Stalkbook: Stalk anyone, even if you're not Facebook friends

MIT graduate Oliver Yeh recently built a service called Stalkbook that he claims allows you to stalk people on Facebook even if you're not friends with them on the social network. Yeh has a simple but malicious trick: he uses other Facebook users' credentials to view whichever profile you want to stalk.

When I went to the site, typed in "Mark Zuckerberg" and clicked "Stalk," I was greeted with the following message: "Stalking is considered to be morally wrong. Why don't you try talking to the person instead." Stalkbook hasn't been released publicly, but Yeh has demoed it to select individuals.

In an interview with IEEE, Yeh explained in further detail how Stalkbook works:

So, the photo version works by whenever a person signs on to the application; not only does he reveal his or her own information but he also compromises all of his or her friends' information too. So for example, if I sign on to the site, then my friend Trevor would also be signed on to the site because I'm friends with Trevor. And because with my credentials, I can see Trevor's information. Now, everyone on the Internet can also see Trevor's information by using my credentials. And as more people sign up to Stalkbook, you get this network effect, in which you only need perhaps 10 percent of Facebook to join to compromise 80 to 90 percent of Facebook.

If that's a bit too complicated for you, this diagram should simplify it:

How can Yeh possibly pull this off though? With a Facebook app that caches the data, of course. He continues:

So, with Facebook API--which is software that Facebook developed so that third-party developers can access Facebook's information--so with this API, I can have access to my friend Trevor's information. And what Stalkbook does is it goes through all of a user's information and all of the friends of the user's information and stores a cache copy on the website, so that when somebody else visits Stalkbook, they now have access to a cache version of Facebook's data, even though they don't have permission to access Trevor's information.

So, is Yeh right? Technically speaking, it is possible to do. He would have to build a very large network of individuals willing to use his app for such purposes, cache all the information he can, all while avoiding Facebook's wrath as more and more users start using Stalkbook.

Unfortunately for Yeh and fortunately for Facebook's users, Stalkbook goes against Facebook's terms of service (Statement of Rights and Responsibilities). In the Safety section of Facebook's TOS, point number five clearly states: "You will not solicit login information or access an account belonging to someone else."

Some could argue that this doesn't apply to Facebook apps. In that case, let's check the "Special Provisions Applicable to Developers/Operators of Applications and Websites" section. Here's point No. 2, "Your access to and use of data you receive from Facebook, will be limited as follows:"

1. You will only request data you need to operate your application.
2. You will have a privacy policy that tells users what user data you are going to use and how you will use, display, share, or transfer that data and you will include your privacy policy URL in the Developer Application.
3. You will not use, display, share, or transfer a user's data in a manner inconsistent with your privacy policy.
4. You will delete all data you receive from us concerning a user if the user asks you to do so, and will provide a mechanism for users to make such a request.
5. You will not include data you receive from us concerning a user in any advertising creative.
6. You will not directly or indirectly transfer any data you receive from us to (or use such data in connection with) any ad network, ad exchange, data broker, or other advertising related toolset, even if a user consents to that transfer or use.
7. You will not sell user data. If you are acquired by or merge with a third party, you can continue to use user data within your application, but you cannot transfer user data outside of your application.
8. We can require you to delete user data if you use it in a way that we determine is inconsistent with users' expectations.
9. We can limit your access to data.
10. You will comply with all other restrictions contained in our Facebook Platform Policies.

A lawyer might argue that the first nine points don't explicitly restrict Yeh from achieving what he wants. The 10th point, however, is where Facebook does indeed properly cover its bases. In said document there's a section called "II. Storing and Using Data You Receive From Us," the fourth point of which specifically says: "A user's friends' data can only be used in the context of the user's experience on your application."

Busted. If you login to a third-party app or Web site that leverages Facebook, only you can view your friends' data. Yeh, or anyone else for that matter, is not allowed to hoard your credentials so that others can see your friends' information and photos.

I reached out to Facebook for a comment on this story. Right as I was finishing up this article (really, I was on this paragraph!), I was told the company could not provide a comment on Yeh's app (likely because it's not live). A Facebook spokesperson did, however, point me to a section of its Data Use Policy titled "Controlling what is shared when the people you share with use applications."

This webpage explains all about sharing and resharing of your information on Facebook, but the last line in this section is the one that applies here: "If an application asks permission from someone else to access your information, the application will be allowed to use that information only in connection with the person that gave the permission and no one else." That's just another way of saying the line I found earlier in the Facebook Platform Policies: "A user's friends' data can only be used in the context of the user's experience on your application."