January 23, 2008 8:58 AM PST

Exclusive: The next Facebook privacy scandal

Posted by Chris Soghoian

Facebook is no stranger to the complaints of privacy activists. First, it was the site's News Feed feature back in 2006. Most recently, the company's Beacon service drew widespread criticism. This blog post will outline yet another major privacy issue, in which Facebook recklessly exposes user data.

Facebook launched its widely popular application developer program back in May 2007. As of press time, there were more than 14,000 applications. Some, including most of the popular apps, are made by companies, while a few of the popular apps, and a significant number of the long tail of the less popular applications are made by individual developers.

But a new study suggests there may be a bigger problem with the applications. Many are given access to far more personal data than they need to in order to run, including data on users who never even signed up for the application. Not only does Facebook enable this, but it does little to warn users that it is even happening, and of the risk that a rogue application developer can pose.

Privacy problems for the user

In order to install an application, a Facebook user must first agree to "allow this application to...know who I am and access my information." Users not willing to permit the application access to all kinds of data from their profile cannot install it onto their Facebook page.

Screenshot of adding an application

(Credit: Facebook)

What kind of information does Facebook give the application developer access to? Practically everything. According to the Application Terms of Service,

"Facebook may...provide developers access to...your name, your profile picture, your gender, your birthday, your hometown location...your current location...your political view, your activities, your interests...your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history,...copies of photos in your Facebook Site photo albums...a list of user IDs mapped to your Facebook friends."

The applications don't actually run on Facebook's servers, but on servers owned and operated by the application developers. Whenever a Facebook user's profile is displayed, the application servers contact Facebook, request the user's private data, process it, and send back whatever content will be displayed to the user. As part of its terms of service, Facebook makes the developers promise to throw away any data they received from Facebook after the application content has been sent back for display to the user.

Researchers blast Facebook

Some applications may make use of all this data, but as researchers from the University of Virginia have detailed in a recent report, Facebook provides applications with access to far more private user information than they need to function. Adrienne Felt, a student and lead researcher on the project, told me that of the top 150 applications they examined in October 2007, "8.7 percent didn't need any information; 82 percent used public data (name, network, list of friends); and only 9.3 percent needed private information (e.g., birthday). Since all of the applications are given full access to private data, this means that 90.7 percent of applications are being given more privileges than they need."

(Credit: Adrienne Felt, with permission.)

Felt condemned this practice, and said that it violated the the idea of least authority, an important security design principle that states that an actor should only be given the privileges needed to perform a job. In other words, she said, an application that doesn't need private information shouldn't be given any.

"Regardless of the click-through disclaimer that Facebook makes users accept, I don't think people understand what's happening to their data behind the scenes. If applications don't appear to use private data--but then they all have this same standard click-through screen--how can users differentiate between applications that really need access to data and all the rest?"

More than your own data--selling out your friends

Facebook's Web site and lengthy application terms of service curiously fail to mention something rather important. In addition to providing the application developer access to most of your private profile data, you also agree to allow the developer to see private data on all of your friends too.

Many Facebook users set their profiles to private, which stops anyone but their friends from seeing their profile details. This is a great privacy feature that can protect users from cyberstalkers and is completely gutted by the application system. To restate things--if you set your profile to private, and one of your friends adds an application, most of your profile information that is visible to your friend is also available to the application developer--even if you yourself have not installed the application.

The good news is that Facebook lets you configure the amount of your own private data that your friend's applications can see. The bad news is that it's hidden away, requiring several clicks through menus to find a page listing specific privacy settings (Privacy -> Applications -> Other Applications). Furthermore, the default values are extremely lax, such that a user who has yet to discover the preference page is essentially sharing her entire profile by default.

This friend data-sharing "feature," and the ability to protect against it, isn't mentioned anywhere else on Facebook's site, nor are users informed about it when they install an application.

On Tuesday, I had the opportunity to briefly chat with Chris Kelly, Facebook's chief privacy officer. During our conversation, he dismissed claims that Facebook does nothing to inform users that applications have access to data on user's friends, stating that "we have made things very clear to users, and they understand it very well." However, by press time, he had yet to send me a link to anywhere on the site where this information was "clearly" explained.

I also spoke with George Washington University Law professor and privacy expert Daniel Solove to get his thoughts on the issue. Regarding Facebook's claims that it makes its privacy policy clear to users, he said that "they seem to be going on the assumption that if someone uses Facebook, they really have no privacy concerns." Furthermore, "a kind of vague notice in a privacy policy that no one reads suddenly permits Facebook to do whatever they want with minimal to no privacy protections."

As for actually getting user permission before using their data in new and creepy ways, Solove said that the company "seem to have a very cavalier attitude to their users consent."

Rogue developers

Ok. So in order to give your friends virtual naughty gifts, play scrabble online, or see your daily horoscope, a user has to hand over all their private profile data to some unknown company or developer. No need to worry though, because Facebook has safeguards in place, right?

"Before providing any information to any Developer through the Facebook Platform, Facebook requires each Developer to enter into an agreement...which...strictly limits their collection, use, and storage of Facebook Site Information." (Facebook application terms of service)

Ah, good. Facebook requires that each developer protect the privacy of the user information and requires that they not store a local copy. I'm sure Facebook enforces this vigorously, audits developers, and throws the book at anyone who violates this rule, right?

"[each application] has not been approved, endorsed, or reviewed in any manner by Facebook...we are not responsible for...the privacy practices or other policies of the Developer. YOU USE SUCH DEVELOPER APPLICATIONS AT YOUR OWN RISK." (Facebook application terms of service)

I asked Facebook's Kelly what his company is doing to ensure that application developers do not violate the rules by saving a copy of user data that passes through their servers. He cited "extensive security mechanisms operating behind the scenes," although, he refused to expand on this, due to "security reasons." He wasn't too happy when I accused him of practicing security though obscurity, a concept widely mocked in security circles. He dismissed my charge as a mischaracterization.

Kelly claimed that his company "has a variety of techniques to determine if [developers are saving user data.]" As a PhD student in Information Security, I can quite confidently say that from a technical perspective, this is impossible. Simply put, once the data leaves Facebook's servers, the company has no way of knowing what happens to it. Thus, giving Mr. Kelly the benefit of the doubt, I can only assume that Facebook has a team of trained psychics on staff who use their mysterious powers to ferret out rogue developers.

Who are the application developers

Kelly said that users can determine a developer's trustworthiness by looking at their profile page, and that somehow, users can combine to form some kind of intelligent hive mind. "One of the factors is what applications your friends are installing. Untrusted applications don't get added very often as the collective mind is choosing what is trusted in real time." He further added that it is "up to your friends to make that determination in real time. If an application is going to give them some utility, they'll know that the applications have to obey the rules."

Call me a cynic--but I fail to see how thousands of 18-year-olds can collectively assess the data protection practices of some random developer in a foreign land. Remember, these are the same 18-year-olds who post photos of themselves passed out drunk on their public profile pages.

Would I trust the hive mind of Indiana University students to tell me which bar in town has the cheapest beer? Sure. But to expect them to evaluate a company's privacy practices? No way.

A public outcry

Unfortunately, as alarming as this issue is to privacy activists, there is a good chance that it may fail to gain the attention of the millions of Facebook users necessary to actually force the company to fix its policies. While both the newsfeeds and Beacon scandals were "in your face," most users have no way of knowing what, if any, data is being transmitted to application developers by Facebook, and thus are unlikely to be motivated to complain.

Furthermore, even users who are aware of the privacy risks of Facebook applications may still end up installing them. To not do so is to isolate yourself, to cut off communication channels, and in some cases, to cause insult your friends.

In what can only be a great example of life imitating art (see below), I asked security researcher Adrienne Felt which, if any, applications she used. She told me that in spite of the fact that she had spent significant time investigating the privacy risks, she still ended up installing an application because her friends wanted to send her some virtual Christmas presents. Not wanting to offend them, she put aside her privacy concerns, and installed the app. As she told me, due to the peer pressure, "I had a hard time saying no."

The Joy Of Tech on Facebook

(Credit: Nitrozac and Snaggy, used with permission.)

Disclosure: I have applied to Facebook for a summer internship, along with about 15 other companies. I have received $5,000 of fellowship money from Google and the Hispanic College Fund in 2007-2008. Dan Solove also gave me a free copy of his book to review.

Originally posted at Surveillance State
Christopher Soghoian, a graduate student in the school of Informatics at Indiana University, delves into the areas of security, privacy and e-crime. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
Tags:

Facebook,

applications,

sheep

Bookmark:
Digg
Del.icio.us
Reddit
Recent posts from News Blog
Sprint HTC Touch Diamond outed early
Woman to virtual ex: 'I won't be ignored!'
Swiss secret sauce to power green choppers
iLink to deliver answers to military online communities
Vonage names new CEO
Add a Comment (Log in or register) 2 comments
outrageous
by Dalkorian January 24, 2008 8:51 AM PST
I know people who have Facebook profiles, they keep trying to
encourage me to "join in the fun".

Boy am I glad I haven't done so. Otherwise, I'd be scared and angry
right now.
Reply to this comment
Ridiculous Article. This is NOT a privacy scandal.
by meikitas February 7, 2008 2:20 PM PST
As a user of Facebook, myspace, and other social networking sites, and a person that cares about her privacy all I have to say is this: If you have information that you want to keep private THEN DON'T POST IT ON THE FREAKING WEB! In this article there is a long list of information that the application developers have access to. Well guess what, NONE of these fields are required. You don't have to put your birthday, your religion, your picture, etc. Even bigger news, even if you add all your data to your Facebook page, you certainly DON'T have to add any additional applications. It's not rocket science. If you have info you are sensitive about sharing, then don't post it.

The ability for third party programming geeks to build small applications that are available to add to facebook is a truly innovative feature of the site that keeps it fun, new, and different for users that care about those things. For some people turning your friends into Zombies is just a great way to pass the time. That's what keeps them coming back. For others it's the superpoke. For other's, they just like having one place to communicate with all their friends. Each person has the ability to personally customize their page according to what they like. THat is why facebook is so popular.

As to Privacy expert Daniel Solove statement "a kind of vague notice in a privacy policy that no one reads suddenly permits Facebook to do whatever they want with minimal to no privacy protections."
If 'no one reads' the privacy policy, then why is this Facebook's problem? Furthermore, Facebook is not doing it, the users are. They opt to add their information to the site, they opt to add applications when it is CLEARLY stated the application can 'know who I am and access my information.'

BTW, it's called an API. Facebook provides a generic API and it is up to the application developer to get the specific pieces of information they need for their app. It is not standard to have a different, custom API for every application developer out there.

The bottom line is: If you think too much private data is being accessed by third party application developers, it is NOT because Facebook is giving them too much information, IT IS BECAUSE YOU ARE SHARING TOO MUCH PRIVATE DATA WITH FACEBOOK.
Reply to this comment
Powered by Jive Software
advertisement

Latest tech news headlines

About News Blog

Recent posts on technology, trends, and more.

Add this feed to your online news reader

News Blog topics

Featured blogs

advertisement

Inside CNET News

Scroll Left Scroll Right

  • Nanotech: The Circuits Blog

    Timing rumors surface for AMD plant spin-off

    Rumors persist that Advanced Micro Devices is planning to spin off all or part of its manufacturing operations.

  • Gallery

    Photos: Ron Paul's RNC alternative

    As the Republican convention took place just miles away, a crowd rallied for the former presidential candidate and his message of limited government, ensured civil liberties, lower taxes, and peace.

  • Digital Noise: Music and Tech

    Was 1980s music that bad?

    NPR asks listeners which year featured the best music, and the 1980s emerge as a bleak era. Personally, the '80s figure prominently in my collection, but well behind the 1970s.

  • Beyond Binary

    Microsoft begins big ad push

    Microsoft's multi-year push, estimated at $300 million, begins with a spot featuring Bill Gates and Jerry Seinfeld aired during Thursday's NFL game.

  • Video

    YouTube plays party politics

    During the presidential campaigning four years ago, YouTube didn't even exist. Now it's a tool candidates must master to get their message across. CNET's Kara Tsuboi stops by the YouTube upload booths at the Democratic and Republican conventions to find out why Google's video site has such a big presence in Denver and St. Paul, Minn.

  • News - Digital Media

    Michael Moore plans Net-only film premiere

    Filmmaker plans to premiere his latest documentary exclusively on the Internet for free, forgoing the traditional theatrical release.

  • Video

    Political party playlists

    We know the Democrats and Republicans are split over policy issues, but does their musical taste fall down party lines too? And what kind of gadgets did they bring to the conventions to listen to their music? CNET reporter Kara Tsuboi finds out.

  • News - Politics and Law

    What you can--and can't--find about Palin on the Internet

    John McCain's choice of Sarah Palin as a running mate has inspired a wealth of creativity on the Internet.

  • News - Cutting Edge

    Execs predict next Google-like tech

    On eve of company's 10-year anniversary, researchers and business pundits speculate about what technologies might someday have as much impact as Google.

  • Gallery

    Photos: The brains behind Google Chrome

    Here's a look at some of the engineers and executives who took the stage at the company's headquarters as they unveiled the new browser.

  • Webware

    10 things we'd like to see in Chrome

    Google's Chrome is pretty good, but it could be a whole lot better. We've rounded up 10 fairly extensive ways to tweak it to make it an all-around better browser.

  • Green Tech

    Clean-tech group forms to support Obama

    "Clean Tech and Green Business for Obama" aims to raise $1 million for the Democratic presidential nominee while elevating issues of climate change and alternative energy.

News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
Dell
PlayStation 3
Wii
Windows Vista
CNET sites
CNET TV
Downloads
Forums
News
Reviews
Site map
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET