Facebook passes the privacy ball to developers

Changes to the Facebook Platform for developers

I’ve written about the legal labyrinth developers for Facebook’s Platform must navigate in a previous post. Facebook has outlined its changes to the Facebook Platform for developers in its post titled “A New Data Model”. The post describes the changes to Facebook’s Platform from behind the scenes. There are a number of interesting changes which are concerning.

Generally speaking Facebook is putting some distance between developers and users. Its new approach is summed up in this paragraph from the post:

These changes reflect two core beliefs: first, user data belongs to the user; they should have transparency and control over it. And second, you should be able to build relationships with your users; we should not be in the way. We hope these improvements will foster more trust and engagement for our platform and the applications and websites using it.

By putting some distance between itself and users, Facebook doesn’t have to take responsibility for errant developers who abuse the new levels of access they are being granted to users’ personal information. On one hand it probably lightens the administrative load on Facebook to keep a watchful eye on the Facebook Platform ecosystem but it also gives Facebook an excuse when a user’s personal information is abused: its not Facebook’s job to manage a user’s relationship with the developer. The hope is that developers will conduct themselves responsibly but there have already been instances of developers who have abused the system and misused users’ personal information through their applications.

For starters the permissions developers require from users to permit social applications and socially aware websites to access users’ profile information are not as granular as they were before Facebook shifted away from its previous Facebook Connect approval and authentication model. One of the changes is that instead of being required to approve a series of requests to reference different aspects of a user’s profile, all the necessary permissions are collection in a single dialogue:

While this certainly makes obtaining permissions from users a lot simpler for developers and gives the appearance of a simpler approval mechanism for users, it removes the option of allowing access to some parts of a user’s profile and not to others. Instead, using a social application or socially aware website becomes an either/or option for users: either they grant all the permissions requested or they don’t benefit from the social functionality of the site or the application.

Facebook has also removed the 24 hour retention limit on some profile information which, coupled with increased profile publicity thanks to changes to profile publicity in December 2009, increases the risk of users’ personal information abuse. Developers still require users’ consent to access and store their personal information and if they obtain explicit consent, they will be able to do more with users’ profile information than simply display it back to them. As a starting point developers will have access to users’ User ID, name and email address and, thanks to Facebook’s real-time updates, developers will also receive updates when users change their profile information which they have given developers access to.

One of the challenges with this degree of data retention and Facebook’s hands-off approach is that users will have to take greater responsibility for managing their profile information (as much as they can, Facebook has already decided that some profile information will be public by default and the majority of users are not savvy enough to change those defaults where possible). Another challenge is that developers are expected to publish privacy policies for their applications and websites and give users an option to delete their personal information. This is particularly concerning because once the information has been passed along to an unscrupulous developer, you can’t unscramble that egg.

These are just overviews of some of the implications of the new Facebook Platform. There are even more privacy concerns and a marked absence of adequate answers. As has become its habit, Facebook couches these changes in user friendliness and convenience terms which disguise the underlying threats to users’ privacy in the hope that more people will drink the Koolaid than will question its motives.

Complying with privacy law

As I mentioned above, Facebook requires developers to make sure they comply with applicable privacy laws. In South Africa developers should anticipate the Protection of Personal Information Bill which is making its way through Parliament. This legislation, when enacted, will likely require developers to publish a detailed privacy policy describing what personal information they will collect from users and what they intend doing with that personal information. I wrote about the essential requirements of a privacy policy in a recent post titled “Privacy policies that don’t suck”. The key issue there is to obtain informed consent from users to collect that personal information and process it in the manner the developer intends. Depending on what personal information the developer intends collecting, specific consent to collect personal information for a specific session may also be required.

To add to all of this, Facebook’s global nature may also necessitate that developers factor in privacy laws in other countries and regions. The European Union has a fairly developed body of laws and regulations dealing with data collection and privacy and developers may need to cater for these rules as well.

This is one of the challenges of Facebook shifting the responsibility for how developers interact with users’ personal information to the developers. Developers not only need to take care to comply with Facebook’s own policies but they also have to cater for privacy laws which may impact on their applications. For users the challenge is managing their personal information better on Facebook and taking care not to give permission to collect and process their personal information without first taking the time to understand exactly what will be done with it. This decentralised approach opens the door to even more abuses and users will be left picking up the pieces while Facebook shrugs its shoulders.

Published by Paul Jacobson

Enthusiast, writer, Happiness Engineer at @automattic. I take photos too. Passionate about my wife, Gina and #proudDad.

%d bloggers like this: