
Facebook apps – you’re doing it wrong!
May 1, 2009
“[W]eb cognoscenti tend to think that people who worry too much about privacy are sentimentalists who should grow up.”
(See “Do you own Facebook – or does Facebook own you?” by Vanessa Grigoriadis, San Francisco Sentinel, April 8, 2009).
As someone having dabbled in both programming and law, this “cognoscente” respectfully disagrees.
My curiosity first arose when I advised a Facebook app developer on the adequacy of their privacy policy. “We don’t store any info we gather from Facebook like the other apps, we’re good about that.” I was a little shocked at first. Info gathered from Facebook? What? “Yeah, through Facebook APIs, everybody does it.” Because I’m an avid Facebook user myself, and one who is professionally familiar with APIs, I was a little concerned. How come I hadn’t heard of this before?! I got on Facebook and started poking around.
I decided to add a Facebook application to my profile and this is the screen that came up:

“By proceeding, you are allowing LivingSocial to access your information and you are agreeing to the Facebook Terms of Use in your use of LivingSocial.”
LivingSocial doesn’t have their own privacy policy. This is what Facebook has to offer in terms of notice:
- It tells you that the app will have access to “content that it requires to work” and
- links you to the Facebook Terms of Use (ToU) (which was updated as I was writing this post on May 1st, but thanks to Google caching can be found here)
I think a regular user will safely assume that “content that it requires to work” is general information not including much more than your Facebook user ID and your name, but that’s not the case. (More on that later.)
Facebook Terms of Use
or as it’s presently called, Statement of Rights and Responsibilities.
The first clause is a brief description of and a link to their Privacy policy.
The rest of the clauses don’t really address what information is available to Facebook apps.
The new version has a developers provisions clause which asks the developers not to use the collected data in unintended ways. It also mentions Platform Guidelines.
OK, so after clicking around I finally stumbled upon their Platform Application Terms of Use which stated:
PLEASE NOTE: Facebook Platform does not give Developers access to your e-mail address, personal website, instant messenger ID, telephone number or street address (“Contact Information”). Facebook will only disclose your Contact Information to third parties in accordance with the Facebook Privacy Policy.
The Facebook terms of use continue by explaining that “[t]he Facebook Platform is a set of APIs and services provided by Facebook that enable third-party developers.”
Well, that’s presumptuous of them to assume that everyone knows what that means, so in case you’re in the minority that doesn’t, here’s a feeble attempt at an explanation.
In geek talk, API stands for Application Programming Interface. In lesser geek talk, a Facebook API is a set of routines that Facebook makes available to outside programs (Facebook apps like TopFriends, ComparePeople, Superpoke, Quizzes etc.). How does it work exactly?
(Feel free to skip the following if you’re getting sleepy.)
Let’s say Facebook is a hospital and the users are the patients. APIs would be the various employees of the hospital such as receptionists, nurses, doctors of varying specialties, medical billers, janitors, physician assistants, security guards etc.
Each employee at the hospital has a specific task to perform, and for the sake of analogy let’s say they only perform a single task. A cardiologist will only give you a patient’s heart statistics, a receptionist will only give you the patient’s basic information like name, address, social security number etc., and a medical biller will only tell you if a patient is covered by medical insurance or is self-pay.
The Facebook applications are visitors of the hospital, but for the sake of analogy let’s assume they’re mostly not relatives or loved ones of the patients. A lot of them are ambulance chasers or Jehovah’s Witnesses.
In the Facebook world, the ambulance chasers (Facebook apps) will query the hospital employees (APIs) and get any information about the hospital patients (Facebook users) they ask for in order to do their job (TopFriends, ComparePeople, Superpoke, Quizzes). In the Facebook world there’s no HIPAA compliance training that the employees are bound by; there’s rarely even a call to the patient to ask permission to give out some of the basic information. Certain basic information is available regardless of the user’s privacy settings or consent. Almost all of the information is available once a patient interacts with a Jehovah’s Witness or an ambulance chaser just once, without agreeing to join their religion or use their legal services. Ah yes, the Facebook world.
Oh, and if you thought you could shield yourself from these APIs by making your profile and all its contents private and only visible to your friends, think again. Facebook provides APIs that allow Facebook apps to retrieve your information through your friends. Once a friend uses a Facebook app, that app can access their info and the info from any friend’s profile that they can view.
The basic information that the application can access once you’ve interacted with it (by simply visiting the app’s page, or perhaps commenting on another user’s activity with the app) is outlined in the Users.getStandardInfo API. When called, it returns your Facebook-specific user ID, first name, last name, time zone, birthday, sex, regional affiliations, locale, and profile URL. But don’t worry, Facebook asks the developer to use this API “for analytic information only” and reminds the app developer that, other than the user ID, storing this data for more than 24 hours or for any other use is against the Developer Terms of Service.
We do get some sort of notice about the lowered expectation of privacy, but it’s not adequate. There are other concerned users out there. Facebook’s policy is vague and cumbersome and it doesn’t properly disclose the risks to its users. I had to click a few different links and review the API documentation to see the exact data available.
What’s to stop these developers from storing the data and using it for something other than “content that it requires to work”? There aren’t many technological safeguards in place, and the only thing that’s really stopping them is the Developer Terms of Service.
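Since the post notes that nothing technical enforces the 24-hour rule attached to Users.getStandardInfo data, here is an added example (not code from the post or from Facebook) of the kind of retention control a conscientious app developer could put on their own side: it keeps only the fields the post lists, and after 24 hours strips everything except the user ID. The field names, the store class and the sample record are assumptions constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Fields the post lists for Users.getStandardInfo; these key names are assumed, not Facebook's.
STANDARD_INFO_FIELDS = {"uid", "first_name", "last_name", "timezone", "birthday",
                        "sex", "affiliations", "locale", "profile_url"}
RETENTION = timedelta(hours=24)    # the limit the Developer Terms of Service impose
ALLOWED_LONG_TERM = {"uid"}        # the only field the post says may be kept longer


class StandardInfoStore:
    """App-side cache of getStandardInfo results with enforced retention (constructed example)."""

    def __init__(self):
        self._rows = {}  # uid -> (fetched_at, record)

    def store(self, record, fetched_at):
        # Data minimisation: drop anything outside the documented field set before storing.
        rec = {k: v for k, v in record.items() if k in STANDARD_INFO_FIELDS}
        self._rows[rec["uid"]] = (fetched_at, rec)

    def purge(self, now):
        """Redact every field but uid from records older than RETENTION; returns how many."""
        redacted = 0
        for uid, (fetched_at, rec) in list(self._rows.items()):
            expired = now - fetched_at >= RETENTION
            if expired and set(rec) - ALLOWED_LONG_TERM:
                self._rows[uid] = (fetched_at, {k: v for k, v in rec.items()
                                                if k in ALLOWED_LONG_TERM})
                redacted += 1
        return redacted

    def get(self, uid, now):
        # Every read purges first, so stale fields can never be handed back.
        self.purge(now)
        return self._rows.get(uid, (None, None))[1]


def demo():
    """Stores one constructed record and reads it back inside and outside the 24h window."""
    t0 = datetime(2009, 5, 1, 12, 0, tzinfo=timezone.utc)
    sample = {"uid": 12345, "first_name": "Pat", "birthday": "1980-01-01",
              "sex": "female", "email": "should-not-be-here@example.com"}  # constructed
    store = StandardInfoStore()
    store.store(sample, fetched_at=t0)
    fresh = store.get(12345, t0 + timedelta(hours=1))
    stale = store.get(12345, t0 + timedelta(hours=25))
    return fresh, stale


if __name__ == "__main__":
    print(demo())
```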
When Chris Kelly, Facebook’s chief privacy officer, was asked about the situation and the wealth of information provided by the APIs to Facebook apps, he responded with “‘So the Indian government knows that you like Bon Jovi, and that’s a threat to national security?’ he asked, laughing.” (See “Do you own Facebook – or does Facebook own you?” by Vanessa Grigoriadis, San Francisco Sentinel, April 8, 2009.)
Yes, perhaps Facebook users aren’t in any immediate danger from India or a horde of hackers, but that doesn’t mean we should be so lackadaisical with our privacy. Technologically speaking, there’s nothing stopping this kind of identity theft. A lot of these Facebook apps are written and hosted in jurisdictions that don’t have developed privacy laws. Because your full name, location, sex and date of birth are easily accessed through an API, it wouldn’t be difficult for a hacker to steal your identity.
Even assuming the developers are harmless and good-natured, how do we know that they keep their data secure? I know that to most programmers in a small to mid-sized software company, data security and software stability are the last things on their minds. They are usually busy trying to make the new features run, without failing, before the next update; sales guys are busy putting lipstick on a pig and promising things for the next release; and the boss is mostly concerned with the invoices getting paid.
We can’t expect fancy code solutions with the way things are set up now, and I guess we can’t expect Facebook to screen all of the Facebook developers and vouch for them, but we’re at least entitled to better disclosure of the situation. It seems to me that it’s only a matter of time before a 21st-century MacPherson brings a lawsuit that will finally impose a duty of care in these situations. I guess I’ll just quietly go back to “Superpoking” until then.

Thanks so much for this information. It was very well explained. My question is: if Facebook does not allow storing of data for more than 24 hours, will an application be violating the developer terms of use by asking for information on DOB and contact email as a part of the application and posting a clear privacy policy?