Study Raises New Privacy Concerns About Facebook

February 04, 2008

Undergraduate researchers at the University of Virginia say that Facebook's application platform, which allows anyone to create plug-ins that can be placed on personal pages of the popular social-networking service, sends far more personal information than is necessary to the plug-ins' developers.

That means that an identity thief could develop an application to grab personal information using Facebook, says the study's leader, Adrienne P. Felt, a senior majoring in computer science.

Facebook officials argue that their application platform needs to be liberal with users' information to function properly. And they insist that any application developer who creates a malicious plug-in would be denied access to the site because misusing data violates Facebook's terms of service.

Thousands of applications have been created for Facebook since the company began allowing them last May. A typical application lets a user who adds the plug-in to their page share some information about themselves with other users who have also installed the application. One application called Visual Bookshelf, for instance, lets users list books they have read and share their lists with friends.

Even some colleges have joined in, creating plug-ins that, for instance, stream headlines from the public-relations office to users' Facebook pages or allow users to search the library's card catalog via Facebook. A college marketing blog recently listed more than a dozen Facebook applications created by colleges.

To install an application to their profile, users must check a box that says: "Allow this application to know who I am and access my information." The site further warns: "If you are not willing to grant access to your information, do not add this application."

But Ms. Felt argues that many Facebook applications do not even need access to most of a user's personal data to perform their functions (an application that lets users search a college library's catalog, for instance, does not need to know a user's birthday or who their friends are), and she is urging Facebook and other social-networking sites to fine-tune their settings to better guard user privacy.

In her study, Ms. Felt examined the 150 most popular third-party Facebook plug-ins to see whether they made use of private information on the users' accounts.

"We found that 8.7 percent didn't need any information; 82 percent used public data (name, network, list of friends); and only 9.3 percent needed private information (e.g., birthday)," Ms. Felt wrote on a Web site about the research.

She said in an interview that she did not know of any Facebook application developers who had misused private information, but she argued that "if this hasn't happened already, it will."

"I would recommend that people think twice before installing some random application," she added.

Protection From Plug-Ins

Facebook officials defended the company's policies.

"By limiting developers' access to user data, Facebook would be limiting the types of useful applications that can be built," said a representative of Facebook, who spoke on condition of anonymity because she is not authorized to talk to reporters.

The representative, in an e-mail interview, pointed out that users do have the ability to fine-tune some aspects of how applications access their data. Those settings are somewhat buried, however. (To get to them, users must go to the "privacy" section of the service, and then select the "profile section.")

"Obviously, privacy and security are a huge priority for Facebook," she added.

B.J. Fogg, director of Stanford University's Persuasive Technology Lab, co-teaches a course at the university about developing Facebook applications. He agreed that many applications can see more user information than they need to. But he argued that the risks of using Facebook applications are minimal. "Like most things in the world, it is a trade-off, and the risks are low compared to the benefits," he said.

Even if a malicious application developer could snag all of the information from someone's Facebook profile, they probably wouldn't have enough to do anything terribly damaging with the information because the site doesn't store social-security numbers or other sensitive data, he said. "I can't come up with a really terrible story" or worst-cast scenario, he said. Facebook has a high incentive to strictly enforce its policies and ban any abusive applications that might pop up, Mr. Fogg said.

He also argued that most users of the social-networking service were aware that the applications they installed could monitor their information. "Facebook has this ethic of openness, and if you're on Facebook, there are certain things you share with other people," he added.

Most Internet users these days seem far less concerned than Ms. Felt about the information they share online. In a survey conducted last year by the Pew Internet & American Life Project, 61 percent of respondents said they did not feel a need to limit the amount of information that could be discovered about them online.

"By and large, people aren't worried about the personal information about them that's available online, which is striking," said Mary Madden, a senior research specialist for the project.