
Facebook still being irresponsible with our personal information, says UVA student

Chronicle.com:


Study Raises New Privacy Concerns About Facebook

By JEFFREY R. YOUNG

Undergraduate researchers at the University of Virginia say that Facebook's application platform, which allows anyone to create plug-ins that can be placed on personal pages of the popular social-networking service, sends far more personal information than is necessary to the plug-ins' developers.

That means that an identity thief could develop an application to grab personal information using Facebook, says the study's leader, Adrienne P. Felt, a senior majoring in computer science.

Facebook officials argue that their application platform needs to be liberal with users' information to function properly. And they insist that any application developer who creates a malicious plug-in would be denied access to the site because misusing data violates Facebook's terms of service.

Thousands of applications have been created for Facebook since the company began allowing them last May. A typical application lets a user who adds the plug-in to their page share some information about themselves with other users who have also installed the application. One application called Visual Bookshelf, for instance, lets users list books they have read and share their lists with friends.

Even some colleges have joined in, creating plug-ins that, for instance, stream headlines from the public-relations office to users' Facebook pages or allow users to search the library's card catalog via Facebook. A college marketing blog recently listed more than a dozen Facebook applications created by colleges.

To install an application to their profile, users must check a box that says: "Allow this application to know who I am and access my information." The site further warns: "If you are not willing to grant access to your information, do not add this application."

But Ms. Felt argues that many Facebook applications do not even need access to most of a user's personal data to perform their functions (an application that lets users search a college library's catalog, for instance, does not need to know a user's birthday or who their friends are), and she is urging Facebook and other social-networking sites to fine-tune their settings to better guard user privacy.

In her study, Ms. Felt examined the 150 most popular third-party Facebook plug-ins to see whether they made use of private information on the users' accounts.

"We found that 8.7 percent didn't need any information; 82 percent used public data (name, network, list of friends); and only 9.3 percent needed private information (e.g., birthday)," Ms. Felt wrote on a Web site about the research.

She said in an interview that she did not know of any Facebook application developers who had misused private information, but she argued that "if this hasn't happened already, it will."

"I would recommend that people think twice before installing some random application," she added. ...

Here is the report on the study itself. It's a must read!

The problem with the Facebook Platform

The Facebook Platform lets Facebook users add gadgets to their profiles and play with third-party applications without leaving the Facebook site. It's been a wild success: the most popular Facebook applications have around 24 million users, and competing social networking sites have moved to create their own imitation platforms. However, although these open platforms enable cool features, they also pose serious privacy risks.

When Jane installs a Facebook application, the application is given the ability to see anything that Jane can see. This means that the application can request information about Jane, her friends, and her fellow network members. The owner of the application is free to collect, look at, and potentially misuse this information. The Facebook Terms of Use agreement tells application developers not to do this, but Facebook has no way of finding out or stopping them.

Users view their profiles on social networking sites as a form of self-expression, but these profiles also have commercial value to marketing companies, competing networking sites, and identity thieves. Data mining through the development platform can potentially affect more people than screen scraping, because it exposes information that might otherwise be hidden (i.e., users with "private" profiles may still install applications).

If a user wants to install an application, she must grant that application full privileges. Privacy settings can be applied to friends' applications, but one standard is set for all applications. There's no way to say, "X gets my hometown but Y only gets my favorite music." The principle of least authority, a security design principle, states that an actor should only be given the privileges needed to perform a job. In other words, an application that doesn't need private information shouldn't be given any.

We (with the help of Andrew Spisak) performed a systematic review of the top 150 Facebook applications in October 2007 and examined their information needs.

We found that 8.7% didn't need any information; 82% used public data (name, network, list of friends); and only 9.3% needed private information (e.g., birthday). Since all of the applications are given full access to private data, this means that 90.7% of applications are being given more privileges than they need.
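
The contrast the report draws between all-or-nothing installation and least authority can be sketched in code. This is an added example, not code from the study or from Facebook; the class, function and application names are hypothetical and the profile is constructed sample data.

```python
# Added illustration; hypothetical names, not the Facebook Platform API.
# Constructed sample profile.
JANE = {
    "name": "Jane", "network": "UVA", "friends": ["Bob", "Alice"],
    "birthday": "1986-03-14", "hometown": "Richmond",
    "favorite_music": ["Jazz"],
}

def all_or_nothing(profile, installed):
    """Model described in the text: installing an app exposes every field."""
    return dict(profile) if installed else {}

class ScopedGrants:
    """Least-authority alternative: an app can read only the fields it
    declared at install time AND the user approved for that app."""

    def __init__(self, profile):
        self._profile = profile
        self._grants = {}  # app_id -> frozenset of approved field names

    def install(self, app_id, requested, approved):
        unknown = set(requested) - set(self._profile)
        if unknown:
            raise ValueError(f"unknown fields requested: {sorted(unknown)}")
        # The user can narrow a request but never widen it.
        self._grants[app_id] = frozenset(requested) & frozenset(approved)

    def read(self, app_id, fields):
        granted = self._grants.get(app_id, frozenset())  # default deny
        denied = set(fields) - granted
        if denied:
            raise PermissionError(f"{app_id} not granted: {sorted(denied)}")
        return {f: self._profile[f] for f in fields}

def excess_fields(profile, needed):
    """Fields an app receives under all-or-nothing but does not need."""
    return sorted(set(all_or_nothing(profile, True)) - set(needed))

if __name__ == "__main__":
    grants = ScopedGrants(JANE)
    # "X gets my hometown but Y only gets my favorite music."
    grants.install("app_x", ["hometown", "birthday"], approved=["hometown"])
    grants.install("app_y", ["favorite_music"], approved=["favorite_music"])
    print(grants.read("app_x", ["hometown"]))
    print(excess_fields(JANE, needed=[]))  # an app needing no data at all
```
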
