[Infowarrior] - A Flashy Facebook Page, at a Cost to Privacy

[Richard Forno]

A Flashy Facebook Page, at a Cost to Privacy
Add-Ons to Online Social Profiles Expose Personal Data to Strangers

By Kim Hart
Washington Post Staff Writer
Thursday, June 12, 2008; A01

http://www.washingtonpost.com/wp-dyn/content/article/2008/06/11/AR2008061103759_pf.html

Facebook fanatics who have covered their profiles on the popular  
social networking site with silly games and quirky trivia quizzes may  
be unknowingly giving a host of strangers an intimate peek at their  
lives.

Those mini-programs, called widgets or applications, allow users to  
personalize their pages and connect with friends and acquaintances.  
But they could pose privacy risks. Some security researchers warn that  
developers of the software have assembled too much information -- home  
town, schools attended, employment history -- and can use the data in  
ways that could harm or annoy users.

"Everything requires you to give access to personal information or it  
forces you to ask your friends to do the same -- it becomes a real  
nuisance," said David Dixon, 40, an information technology consultant  
in Columbia who recently deleted most of the applications he had  
downloaded to his Facebook profile after reading on a blog that  
developers may have access to his information. "Why does a Sudoku  
puzzle have to know I have two kids? Why does a postcard need to know  
where I went to college?"

Even private profiles, in which personal details are available only to  
specific friends, reveal personal information, said Chris Soghoian, a  
cyber-security researcher at Indiana University. And they're allowing  
access to their friends' information -- even if their friends are not  
using the application. That's because MySpace and Facebook, the  
largest online social networks, let outside developers see a member's  
information when they add a program.

"You want to be social with your friends, but now you're giving 20  
guys you've never met vast amounts of information from your profile,"  
he said. "That should be troubling to people."

A year ago, Facebook started allowing outside developers to create  
small software programs for members to download. Since then, the  
company said, about 24,000 applications have been built by 400,000  
developers. They've become enormously popular, with users playing  
poker, getting daily horoscopes and sending one another virtual  
cocktails, to name a few. More than 95 percent of Facebook users have  
installed at least one application, the company said.

Applications have grown so much that venture-capital firms have formed  
exclusively to fund their development, and there is a Stanford  
University course devoted to creating them.

In February, MySpace also opened up to developers. It has more than  
1,000 applications. The company, along with other social networks such  
as Hi5 and AOL's Bebo, allows applications under OpenSocial, a Google- 
led initiative that lets developers distribute games and other  
programs across multiple social networks.

Each site has come up with its own policies on the data that  
developers are allowed to see. MySpace, the largest social network,  
with 110 million members, said developers can see users' public  
details -- name, profile picture and friend lists -- when they  
download a program. When a user installs one on Facebook, which has 70  
million members, the developer can see everything in a profile except  
contact information, as well as friends' profiles. Members can limit  
what is seen by changing privacy controls, and both companies say  
developers are allowed to keep those data for only 24 hours.

Developers can collect other data from members once they've download  
the applications.

Ben Ling, director of Facebook's platform, said that developers are  
not allowed to share data with advertisers but that they can use it to  
tailor features to users. Facebook now removes applications that abuse  
user data by, for example, forcing members to invite all of their  
friends before they can use it.

"When we find out people have violated that policy, there is swift  
enforcement," he said.

But it is often difficult to tell when developers are breaking the  
rules by, for example, storing members' data for more than 24 hours,  
said Adrienne Felt, who recently studied Facebook security at the  
University of Virginia.

She examined 150 of the most popular Facebook applications to find out  
how much data could be gathered. Her research, which was presented at  
a privacy conference last month, found that about 90 percent of the  
applications have unnecessary access to private data.

"Once the information is on a third-party server, Facebook can't do  
anything about it," she said. Developers can use it to provide  
targeted ads based on a member's gender, age or relationship status.

Consumer advocates have voiced concerns over how software developers  
are using such data. The Center for Digital Democracy is urging the  
Federal Trade Commission to look into the privacy policies surrounding  
third-party applications.

Some developers acknowledge the value of the data at their fingertips  
but say they're careful not to abuse it.

"We don't care who their favorite musicians are, and we're not looking  
at their pictures," said Dan Goodman, co-founder of Loladex, an  
application that lets users find friend-recommended businesses, such  
as plumbers and pizzerias. Loladex does keep track of user-provided  
data, such as Zip codes.

Goodman said he hasn't ruled out using the data for targeted  
advertising, but "we're not trying to push the privacy envelope."

Hungry Machine, based in Georgetown, has created 25 Facebook  
applications, including programs that let users recommend movies,  
books and music.

"Leveraging that data would make a lot of sense," said Tim  
O'Shaughnessy, a co-founder of the company. But he said no plans are  
in the works.

Slide, which designed three of the most popular Facebook applications  
-- SuperPoke, FunWall and Top Friends -- said it uses personal details  
only to make applications more relevant to users. For example, Slide  
collects friends' birthdays so it can remind you to "poke" them on the  
right day.

Many Facebook users don't mind using the tools to express themselves.  
Gabby Jordan of Baltimore uses the Flirtable and Pimp Wars programs to  
connect with friends.

"If there are too many, you could easily delete them off your profile  
and not have to worry about it," she wrote in an e-mail.

But revealing information on quizzes or maps of places visited, for  
instance, may also make it easier for strangers to piece together  
tidbits to create larger security threats, said Alessandro Acquisti,  
assistant professor of public policy and information systems at  
Carnegie Mellon University.

Some online activities ask users to list pets' names or to display  
their high school's mascot, answers to common security questions asked  
by financial companies.

"Nowadays, some people have downloaded so many [applications], it's a  
constant flow of information about what they've done, what they're  
doing, which can be mined by your friends and also by someone you  
don't know anything about," he said.