Facebook Applications and Privacy Concerns

This week I spoke at the LSP Conference at UVa, and while I was there, I got to attend several other speeches that were very interesting.  One that I particularly enjoyed was on building Facebook applications, and the potential privacy issues surrounding them.  Adrienne Felt is a graduating fourth-year student at the University of Virginia’s Computer Science department in the School of Engineering and Applied Science (also my alma mater).

She first talked about how to go about building a Facebook app, which was interesting because I have been curious about it, but I hadn’t had the chance to look into it yet.  But the second half of her talk was more thought-provoking, because she discussed her research into the privacy issues of Facebook.  Those privacy issues are particularly relevant because of this article today in the Silicon Valley Insider, titled “Facebook Borks Blockbuster: Beacon Turns Into A Lawsuit”.

The short version of what apparently happened is that Facebook and Blockbuster Video had a deal where you could put an application on your Facebook profile, and this application in turn broadcast to your friends what movies you were renting.  When a lady by the name of Cathryn Elaine Harris rented a pornographic movie, she was apparently pretty embarrassed to see it broadcast on Facebook and now she is suing.

Now go back to the Alley Insider article and read the comments if you haven’t already.  Once you get past the crude jokes, you’ll see a reply by a poster named Roy stating that:

“You did not need to do any type of opting-in to get this behavior. Simply being logged into Facebook was enough for Beacon to push my Blockbuster rentals to my Facebook news feed. There was no “do you want to opt-in” email, there was no “do you agree to send information from one site to another” option … it just happened one day.”

That quote really rings true with what I learned from Adrienne at the LSP Conference.  Check out her site on Facebook Platform Privacy.

She is mainly talking about how when you build an application for Facebook, you can force people who install your app to let you get access to all their Facebook data or they won’t be able to install that app.  Most applications require you to let them have access to all your data, even though according to Adrienne’s research only about 6% of them use it.

Now this is a little different than the court case mentioned in Alley Insider, because that was a case of a company providing presumably private customer information to a public data feed without that customer’s consent (or at least that is what her pending suit will allege).

But nonetheless, the article reminded me of Adrienne’s presentation and her work at UVa on privacy issues because it highlighted how willing we are to give up control of our private information to anyone on Facebook who asks for it, just so we can install a Facebook app like Zombie Killer and play an online game with a friend.

While Zombie Killer is considered “safe” and is probably not doing anything bad with your Facebook info, the fact of the matter is that Facebook allows me as a developer to write an application, encourage you to install it, and then I am allowed to pull any information I want (except your email address) from the profiles of Facebook users of my application.  I can then store that data on my own server indefinitely and use it for anything I want.  Most uses of this will probably be for more direct marketing of products to you as a Facebook user, but frankly it is still creepy to me.