Facebook’s Biggest Un-Secret: Your apps are watching you!

Posted on May 13, 2011


So it turns out Facebook has been hiring PR firms to highlight Google’s privacy violations “for the common good”, and not at all to draw attention away from its own practices. Pot, meet kettle, as they say.

So now seems a good time to flag an issue that has been nagging me since I started dabbling in the social web. See, Facebook has a big Un-Secret: its Graph API.

Why Un-Secret? Because it’s not a secret. Not at all. The Facebook Graph API is publicly documented. It is the programming interface through which social app developers, Facebook game developers and so on interact with Facebook’s services. All you need to build a Facebook app is some programming knowledge and an app key, which is easy to get for anyone who registers as an app developer.

But let’s have a look at the Graph API. Why should it be of any concern? Short answer: because when you use a Facebook app, that app gains considerable access to your personal information, and quite a lot of access to your friends’ information too. So you don’t even need to be an app junkie for your information to be exposed: simply having friends who use these apps can erode your privacy.

See, when you click that harmless-looking “Allow” button, you grant the app access to your profile. This is not a secret of course: it tells you right there, “this app is requesting permission to do the following:”. But tell me, did you read that? More importantly, did you think about what it meant? It means that the app, no matter what it is (it could be a quiz, it could be a game, anything) can get access to most of the information on your Facebook profile that is visible to anyone you are friends with. And since the app is just code running on the developers’ own servers, the application developers have access to that information too, and whatever they copy off Facebook is beyond the reach of your privacy settings from then on.

Of course you can choose how much to share, and some people have it all locked down, but many do not. It gets better:

“Your friend list is always available to applications”

The app can see who you are friends with and retrieve their public profiles (the profile you see when you are not “friends” with someone). But again, how many people have not worked out the privacy settings or realised the importance of locking down their profiles? Many people have a lot of their information publicly viewable, and this information can be harvested by Facebook apps which their friends have installed, without those people ever installing anything or clicking “Allow” themselves. All of this is automated: one script, one app key and the friend lists of every installer, and you get a profile of everyone those installers know. Exactly why someone would do this is not even that relevant if you consider: how comfortable are you knowing that it is even possible for someone to do so?

Even if you have strict privacy settings, there is often enough information around you to make close estimates. Gender can be guessed from your name. Your position in other people’s social networks also says a lot about you: people tend to be friends with people like themselves, so if many of your friends share characteristics (music taste, political affiliation and so on) it is not much of a stretch to assume you share them too. Similarly, you can hide your address, but you can often be located from where your friends live, and the more of your friends who leave their city public, the better the guess. None of this needs your data at all; it only needs your friends’.
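To make both the harvesting and the guessing concrete, here is an added example of my own (not code from this post, and not Facebook’s Graph API). It models a small made-up social graph: which fields each person left public, who is friends with whom, and which people installed an app. app_view() returns what the app can harvest under the rules described above (the friend-level profile and full friend list of each installer, and only the public profile of their friends), and infer_attribute() guesses a hidden field by majority vote over the friends the app knows about. All names, profiles and friendships are constructed, and the field names city, politics and music are assumptions for illustration, not Graph API field names.

```python
"""Constructed social graph: what a third-party app can harvest, and what it
can then guess about people who locked their profiles down.
All data below is made up for this example."""
from collections import Counter

# Friend-level profiles: what anyone you are friends with can see, and therefore
# what an app gets once its installer clicks "Allow" (field names are assumptions).
PROFILES = {
    "alice": {"name": "Alice Moreau",   "city": "Lyon",   "politics": "green",   "music": "jazz"},
    "bob":   {"name": "Bob Lindqvist",  "city": "Lyon",   "politics": "green",   "music": "jazz"},
    "carol": {"name": "Carol Nakamura", "city": "Lyon",   "politics": "green",   "music": "metal"},
    "dave":  {"name": "Dave Okafor",    "city": "Lyon",   "politics": "green",   "music": "folk"},
    "erin":  {"name": "Erin Walsh",     "city": "Paris",  "politics": "liberal", "music": "jazz"},
    "frank": {"name": "Frank Duarte",   "city": "Madrid", "politics": "liberal", "music": "metal"},
}

# Privacy settings: fields each user left visible to everyone (the public profile).
# alice has locked everything down except her name.
PUBLIC_FIELDS = {
    "alice": {"name"},
    "bob":   {"name", "city"},
    "carol": {"name", "city", "music"},
    "dave":  {"name", "city", "politics"},
    "erin":  {"name", "city"},
    "frank": {"name"},
}

# Undirected friendships. frank only knows erin.
EDGES = [("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
         ("bob", "carol"), ("bob", "dave"), ("dave", "erin"), ("erin", "frank")]

FRIENDS = {u: set() for u in PROFILES}
for a, b in EDGES:
    FRIENDS[a].add(b)
    FRIENDS[b].add(a)

INFERABLE = ("city", "politics", "music")


def app_view(app_users):
    """What an app harvests when `app_users` have installed it.

    Each installer yields their friend-level profile and their whole friend
    list; each of their friends yields only the public profile. Accounts not
    adjacent to an installer are invisible. Returns (profiles, known_edges).
    """
    profiles, known_edges = {}, set()
    for user in app_users:
        profiles.setdefault(user, {}).update(PROFILES[user])
        for friend in FRIENDS[user]:
            known_edges.add(frozenset((user, friend)))
            public = {k: v for k, v in PROFILES[friend].items()
                      if k in PUBLIC_FIELDS[friend]}
            # a friend of several installers is seen several times; merge views
            profiles.setdefault(friend, {}).update(public)
    return profiles, known_edges


def infer_attribute(user, attr, profiles, known_edges):
    """Majority vote over the friends the app knows who expose `attr`.

    Returns (value, support); support is the number of friends agreeing, and
    (None, 0) means no known friend exposes the field at all. Ties are broken
    alphabetically so the result is deterministic.
    """
    votes = Counter()
    for edge in known_edges:
        if user in edge:
            (friend,) = edge - {user}
            if attr in profiles.get(friend, {}):
                votes[profiles[friend][attr]] += 1
    if not votes:
        return None, 0
    top = max(votes.values())
    return min(v for v, n in votes.items() if n == top), top


def exposure_report(app_users):
    """Per account: fields the app sees directly, plus guesses for the rest.

    Each guess is (value, support, correct); `correct` compares against the
    ground truth the app never saw. None means the account is invisible.
    """
    profiles, known_edges = app_view(app_users)
    report = {}
    for user in PROFILES:
        if user not in profiles:
            report[user] = None
            continue
        seen = set(profiles[user])
        guesses = {}
        for attr in INFERABLE:
            if attr in seen:
                continue
            value, support = infer_attribute(user, attr, profiles, known_edges)
            if value is not None:
                guesses[attr] = (value, support, value == PROFILES[user][attr])
        report[user] = {"seen": seen, "inferred": guesses}
    return report


if __name__ == "__main__":
    for person, entry in exposure_report({"bob", "dave"}).items():
        print(person, entry)
```

Run it with bob and dave as the only installers and alice, who published nothing but her name, comes out as Lyon and green with two friends backing each guess; only frank, who knows no installer, stays invisible. The caveat is visible in the same output: alice’s music guess is a coin flip between two friends and lands wrong, and erin’s single-friend guesses are both wrong. A majority over one or two friends is noise, but the loop is the same one that runs over a real friend list of a few hundred people, where the odds get much better, and the target never has to install anything.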

And let me reiterate: none of this is news, none of this is secret. The information for app developers is there online. The agreement is there in plain language when you accept an app invite.

What there is not is awareness among users of the implications: Facebook is a tool for anyone with a reasonably successful app to harvest huge amounts of data. This is valuable marketing data, and no matter how innocent the app may look (it could be about magical ponies) there are no guarantees that the developers are not making full use of the data-collection tools available to build up a picture of you and your friends. There are no guarantees that these developers are not working for governmental or private security agencies. After all, to Facebook these are just customers who use its tools and are free to access the data that Facebook makes available.

This is a serious concern. Quite apart from the many questionable activities of western governments, many Facebook users do not live under remotely benign governments, and for those governments Facebook is an excellent spying tool for keeping up the oppression of their citizens.

Then there are the private security forces, good old-fashioned mercenaries like Xe/Blackwater or Securitas who work for whoever pays them and who will happily find ways to pry for their clients. Thanks to Facebook, it may just be a matter of writing a Facebook quiz.

So what can you do? The radical solution is of course to ditch Facebook and go back to emails and phone calls. Assuming that, like many people, you now find Facebook an indispensable part of your social life, the first thing to do is to remove any apps you have installed (an app keeps its access until you revoke it, not just while you are using it), then go through your privacy settings and set everything to “only me” or “friends only”, and remove any profile information that isn’t really essential to your social life. Remember that anything you leave public is there for the taking by any app one of your friends has installed, so the only real protection for a piece of information is not to put it on Facebook at all. Finally, just don’t accept invites to pointless apps, and learn whom to trust and whom not to trust on the internet!