Facebook Apps’ New Access to Contact Information Concerns Security Experts
On Friday, Facebook announced that it will allow application developers to request access to a user’s address and mobile phone number. Although the company is taking pains to point out that the request is optional and must be explicitly granted by the user, the feature is already drawing criticism from privacy advocates and security experts.
Historically, Facebook applications have been able to request certain bits of information about a user. This information can include basic tidbits, like a person’s name, gender, list of friends and other publicly viewable information. More recently, Facebook has also allowed applications to request access to a user’s e-mail address. An application may then use this data to better serve the user.
On its developer blog, Facebook stresses that access to this data is governed by Facebook’s Platform Policies. These policies are supposed to ensure that user data is only used for legitimate purposes. Of course, that’s easier said than done.
As Graham Cluley, senior technology consultant at Sophos, points out, some of the hysteria surrounding this new feature is perhaps being blown out of proportion. “This change isn’t as drastic as it might first appear, because users will need to give permission for third-party Facebook applications to access this data,” he says.
That doesn’t mean that the feature is without its foibles. Cluley continues, “It still sounds like a recipe for disaster, given the prevalence of rogue scam applications already on Facebook — all of which benefit from apparently being blessed by the Facebook name and brand.”
In fact, our real problem with the new feature is that it can be used by developers regardless of their intentions. Rogue Facebook apps continue to spread like wildfire and now those apps will potentially have access to even more user information.
Cluley suggests that only approved developers should have access to information like phone numbers and addresses. We agree. While we’re sure there are legitimate use cases for giving an application access to such information (though we can’t think of that many offhand), if Facebook is really concerned about its users’ privacy, it should impose stricter standards on app developers before giving them keys to the kingdom.
Furthermore, the notion that the feature is opt-in seems disingenuous. This might be accurate, but in most scenarios, requests for this kind of information are going to be made during the initial sign-up/install process. In other words, users are forced (and usually programmed) to allow the permissions request if an app is to be used. At the very least, for apps that don’t absolutely need a telephone number or address, there should be an option to allow partial access to public information, while still keeping phone numbers and addresses private.
The comments on the Facebook Developers blog entry are overwhelmingly negative — and many of those negative responses are from developers. Many are advocating that users remove their phone number and address data from Facebook.
That’s not a bad idea — although it seems to be an extreme response to a problem that realistically shouldn’t exist in the first place. If Facebook would take a harder stance on rogue applications, allow more granular permission types and do more to ensure that developers actually respect their platform policies, maybe users would feel less squeamish about offering up their personal information to the service.