Study Finds Privacy Lapse in Facebook Apps

Playing Jetman on Facebook.com may cause you to lose more than just the game. Your private information is also at stake.

Facebook application developers—who can be anybody—are unnecessarily given full access to both users’ and their friends’ private information, according to a University of Virginia study.

Adrienne Felt, a senior at the University of Virginia who conducted the study, looked at the top 150 Facebook applications and what information they require in order to run. She concluded that only 9.3 percent of these applications required private information—yet Facebook currently gives all applications access to the information.

Felt said that application developers can see a user’s birthday, religion, sexual orientation, relationship status, past schools and photos—though not a person’s contact information.

“Currently, Facebook gives permissions for applications to view all the users’ information,” Felt said.

According to the company’s privacy policy, Facebook does require application developers to agree to respect users’ private information—but the company has no way of enforcing that requirement.

“While we have undertaken contractual and technical steps to restrict possible misuse” of personal data, the document reads, “we of course cannot and do not guarantee that all Platform Developers will abide by such agreements.”

“It’s a gentleman’s agreement,” said Christopher Soghoian, an Indiana University graduate student and a blogger on privacy and security issues for CNET.com. “But as Adrienne Felt’s study shows, developers are getting access to far more stuff then they need. There is no legitimate reason that a Scrabulous developer needs to know your religion or sex.”

Application creators can also have access to a user’s friends’ personal information without the friends having accepted the application.

“Users are unknowingly selling out their friends’ data,” said Soghoian. “And I think Facebook isn’t really communicating this at all. Do you trust a random developer that you’ve never met? For many people the answer should be no.”

Soghoian said that Facebook does have a privacy setting that can prevent a person’s personal information from being obtained by an unaccepted application, but that the setting is not easy to find. Additionally, all self-installed applications still have access to the personal information of the user.

John G. Palfrey ’94, executive director of the Berkman Center for Internet and Society at Harvard Law School, said that while this may seem troubling, he believes Facebook, relative to other websites, does a good job of informing users where their information is going.

“Nobody reads privacy policies. This is an issue that will probably be around for a long time to come,” he said.

However, Soghoin points out that the public won’t change their behavior until they have evidence that their information is being used inappropriately.

“Until we see something like that, we’re not going to see massive outcry, which is unfortunate,” he said.

Millicent M. Younger ’10, who uses the Scrabulous application, reacted to news of Felt’s study with the same sentiment.

“People should probably be more concerned than they are, and I should be more concerned than I am,” she said.

—Staff writer Rachel A. Stark can be reached at rstark@fas.harvard.edu.