated “privacy policy.” I also considered plaintext URIs to be links, even if they were not hyperlinked.) Finally, I looked for help or supports links within the application that then linked to a privacy policy.
Following this method, I was unable to find any link to a privacy policy in nearly a third of the applications. Of these, one was a Facebook Verified Application (more on that in a bit). Also, one application only posted to a user’s wall and never requested authorization to access user data.
Two applications linked to a privacy policy only after installation, one on the first page after installation, and one via a second linked support page. Seven applications linked to pages on their Info page that then included links to a privacy policy. In five of these cases, the page containing a privacy link was the About link, a rather subtle one that points to the developer’s web site, which at times applies to more than one application. Three of the seven included links to application TOS on the install page which did not include privacy policies.
Eight applications not only had a privacy link via one of the Info page links (five being the About link), but included a link to a privacy policy in the application TOS from the install page.
Only one application linked to its privacy policy directly from the Info page of the application: CourseFeed. Major props to its developers for making that decision. A close second in terms of disclosure was Zoosk, whose privacy policy is included in the application terms of service, which are linked to from the installation page. Also, Zoosk’s Info page links to a support page, which then links to a privacy policy.
All of these findings are summarized in the chart below.
Chart of findings on the top 25 Facebook application privacy policies.
A few other specific applications stood out in various ways. While Birthday Cards linked to the RockYou homepage, which includes a privacy policy link, the homepage was taken over by an advertisement in Firefox, and I saw no way to close the ad and get back to the actual page. Also, Slide’s FunSpace presented a rather strange dynamic. The application seemed to behave as if it were a Facebook Connect page, only prompting for authorization in a pop-up dialog when I tried to create a post. In fact, since I had used the application previously, it included such details as my name and friend list before I even authorized it. I’m not sure exactly what was happening behind the scenes in that instance.
Finally, one application deserves mention for its rather pitiful performance: RockYou Live, formerly Super Wall. This is a Facebook Verified Application, yet I could not find any link to a privacy policy within the application or via its links to other pages. In fact, the About link on the Info page points to a section of the application, which requires user installation. Finally, it provided no link to application terms of service on the install page.
Once again, keep in mind that a user grants the same level of trust to each of these application on installation. Yet 36% either have no published privacy policy or only offer links to a privacy policy after a user has authorized the application. I’ve seen people get upset over the lack of a privacy policy on web sites that have access to far less personal information than a Facebook application. If this sample of the most popular applications is any indication, however, people have another reason to be upset about the current state of privacy on the Facebook Platform.
Keep Reading »Posted by theharmonyguy in Facebook, General, OpenSocial | No comments
Application Data Retention (Updated)
As many who follow news on privacy and technology know, Canada’s Privacy Commissioner Jennifer Stoddart recently issued a report criticizing Facebook for various problems with privacy on the site. The report addressed several aspects of privacy on Facebook, including data access by third-party applications.
One item in the report, though, concerned data retention by Facebook. As TechCrunch describes:
The organization and Commissioner’s main concern is that Facebook provides confusing or incomplete information about its privacy practices, like not giving users to opportunity to complete wipe out their accounts instead of merely deactivating them. Stoddart also criticizes Facebook’s policy of indefinitely keeping the personal information of people who have done just that.
Commissioner Stoddart is not the first to raise this issue, as it’s been a subject of debate for some time. However, I have not heard many people discuss a related aspect: data retention by third-party applications.
Unfortunately, with the way the Facebook Platform is currently structured, applications receive no notification when a user removes an application’s access to their data or shuts down their Facebook account. Consequently, an application developer has no way to determine when a user has “uninstalled” the application, and thus for most applications, data retention lasts forever. You can see this in action by removing an application then later authorizing it again: all of your data generated within the application will likely remain. For some applications, this data continues to be accessible to other users even if you’ve uninstalled the application.
And this is not simply a Facebook problem. From what I understand so far, the same issue applies to OpenSocial platforms, such as MySpace.
Granted, there’s not simple solution to this problem, but as concerns grow over the amount of data shared on social networking sites, third-party data retention policies will have to enter the discussion at some point. One can argue that each application developer is responsible for their own policies, but most applications probably have no policy, and lack of notification on uninstall makes any policy difficult to implement.
Update (8/26): Upon further research, I discovered that I was quite incorrect with this blog post; my apologies to Facebook for making an erroneous statement about the Facebook Platform. Facebook does, in fact, allow developers to set a post-remove URL which is notified when a user removes an application. Apparently my experience has mostly been with applications which do not take advantage of this feature, meaning the issue primarily lies with application developers, not Facebook. I do wonder how many applications actually remove data upon uninstallation.
Keep Reading »Posted by theharmonyguy in Facebook, General | No comments
Matching User Expectations
About two months ago, I mentioned that one Facebook application had a hole which allowed me to view the photo albums of any Facebook user whose privacy settings allowed it. I imagine that many users do not realize that access for “Everybody” is the default setting when creating a new album, so while the issue did not technically violate anyone’s privacy, it would probably come as a surprise to many people.
Turns out developers had already built applications whose sole purpose was accessing public photo albums. Since these albums were set to public access, the applications simply made API calls consistent with the album’s privacy settings. CNET News now reports that Facebook has taken action to prevent such access via the API. Since the albums are still public, you could still access them if you had the direct URI, but the difficulty of finding the URI gives users the illusion of control without requiring them to understand the ramifications of the default setting.
The key to this whole story can be found in this statement from the CNET article:
A Facebook spokesperson said the company made the change so the technology more closely matched users’ privacy expectations.
Some people seem to think that Facebook should be more public and open – that users should get over any illusions of keeping information private on the Internet and embrace free exchange of ideas without annoying filters and controls. People endorsing this perspective may wonder why I spend so much time talking about privacy on Facebook. For instance, some may view highly targeted advertising as a benefit, since it can provide users with relevant ads that link them to services they would want.
I recall a blogger (I can’t remember where I read this; if anyone has a link, please let me know so I can give credit where it’s due) once remarking that if a site uses someone’s personal information in an unexpected way, that’s an invasion of privacy, but if something useful happens in an expected way, it’s a feature. Privacy comes back to user expectations.
And that’s one of the major problems I see with privacy on Facebook right now. I don’t consider myself a “privacy fundamentalist.” I simply believe users should have control over their information and be aware of how it’s used. If Facebook users want public profiles or highly targeted advertising, so be it. But make sure those users are aware of what’s going on – sell them on the benefits while being realistic about the risks.
If social networking sites want to strike a good balance on privacy, they need to match user expectations. Adding new features may require changing those expectations (the News Feed comes to mind), and that can happen through education, other helpful features, and time. But iwhen the state of privacy on a site races ahead of what users expect to happen, that’s a problem waiting to happen.
And that’s the way I see Facebook right now. Vulnerabilities in applications leave personal information at risk. Application advertising networks process vast quantities of personal information to target ads (yes, Facebook does too, but their relationship to the user is quite different). Rogue applications can steal personal information. All the while, Facebook trumpets their extensive privacy controls, and I continue to get shocked reactions when I explain or demonstrate to people what’s actually happening with their personal information.
And that’s why I keep talking about privacy in social networking applications.
Keep Reading »Posted by theharmonyguy in Facebook | No comments
The Limits of Application Privacy Limits
One issue I have not discussed much previously is how much of your data an application can access via a friend’s session. I and others have had to sort through some confusion on this topic, and I appreciate recent work by Ian Glazer to clear things up. As you can see from my comments on Glazer’s second post about his Privacy Mirror, I did not fully understand how things worked until Glazer posted his more detailed explanation of his findings:
It shouldn’t take a few hundred lines of PHP, three debuggers, and an engineering degree to figure out how privacy controls work. This lack of clarity robs Facebook users of the opportunity to make meaningful and informed choices about their privacy.
What Glazer found is that when a user restricts how much profile data is available to applications through friend’s sessions, those restrictions only apply if the user does not also authorize the application. Once you install an application, all of your data is available in any friend’s session (subject to profile restrictions).
In Facebook’s defense, they do technically say this on the application privacy settings page, though I think it could be made more clear. I certainly didn’t comprehend all the ramifications at first:
When a friend of yours allows an application to access their information, that application may also access any information about you that your friend can already see….
You can use the controls on this page to limit what types of information your friends can see about you through applications. Please note that this is only for applications you do not use yourself…
One could easily argue that this is a case of incompetence on my part for not making sense of what Facebook said, but I know that other security researchers have also missed some of these caveats or didn’t put them all together.
As Glazer points out, Facebook provides an easy way to tell how much information a friend can access via your profile, but provides no simple way for letting you know how much data applications can access. Apparently, though, the answer is rather simple, since besides a few special cases, an application still basically has full access.
Keep Reading »Posted by theharmonyguy in Facebook, General | No comments
Introducing Articles
I’ve added a section to this site entitled Articles. This area will include generally static pages aimed at introducing and explaining various concepts in more detail. The first series of articles will be on understanding the relationship between your Facebook profile information and Facebook applications. This series is designed to be less technical than most of my posts, and includes many figures to illustrate the concepts discussed. You can now access the first article here:
Understanding Facebook Application Privacy, Part 1
Keep Reading »Content License
All content by theharmonyguy on this site, including text and images, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.