Facebook lives up to my worst expectations

In January 2008 I made this prediction:

it would be far more effective to use a Facebook application to harvest personal information whilst apparently offering a useful service, and then use the data elsewhere and/or at some time after the application harvested it.

And sure enough, Facebook application providers such as FarmVille and FrontierVille have been hoovering up user data via the Facebook API and selling it to 3rd party advertisers. This has been all over the web today, and is just the latest in a long line of Facebook security cockups. Of course, it's been known about for ages as well, as I pointed out in this February 2008 post:

Researchers from the University of Virginia recently announced that in a study of the top 150 Facebook applications, more than 90% were given access to information that was not needed to function correctly. That Scrabble or Superpoke application you really like? Its developers get access to your religion, sexuality and home town.
-- slashdot.org

Because the WSJ has run the story today, the webosphere is all a-flutter with the 'news':

The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities.
-- WSJ

There are currently more than 550,000 Facebook apps, they haven't been audited by Facebook, and they don't run on Facebook's servers. As an application developer, you are responsible for hosting your application, not Facebook, so you have complete control over the data Facebook feeds to your application. As a developer, to get access to all this juicy data, all you need to do is click on an "I agree to behave" agreement on Facebook's developer site. There is absolutely no technical means by which Facebook can determine what the apps are doing with users' data after it has been transmitted to the application.

Next time someone sends you an application invite, rather than blindly clicking 'Accept', ask yourself why it needs the information it is asking for access to, and if you don't think it's reasonable, reject the invitation. Personally I won't use any Facebook apps at all, because I barely trust Facebook, let alone some unknown and unaccountable external company who I have absolutely no recourse against.

I think part of the reason that Facebook has become popular, apart from the 'social networking' aspects, is that people believe it's somehow 'safer' than the rest of the internet because you have to log in, and there's a veneer of apparent control over your data. However, that's a dangerous assumption. You are not significantly safer on Facebook than you are on any random internet site, and in practice probably less so, as Facebook is set up to encourage you to disclose information that you probably wouldn't disclose on an 'open' website.

As Scott McNealy said 11 years ago:

You have zero privacy anyway. Get over it.