Over the past few years on-line social networks (such as Facebook) have earned great popularity.  What they do is to offer the means of communication and sharing to the users who in turn become subjects to advertising.  The revenue generated by the OSN is not from the users themselves but from the advertisers.  Since these networks operate by gathering private user data and allowing their users to share private information, videos, photos, status updates, etc., privacy has become a major concern.  I am not here to argue extensively why you should be private (identity theft, phishing, credibility checks by potential employers, spam, etc.) but when it comes to Facebook I will try to explain a few basic principles on the difference between using Facebook itself and using third party applications on it.

 

Facebook provides a mechanism through which you can configure who can access various personal information and the things that you share.  It lets you configure a privacy policy for each static item (telephone number, e-mail address, relationship status, etc.) as well as everything else you share (status updates, photos, etc.) The privacy setting can be (a) Only you (b) All your friends (c) Public or (d) Any number of groups of people, where it also gives you the functionality to categorize your friends into groups.  If you do take the time to configure these settings then they are somehow adequate (nothing is fully private once posted on the Internet), however it does give a basic infrastructure for maintaining your privacy.

 

As far as advertising is concerned, I can say with caution that you are safe.  Advertisements are shown to you while browsing Facebook pages, and which advertisements are to be displayed are chosen by Facebook itself based on filters provided by the advertisers.  The advertisers have no access to the personal information of the people who have seen their ad, but only to collective aggregates and statistics.

 

When it comes to applications however things are different.  The Facebook privacy policy at the moment states:

While you are allowing us to use the information we receive about you, you always own all of your information. Your trust is important to us, which is why we don’t share information we receive about you with others unless we have:

  • received your permission;
  • given you notice, such as by telling you about it in this policy; or
  • removed your name or any other personally identifying information from it.

 

This is exactly where things become tricky.  You give your permission whenever you install an application on Facebook or you use another site’s registration with Facebook Connect by clicking the “Allow” button.  Whenever you do that you grant access to these applications (and thus to their developers) to your private data, as stated in the little box with the “Allow” button.  Have you ever read it?  To make matters worse, as the application acts on your behalf it may even harvest your friends’ data that they chose to share with you.  To test it out, I created an application and wrote the code myself.  In 15 minutes worth of effort I was able to pull private data from the Facebook Graph API in a state that I could store in my own database.  The problem is that Facebook could upgrade their infrastructure to create a mechanism for protecting their users’ security.  Various researches have already proposed solutions.  However since unless demanded by people this means extra development cost for no profit, so far they haven’t.  Instead they inadequately choose to rely on the licence agreement of their API with third party application developers that they should not store user information.  A study carried out at Virginia University showed that out of the 150 most popular Facebook Applications only 14 required some private information.  Ms. Felt who supervised the study said in an interview: “I do not know of any Facebook application developers who had misused private information, but if this hasn’t happened already, it will.”
So next time the Allow button pops up on your screen, think twice.