Big Facebook privacy void: Controls on Connect
If you're sharing info on your news feed with Facebook Connect, it's visible to either all your friends or none of them, something that Facebook can and should change.
Privacy on Facebook has been front and center this month as the company has rolled out the controversial revamp of its user privacy settings. One thing that's thankfully stayed intact has been the ability to restrict the third-party applications on your profile to specific "lists" of friends--so that you can, for example, block your Mafia Wars activity from everyone who's not on your "People Who Know About My Mafia Wars Addiction" list.
But for stuff on my profile that was published through Facebook Connect rather than an app "built" on the platform, this is not the case. For some reason, information published to Facebook through Facebook Connect does not have any privacy controls attached to it, so it's either available to everybody or nobody.
To backtrack a little bit, Facebook first rolled out developer-created applications in the summer of 2007, and then a year later introduced Facebook Connect, which lets users log into third-party sites (and iPhone apps) from their Facebook profiles and publish content back to Facebook.
Facebook Connect apps that publish content back to Facebook profiles (which have additional permissions from those that simply let you log in with your Facebook ID) are grouped alongside the original variety of platform apps in Facebook's "Application Settings" privacy controls section. But the Connect apps don't have a "Profile" tab in their settings, because there isn't an embedded "box" for the app--just what shows up in your News Feed.
"We are evaluating adding post-level privacy settings for stories created through external developers, but for the time being, there is currently no difference between the settings for applications and Facebook Connect activities," Facebook representative Malorie Lucich told CNET via e-mail. "So, while you can control who sees the applications living in your profile boxes and application tabs, you currently cannot granularly control who sees your application activity in your feed."
I discovered this when I was testing out the new Facebook Connect feature on geo app Foursquare, one of the many mobile apps that lets you "check in" to different establishments and broadcast it to your friends from your phone. Foursquare will let you choose before you check in whether you want to broadcast that location to Twitter, and co-founders Dennis Crowley and Naveen Selvadurai tell me that a selective "share this on Facebook" button is coming alongside the Twitter button in a future version of its iPhone application. That'll help a lot, because right now, it'll share all of your check-ins to Facebook or none of them.
In the meantime, I decided to see whether I could restrict Foursquare's Facebook Connect publishing to one or two of my stratified Facebook friends lists--I mean, I don't need to clog all those news feeds up with a day's worth of check-ins, and my boss doesn't need to see that I checked in at Tom & Jerry's Bar after midnight on a weekday. (Not that I'd ever do that.)
Unfortunately, because you can't modify privacy controls for a Facebook Connect app, this means I can either show actions to all my friends (my profile is friends-only by default) or none of them. This appears to be the case for everything that's published to Facebook through Connect rather than an app--the same applies, for example, to Foursquare competitor Gowalla.
Right now, Facebook's Malorie Lucich explained to CNET, Facebook Connect posts are treated as "wall" activity. "With Facebook Platform applications and Facebook Connect, users always have control over whether or not they want their activity published to their feed for their friends to see," she wrote. "You can also control who sees your overall activity on Facebook by setting who can see 'posts by me' on your privacy settings page. This will limit who can see your Wall."
"As outlined in our (developer) roadmap, upcoming changes will make it easier for users to directly communicate with their friends about applications and Facebook Connect activity via the inbox," Lucich's e-mail continued. "Additionally, profile boxes and the boxes tab will be removed, making application tabs the sole way to integrate applications statically with your profile--and you will continue to be able to control who sees that content."
But Facebook Connect is huge. More than 80,000 third-party sites are now participating, and not all of them deal with publicly available content (i.e. Yelp reviews, photos uploaded to Flickr, comments on Digg). Privacy controls here are something that Facebook could certainly improve; the company says that plans for data permissions are still evolving.
This post was expanded at 4:46 p.m. PT with comment from Facebook.