The Social Media Security Podcast

Updated 4:55 p.m.

Earlier today, Apple news site Macworld published a story with the ominous headline, “Facebook’s new features secretly add apps to your profile“. That claim will naturally get attention, and other sites have started the news.

There’s just one problem: The story appears to be incorrect.

I am not saying that Macworld’s writers are trying to mislead or that they intentionally reported incorrect statements. But I do think they did misunderstood some Facebook behaviors in their zeal to protect user privacy.

The behavior described in the article has nothing to do with “new features” from Facebook and existed under the old Facebook Connect model. When you visit a website that integrates with Facebook using application APIs, that site may load content from Facebook, such as buttons to login to the site with your Facebook account. Facebook then records a visit and lists the website’s application under the “Recently Used” section of your Application Settings page. Apart from the new instant personalization partners (Docs.com, Pandora, and Yelp), the external website does not automatically receive any of your Facebook information. Your visit will be included in the application’s active user count, but your name will not show up on the application’s information page. In fact, visiting that info page for any application has the same result – Facebook shows the app as recently used, but doesn’t transfer any data to the app.

The traditional sense of “adding” or “installing” a Facebook application is that you allow the app access to your profile by clicking through a standard prompt. For applications on Facebook, this is the familiar page asking to “Allow Access,” which did recently receive a makeover and some new features most of the time. For websites outside of Facebook, this happens when you click “Connect with Facebook” or “Login to Facebook” and then agree to the prompt that pops up. Once you’ve taken this extra step beyond just visiting, the site can then identify you and access certain information about you. Applications within Facebook can identify you and access certain public information automatically if you reach them via certain channels, such as by clicking on a friend’s news feed story. Again, all of these behaviors have been around for quite a while.

On the description page for an application, you’ll see a list of friends who have added the app. That list only includes friends of yours who have taken the extra step of “installing” the application as described above. If you only visit a Facebook-enhanced website or Facebook application but don’t agree to the extra prompt, you will never show up in that list or the general list of an application’s users.

Some people may be worried by the fact that Facebook can record visits to other websites that include Facebook content, and those concerns have credibility. But Facebook has this ability for years. Any time a website includes “like” buttons, lists of fans, or other data loaded from Facebook, footprints are left behind. This is not much different from tracking that happens with third-party advertising networks – except that Facebook knows much more about your identity. If you want to avoid tracking entirely, log out of Facebook before visiting other websites.

Readers of this blog know that I have often criticized Facebook over privacy and security issues. But I find it very important to be accurate and avoid sensationalism in such criticisms. If reports include mistaken or overblown problems, users become more confused, appropriate criticisms can be discredited, and Facebook has a chance to gloss over other legitimate concerns. Unless I misunderstood what Macworld described, I think this is one case where fears over supposedly malware-like behavior are not justified. We need to leave this story behind and focus on real issues facing Facebook users.

Note: To clarify, what I describe here does not apply to the three instant personalization partner sites: Docs.com, Pandora, and Yelp. Those sites’ applications are “installed” as soon as you visit unless you opt-out from the instant personalization program or block the apps individually.

Update: Macworld has added a response from Facebook, and the company says a bug temporarily caused external websites to show up in a user’s application list. Apparently my misunderstanding was that these sites’ applications don’t normally show up as “Recently Used,” but their appearance did not indicate any difference in functionality and the technical details I gave describing how such applications work remain unchanged. In other words, seeing these sites under “Recently Used” was consistent with their normal behavior. Facebook confirmed that no data was shared with the applications and that users’ visits were never visible to anyone else.

After Facebook’s sweeping announcements at the 2010 f8 conference, many people have been reexamining the content they’ve posted on Facebook and who can access that content. This process has helped raise awareness of new behaviors that affect privacy expectations, but has also caused some users to discover old issues for the first time. As with many Facebook updates, the ensuing responses have at times led to confusion and misunderstandings. In this guide, I hope to provide some clarity in understanding how privacy works on Facebook.

This guide is intended for a general audience, so I will try hard to explain ideas clearly and not get bogged down by technical details. However, I will also be focusing on the concepts behind various privacy controls, but not necessarily stepping through all available settings. If you want more on the latter, along with recommendations for those settings, I would point you to the Facebook Privacy & Security Guide maintained by Tom Eston at Social Media Security, a site where I’m also a contributor.

In case you’re not familiar with Social Hacking, it’s a blog about privacy and security issues in online social networking written by Joey Tyson (a.k.a. theharmonyguy), a security engineer at Gemini Security Solutions. Note that all opinions are those of the author and do not reflect in any way on Gemini or any other organization. Finally, note that this guide is licensed under a Creative Commons License. That means you’re welcome to share it with others for noncommercial purposes if you cite Social Hacking or theharmonyguy with a link to http://theharmonyguy.com/ and under similar terms. If you want to publish a large portion of the guide on a site that includes advertising, please contact me first.

1. Facebook is Not Magic

I’ve spent countless hours over the last few years studying the technical details behind Facebook’s privacy controls and looking for ways an attacker could override them. All that investigation leads me to state that Facebook is not magic, in both a positive and a negative sense. First, while Facebook employs all sorts of technology to record your activity on the site and the information you post there, they cannot magically discover all of your secrets and post them for the world to see. The biggest form of control you have over your content on Facebook is not sharing it to begin with.

Of course, participating in Facebook often carries a variety of social pressures that may prevent from simply “not sharing,” and Facebook may record data or combine pieces of data in ways you don’t anticipate. Also, remember that your friends are humans, and even if you restrict all of your content to just your friends, they can still copy that content and post it elsewhere beyond your control. That’s the sort of social problem no technology can completely stop, and comes down to the trust you place in your friends. However, Facebook can’t hack into your e-mail account or copy your wall calendar, so if Facebook knows something about you, that knowledge probably involved you or a friend of yours.

On the flip side, no website is totally bulletproof in securing information. As someone involved in security research, I know that even “secure” websites pose risks. And yet, I routinely share my credit card number with merchants as I shop online. Is it possible that someone could hack those merchants or intercept my data and steal my credit card number? Certainly. A thief could also sneak up behind me on the street and try to grab my wallet, but that doesn’t mean I never take walks. I generally avoid walks, though, in certain neighborhoods where I don’t trust the environment. Similarly, I try to be very careful about what websites I trust with my personal information. When you post private content on Facebook or anything other social networking site, I can’t promise you that no one else will ever see that content. What you share with Facebook comes down to how much you trust Facebook with that data. This guide may help you in making such decisions, but ultimately, you have to make them.

2. Facebook Wants You to Share

Security guru Bruce Schneier gave an excellent lecture earlier this year about privacy and different generations. In the talk, he related a hypothetical story from social media researcher danah boyd about a friend who discloses information shared privately in order to gain better social standing with others. He then noted that Facebook is like that friend, gaining much revenue and market position from sharing the content you give it with other parties. As Schneier put it, we are Facebook’s product, not their customers.

You may ask, why would Facebook want to share my data? You may use Facebook simply to chat with friends that about things don’t seem of much importance to a large, high-tech company. I would give three main answers. First, the more Facebook knows about you, the more they can target the advertisements they show you. Companies buying ads want to make sure they reach an audience most likely to buy a certain product and value word-of-mouth recommendations. Right now, if I wanted to, I could buy an ad campaign on Facebook that appears for 25-year-old men who are interested in women, engaged or married, speak English, have a college degree in physics, like both Lord of the Rings and U2, and are not already members of a certain Facebook group I created. Facebook tells me that about 80 users fit that description, and estimates that at average pricing my ad would see 1-2 clicks per day. Facebook has offered this level of ad targeting for several years now.

Second, many companies are looking for data on behaviors and trends across large groups of people, and not simply for advertising opportunities. Since millions of people login to Facebook every day and share information about their interests, habits, activities, friends, and ideas, the company can build huge sets of data to answer general questions about their users.

Finally, Facebook can use your information to let other services provide a more targeted experience as well. For instance, if you list your favorite music artists on your profile, Pandora can use that list to generate an online radio station tailored to your specific tastes without requiring you to re-enter all those artists.

Note that I’m simply describing realities here, not commenting on whether they’re useful or creepy. Some people find Facebook’s targeted advertising disturbing, some people see it as a way to see relevant ads for products they may find of interest. But my main point is simply that Facebook has a vested interest in you sharing information about yourself and your life. They do provide some degree of control over what happens to the information your share, but ultimately, they benefit most from you sharing the most.

3. Some Content is Always Public

Some parts of your Facebook profile are always considered “publicly available information” (also called PAI) by Facebook, and ultimately, you don’t have control over whether another person or application can see that information. In practice, it may be difficult for others to find such data or Facebook may even prompt them for certain authorization first. But regardless of any settings or appearances, you should always remember that Facebook does not consider the data private and it may be shared via other channels you’re not aware of.

As of May 2010, the following content in your Facebook profile is always PAI: your name, your profile picture, and your connections. The “connections” part currently includes your friends, your family, your relationships, your current city or hometown, your education history, your work history, your activites, your interests, the music you like, the movies you like, the books you like, the TV shows you like, and any page that has a Facebook “Like” button you’ve clicked.

4. Focus on Settings Close to Content

While Facebook’s myriad privacy settings can provide great flexibility over certain bits of data, they can also cause great confusion. But generally, the most important setting for any piece of content is the one closest to that content. In other words, while you may come across privacy settings in many corners of Facebook, you’ll often find one right next to an individual bit of information, and that’s usually the one you should worry about most for that particular data.

For instance, when you post a status update or link on your profile, you’ll see a little padlock icon next to the “Share” button. That padlock sets who can access the status or link. When you create a photo album or edit its properties, you’ll find a “Privacy” box, and that box indicates who can access the photos in that album.

Are there exceptions to this rule? Yes, and I describe some major ones in the next few sections. But for a starting point, those little padlocks that sit right alongside your statuses, links, albums, and so on are the biggest controls you have over who can see your content. As a general rule, the more complicated settings you may come across will not override these individual settings if a person tries to load your content via the Facebook website.

Facebook does provide other privacy settings that control the visibility of certain content on your profile, including the public information I described before, but that’s not the same as access. I’ve posted several tricks in the past that demonstrated how people could still load content that seemed to be hidden but still had individual, padlock controls marked as “Everyone.” Such a setting really does mean everyone, and Facebook treats the content as part of the publicly available information described before. Rely most on the padlocks to control who sees what.

The most important exceptions to this advice involve how applications access your data. Facebook distinguishes between what people can access browsing the Facebook site as usual and what applications or websites can access by communicating with Facebook through other technical methods, and so far I’ve only covered the former case.

5. Applications Act on Your Behalf

A few years ago, Facebook added some ways for people to write their own code that made use of Facebook data. Originally these were just applications added to Facebook, such as the quizzes or games you still often see on the site. But more recently, Facebook has added methods for other websites to interface with user information as well. How much data all of these applications could access depended on users “authorizing” them.

I think the best way to understand the access applications have is to treat them as ambassadors or liaisons between you and Facebook. You generally establish this setup when you authorize the application, which happens whenever you click to allow access for applications inside of Facebook (such as those games and quizzes) and “login” or “connect” your Facebook on other websites. An authorized application then has much the same access to data that you do, and may post to your Facebook as if you were posting.

Until recently, this meant your applications could access profile information, photos, links, notes, etc. even if they were set to “Friends Only.” Now, Facebook is in the process of shifting applications to a setup where they have to ask for all the levels of access they want. Of course, you don’t get to choose those levels of access, and an application may not work if you don’t approve them all. You also can’t place blanket restrictions on every application you might use.

Another aspect to application access comes into play when a friend uses one and you don’t. While you don’t have much control over data access for applications you use, Facebook does allow you to set across the board whether your friends’ applications can see your data as your friends would, if you haven’t used the applications as well.

One of the most recent changes to Facebook involves certain the company authorizing certain sites automatically, a feature called “instant personalization.” These sites (currently Docs.com, Pandora, and Yelp) then have automatic access to your publicly available information when you visit them. Applications within Facebook have had this sort of access for a while on most visits. Facebook gives a setting to block the behavior for the three external websites, but they may still receive some of your data when friends use them – an aspect controlled by the settings described above.

Facebook does give you the power to block specific applications, including external websites such as Docs.com, Pandora, and Yelp. When you block an application, it will won’t be able to tell you exist – your friends won’t even see your name in the context of that application.

6. Applications are Not Facebook

When you use an application, such as a quiz or a game on Facebook, you are interacting with code written by someone not part of Facebook. (The company does treat a few specific features as “applications,” such as Photos or Notes, but these are generally marked as such and cannot be removed.) Most of the content you generate within that application, such as your result on a quiz or your score in a game, is stored by the application outside of Facebook. Ultimately, who accesses that information and how long it stays online are up to the people who wrote the application, not Facebook.

In your “Application Settings” on Facebook, you will find many specific settings that relate to individual applications, including whether they can be seen on your profile. These control the ways an application interfaces with Facebook, such as the boxes on your profile or whether it can publish links on your wall, but you put your trust in the application to provide privacy and security beyond these aspects. I’ve found many applications that allow an attacker to access information you might think would only appear on your profile. Also, an insecure application could be hijacked to access Facebook data you’ve authorized it to see.

7. You Have to Live Your Life

Anyone who reads my blog or Twitter feed will realize that I care greatly about privacy issues with Facebook, and I spend a great deal of time understanding the controls available to Facebook users. But when people ask me for recommendations on Facebook, I often include a closing bit of advice: You still have to your life. Think before you post, know what your settings do, try to stay current with changes and understand where your data goes. But don’t get paranoid or spend more time adjusting your Facebook than actually communicating with your real-life friends.

Facebook is only one tool for keeping up with people. If using Facebook becomes too much of a chore, maybe you should find another tool. But whether you use Facebook or not, don’t let all the news reports and check-boxes cause you to lose sight of the big picture. Focus on living a life worth sharing before you worry about what you share on Facebook.