Understanding what Facebook apps really know (FAQ)

An in-depth look at how much Facebook applications know about the users who opt into them, and what it means in the bigger scheme of things.

Caroline McCarthy Former Staff writer, CNET News
Caroline McCarthy, a CNET News staff writer, is a downtown Manhattanite happily addicted to social-media tools and restaurant blogs. Her pre-CNET resume includes interning at an IT security firm and brewing cappuccinos.

Do Facebook apps sell you out? Judging by the contents of a Wall Street Journal report last week, one could easily get the idea that a massive lapse in oversight on Facebook's behalf led a bevy of opportunistic developers to start selling user data off to marketers and advertisers. Or not. Plenty of tech journalists jumped to Facebook's defense and poked holes in the Journal's page-one story.

The result was a rather muddled mess. Because, yes, it's a problem if developers are going behind Facebook's back and selling user data. But even if so, it still isn't particularly new and shocking: tech industry insiders say Facebook has been aware of this, and continually policing it like a game of Whac-A-Mole, since the platform's early days.

What exactly was this "privacy breach," if any, and what can Facebook users learn from it all? CNET breaks it down for you here.

Do third-party apps on Facebook really have access to loads of personal information?
Many of them do. That is, of course, if you give them permission. But at this point, hitting that "Connect with Facebook" button has become second nature to many of the social network's users, and loads of them hastily click through without thinking what kind of information might be handed over. If you're concerned about who has access to your information, make a habit of thinking before you click.

What caused last week's scandal?
The Wall Street Journal investigation pitched the issue as a "Facebook privacy breach." That isn't really the best way to phrase it; there was no hole, hack, or exploit that led to last week's report. The "breach" in question is the fact that, as a rule, some information about Facebook users is transmitted to third-party applications that sync up to Facebook. Among that is the user ID number, which can be matched up to a profile and all of the public information contained within--which includes first and last name by default, and often significantly more information based on how much that member has opted to render public.

The Journal's investigation found that many app developers have been selling or transmitting those user IDs to outside companies. Some of those outside companies, in turn, are data-collection or advertising firms with their own databases to which they can match up public Facebook profile data to bigger compendiums of personal information.

The real scandal, if there is one, is that this is a violation of Facebook's developer terms of service and yet it had been going on for an undetermined amount of time on the part of most of the social network's biggest developers. Facebook has said that this sharing of user identification numbers was, in many cases, inadvertent, and that the company is "investigating a technical solution to the issue." Some cynics obviously don't buy that, and believe that Facebook may have turned a blind eye to it in the interest of keeping massive Platform apps--which are a big Facebook traffic draw--growing quickly and profitably.

"Our policy is very clear about protecting user data, ensuring that no one can access private user information without explicit user consent," a post on the Facebook developer blog read. "Further, developers cannot disclose user information to ad networks and data brokers. We take strong measures to enforce this policy, including suspending and disabling applications that violate it."

Is this just lip service? Does Facebook actually combat the exploitation of user data by third parties?
Yes, Facebook has a history of blocking and unblocking apps, including those made by big-ticket developers, in accordance with security problems as well as newly developed features that Facebook decides aren't kosher. When a developer found a security hole in Top Friends, an app manufactured by then-leading Facebook widget-maker Slide, Facebook temporarily suspended the app. The terms of the platform, too, are malleable as a result: "Forced invites" were permissible in the platform's early days, until Facebook realized that they were effectively being used to spam members' friends. The social network banned forced invites, and reportedly warned developers that their apps could be blocked if forced-invite activity was detected.

"They've seen this before already, where they made changes to their privacy policy and made sure that their application vendors were aware that they were not supposed to be doing this because they'd had abuse previously," Chet Wisniewski, an analyst with security firm Sophos, told CNET last week.

Politically, Facebook also wants to wield sufficient influence over the Platform. Some app developers have grown extremely large and gained an extraordinary amount of boardroom clout with Facebook, to the extent that Facebook has been forced to negotiate on occasion. Some of these instances of marketers snapping up Facebook profile data from app manufacturers to complete people-search databases--a company called Rapleaf appears to have been doing just that--could undermine Facebook's hold on the data of 500 million users.

While Facebook executives talk about making the world a more "open and connected" place, the company clearly understands the value of that information. Just look at how hesitant it's been in the past to join initiatives where a significant amount of user data would be swapped with other companies; from a pure business standpoint, Facebook probably doesn't want it to be making the rounds outside of its control. And, ultimately, that's good for users who are concerned about third parties doing too much with their data.

How can I best be in control of what's getting shared with third-party applications?
You aren't using SuperPoke anymore, so why are you still permitting it to access your data? You can turn this off pretty easily through Facebook's new application dashboard, perhaps one of the best products that the social network has launched in the past year with regard to user control and privacy. It's not, however, the easiest feature to access on Facebook. You'll want to go up to the upper right-hand corner of any Facebook page, to the "Account" drop-down menu, and select "Privacy Settings." On the page that then loads, click the "Applications and Websites" link in the bottom left-hand corner.

You should check up on the application dashboard regularly in the same way that you keep tabs on your credit card billing statement. (I had no idea that I still was granting permission to the "CollegeHumor Insult Generator," for example. Though I'm sure CollegeHumor had only the most honorable of intentions with my personal data, I promptly gave it the ax.) If there's anything you haven't heard of, no longer use, or aren't comfortable with the level of information shared with it, just remove it, and it can't glean any new data from you.

Also, take a moment to look at the "Info accessible through your friends" section. Uncheck anything that you don't want to be accessible by applications your friends install.

The catch, though, is that Facebook does not guarantee that a deleted application will in turn remove data that you've already shared with it. The company recommends that users contact the application developers directly in that case--which is, particularly with applications run by huge companies, a hassle to say the least.

How does this compare to what other companies, online and offline, might know and sell about you?
Truth be told, the best argument in favor of not freaking out about what FarmVille might be doing with your data is the plain fact that there are a lot of services and programs out there that know a whole lot more about you than most Facebook applications ever will--and, yes, they sometimes sell it. If you count yourself as a member of the modern consumer economy, you're probably a participant. Credit card companies, retailer loyalty programs, and online travel booking sites are only a few of the establishments that have been known to share information.

Facebook applications "probably got access to less information than if you went to Orbitz and signed up and didn't opt out," attorney and privacy specialist Scott Vernick of the law firm Fox Rothschild LLP told CNET. And, he noted, that opt-out can be difficult to spot. "Any time you go to any retail site on the Internet, any hospitality site, any restaurant site, any number of sites, and you put in your information--your name, your address, your e-mail address, where you live, those kinds of things," he explained, "unless you opt out, then someone's likely to sell that information and then you're going to be subjected to all kinds of advertisements."

And when you consider that many consumers have been turning over information in this manner for years, if not decades, the idea of FarmVille having access to your Facebook profile seems a little more benign. Perhaps the most important thing to remember is that even if Facebook gives you a profile field to fill out, you aren't obliged to put anything in it.