Until today, when I started work on my first Facebook app, I’ve considered my Facebook profile to be relatively safe. I’ve adjusted the privacy settings to my liking, by restricting info available on my public listing as well as controlling which of my friends/acquaintances see which portions of my profile. But after reading the Facebook developer documentation and policies, I stumbled across one more privacy concern I didn’t really think of before: Facebook applications.
When you add a Facebook application, it asks you for access to a host of information. If you agree, then you can add the app. If not, no app. Straightforward, right? Well, that depends. Let’s take a closer look at an app authorization pop-up:
Access to my info and photos? Sure. Access to other stuff it needs to work? Fine. Access to my friends’ info? Yup, no problem. In a nutshell, Facebook is telling me what information the app might need, and is also asking my permission before proceeding, as it should. I’ve go no qualms about this aspect of Facebook – in fact, the application authorization process is done exactly as it should be done.
But what happens if we reverse the roles? Consider Frank the Facebook user. Frank uses Facebook every once in a while, and being a popular guy, has a lot of Facebook friends. But what happens when Jane, one of Frank’s friends, adds a sweet new application (let’s call it X) to her profile? Well, X can now access Frank’s information, because Frank is best buddies with Jane. “What? I didn’t allow this app access to my info!”, Frank exclaims. Doesn’t matter, because Jane allowed it. And that’s all it takes.
So what kind of information about Frank can application X access? That depends. The application privacy page on Facebook has this to say:
3. When a friend of yours visits an application or authorizes it, the information that the application can access includes your friend’s friend list and information about the people on that list.
Thus it can access some information about you. Please note that applications are obligated only to act upon the request of your friend and must respect all of your existing privacy settings.
To control which types of information are available to friends through applications, please visit the Settings tab on this page.
Looking under the Settings tab, we can see a list of all the information a Facebook application can have access to:
Now that’s a lot of information, application X’s access to which someone else (Jane) approved. If Frank had all the boxes checked in his settings, application X could access all of those drunken photos taken at Frank’s party last week. Not good.
I checked my application privacy settings age a few hours ago, and was shocked at all the information that was freely available to applications. I’m not sure which boxes are checked by default, but I could’ve sworn I’ve never touched these settings before. Either way, I urge each and every Facebook user that reads this post to go to the well-hidden Settings->Privacy settings->Applications->Settings page in Facebook and review their settings post-haste.
