Privacy in Facebook apps – the risk of the SuperPoke
The social networking site Facebook has been under scrutiny lately for lax security with its applications feature. Applications in Facebook are created by third-party software developers and are run on third-party servers. These applications can take many forms – a quiz, a game, or just another way to reach out to friends – but the common feature in all is that they allow software developers to access Facebook users’ personal data.
And while Facebook says it advises its users to “employ…precautions” when downloading applications, any Facebook user will tell you that most applications simply won’t work if you don’t agree to give the developer access to your information.
BBC’s technology program Click decided to test out this security flaw by creating its own Facebook application meant solely to “steal the personal details of you and all your Facebook friends without you knowing”. The application took them three hours to create and allowed them to not only collect personal information about the Facebook user who had downloaded the application, but all of his friends as well.
Click’s experiment suggests that the concerns of privacy advocates (including those of us at the Office of the Privacy Commissioner) are warranted: the applications feature on Facebook exposes users to significant privacy risks. As well, the collection and use of this data by third-party developers could mean that some developers aren’t complying with PIPEDA, Canada’s private sector privacy legislation.
Something to think about the next time you feel like throwing a sheep.
6 Responses
11:49 am
Good for the BBC. Having built a test Facebook App myself I was astonished by how easy it was to build a huge user base very quickly. It’s the ultimate viral community because of the sheep-throwing behaviour of its users and the way that app installs are structured (in order to see the Sheep your friend throws at you, you have to install the app). From a web app company’s perspective it’s really an amazing tool and an opportunity you can’t ignore.
But you and the BBC are exactly right. In the wrong hands this information becomes dangerously easy to access and distribute. Facebook app users are automatically signed up for your regular site (if you have one), so consider all those users to be “yours” if you run your own database. There are markets for databases like that, so even if your app fails to make profit, you can dump the database on the spam market (and others) to recoup your costs. It’s like a last-ditch business model for Web 2.0.
7:03 pm
In 30 minutes I was able to create a Facebook application that generates 100,000 email addresses of Facebook users in 30 seconds, though I was also testing; I removed all my personal information from Facebook. It is very easy to hack Facebook with their developer stuff.
2:18 pm
Social media creates a real threat to people’s privacy. At the same time people do not care about this issue or maybe they don’t realize the importance of it. I feel government does do enough on educating people about privacy. Also it appears there is a new wave of Privacy 2.0 companies that offer services allowing people to mask their personal information such as email, phone, and credit cards on the web. Check out this blog; they cover some of them: http://blog.arzoola.com/.
8:14 am
[...] Office of the Privacy Commissioner – blog – Yates – Risk of the SuperPoke http://blog.privcom.gc.ca/index.php/2008/05/07/privacy-in-facebook-apps-the-risk-of-the-superpoke [...]
8:07 pm
[...] 3 Kristen Yates, “Privacy in Facebook apps – the risk of the SuperPoke” Privacy Commissioner of Canada (7 May, 2008), online: Privacy Commissioner Canada http://blog.privcom.gc.ca/index.php/2008/05/07/privacy-in-facebook-apps-the-risk-of-the-superpoke [...]
7:58 pm
[...] Privacy in Facebook apps – the risk of the SuperPoke The application took them three hours to create and allowed them to not only collect personal information about the Facebook user who had downloaded the application, but all of his friends as well. [...]