Facebook’s loosening sense of privacy

14 December 2009

I am quoted in this weekend’s Financial Times, in Tim Bradshaw‘s article about Facebook’s new privacy settings [registration may be required]:

Chris Applegate [...] was dismayed to discover that applications installed by his friends could see his data unless he chose to opt out, an option not given in Facebook’s latest reminder. “I’ve always kept a tight rein on the apps I install. But it only takes one friend to install a malicious app and . . . my information is compromised,” he said. “There is a great potential for leakage.”

Tim & I had quite a long chat and obviously he couldn’t include it all, so here’s a bit more information about the situation. It all came about from a chat on Twitter I had with Kathryn Corrick; a few days ago I had seen a popup dialog on Facebook asking me to update my privacy settings; I could keep the old ones or (as suggested) I could make more of my Facebook details public.

I’ve taken care to keep much of the private data on my Facebook account properly private; my public profile is quite limited and only friends can see anything I want to keep personal. Seeing no reason to change this, I kept the settings as they were and left it that. But then a few days later, in our conversation Kathryn warned that there were new privacy settings added in, so I checked it out. And lo and behold, there’s a section I hadn’t seen before, in the “Applications and websites” section, called “What your friends can share about you through applications and websites”:

Facebook's friend's applications and website privacy settings

I am nearly certain this page did not exist before (this comment on Mashable remarking on its newness seems to agree). I try out a lot of Facebook apps and then ditch them, so I periodically check my settings to make sure they’re not still enjoying privileges on my data (Facebook apps retain permission to access your data even after they are uninstalled, presumably in case you want to install them again). I don’t recall seeing it then, and I definitely was not asked about these new privacy settings in the migration process, during which I just asked to stick to my old settings – as this how-to or indeed Facebook’s own tutorial video bear out.

Allowing my friends to look at my status updates & interests via the web or mobile interface is fine by me – else Facebook is pretty useless to them. But allowing apps or websites they have installed or allowed to access this data is another level entirely; all it would have taken would have been one friend who is not so tech-savvy to install a malware-infected app and my data would have been at risk, regardless of how careful I am with what I install. Even more alarmingly, the default options are to be very open about this information; Facebook assumes you want to share nearly all of this data with your friends’ applications by default – as you can see above, only two of these (Family/relationship & religious/political views) are excluded from being ticked.

So my advice? Re-review your privacy settings, especially the applications and websites section; pay special attention to the applications you have installed – the ‘Learn more’ button is a misleading link which eventually leads to the page that allows you to check these; pay extra-special attention to the ‘what your friends can share about you’ page and uncheck all the boxes you are not comfortable sharing with applications your friends may install (depending on how tech-savvy your friends are and how much you trust them to not install anything malicious) – I strongly recommend doing this part especially.

To round off, it’s worth remembering that Facebook is not a charity; it is a commercial venture that has always existed to take the userdata it has acquired and sell advertising based on it, a very old-school way of making money on the web. Whereas on the other hand, for years the more enlightened have been talking of open web services and APIs and the ability to mash up data from a variety of sources, and creating value from that. In many ways the Facebook application platform is fast becoming a combination of the worst elements of these two differing attitudes – the craving to make money no matter whether it might endanger their long-term interests, and the craving to share data without any respect as to what that data is or who it is meant for. Facebook are not being evil or stupid, but they are being remarkably casual with user privacy; they ought to remember that no-one running a site that relies on the goodwill of its users can afford to take them for granted for too long before their users find somewhere else to go.


3 Responses

Wow. That’s amazingly out of order. Thanks for the heads up.

I just went through the migration process myself, and had no idea.

I’ve always been careful with facebook largely due to facebook’s claim to copyright for user input (why I haven’t put up photos beyond my avatar) so I know I don’t have private info at risk but malware is a whole other story. Thanks.

Off to check it out.

True, Windows Malware will ruin your privacy. You should not blame the victims of those scams, they often work without user intervention. The Vista family of OS itself is malware, so anyone using it is open to invasion. Really, it sends encrypted communications back to Microsoft daily and no one knows what’s sent.

Facebook has also sold out their users. Employers and insurance companies can see what you think is private. A good example of this this lady who lost her unemployement compensation. As useful as these community sites are, there are dangers to trusting a third party. There’s no surprise that Facebook is 15% owned by Microsoft.

Facebook was built on free software and free software will do better soon enough. It should be possible for people to run their own web servers and control their own data, while still granting access to your information. A peerbook like this is currently under development by GNU and others.