I never want to come across to harshly when talking about Facebook; I honestly believe they want to protect user privacy and security. But while Facebook continues to hone and publicize the privacy controls in their own features, they seem to ignore major issues with Facebook applications. Some might argue that applications are not under Facebook’s control, but this ignores changes Facebook could make which would help protect users. I can only think that Facebook does not want to risk alienating developers any further.
In turn, many developers seem to shift responsibility to end users. Recently I read back over coverage from ReadWriteWeb and the BBC on rogue Facebook applications, along with a discussion on Facebook’s developer forum. While the reports admittedly included sensationalist elements, I was surprised to see commenters taking the position that rogue applications weren’t a problem, since users authorize applications to access their profile data. In essence, if an application steals data, it’s the user’s fault for letting it.
This perspective fails to take into account the average user’s understanding of how applications access and share data, not to mention how little control a user has over applications. And most users would probably be shocked by how even mainstream applications make use of profile information to target advertisements. Many of these applications and advertising networks again take a hands-off approach, noting that a user could opt out of such programs. But what are the chances of a user even realizing this, much less taking the time to figure out how?
Advertising in applications made a few headlines this weekend, after a message on user privacy made the rounds on Facebook. The message did not actually address application ads, but in a statement on the message, Facebook deflected attention from their own ads to talk about application ads, and painted a rather rosy picture of user privacy on the Platform. I respectfully disagree with their assessment.
First, let’s clarify: the original viral message on profile pictures in ads pointed to an actual privacy setting which controls whether your profile picture appears in Facebook Ads. This was never about the application ad networks Facebook brought up in their statement.
Second, consider why Facebook banned SocialHour and SocialReach. From what I understood at the time, Facebook had a problem with the ads falsely implying that friends had taken certain actions (e.g. taking a quiz). Facebook did not seem to address the issue of profile pictures being used in the advertisements, and the practice has continued on many advertising networks to this day.
I was honestly rather surprised by Facebook’s statement, since it seemed to imply that all was well with application advertising. I then became shocked when I read the update Nick O’Neill posted after digging for more information:
I’ve spoken to Facebook and they’ve made some relatively strong statements, the most important of which was that ad networks “need permission from the owner of whatever photo they use.” That means unless an ad network asked for permission to use your image, they can’t use it. Additionally, here are the policies that are applicable according to Facebook:
- The data section of the platform guidelines indicates that just because a developer gets access to user data doesn’t mean that they can use it
- Developers are not allowed to pass user data they get from FB to ad networks.
- Apps cannot break the law, and there are rights of publicity issues that come into play here. Facebook is granted permission in the terms to use a user’s photo in an ad but this permission does not extend to developers or ad networks.
- Not doing anything misleading (indicating a user has taken a quiz when they haven’t is misleading)
Seriously? Seriously? It doesn’t take long to realize how flagrantly these guidelines are being ignored:
- Many application ad networks use the profile pictures of users and their friends.
- Application ad networks routinely access loads of profile data from users and their friends. This information is often processed client-side and not sent back to the ad network servers, but you’d probably be stunned at just how much data is sifted through.
- User data is routinely sent back to application ad networks. I can cite several examples of this, but I hadn’t brought them up sooner as I’ve been working on sorting through them and gathering records of what happens. I did mention one example over a month ago on this very blog, yet the methods of that particular ad network have not changed at all in the mean time, nor has Facebook taken any action against them.
- The session secret of an application is routinely passed on to application ad networks. This enables the ad network server to make requests to Facebook via the API and access user data. Regardless of whether such action happens (and it does, by the way), an application should never share its session secret with outside web sites. In several cases, the session secret is inadverently recorded by Google Analytics – and that includes ad network Analytics accounts.
As an example of ad networks accessing user data, remember SocialReach? This very moment, one application with over 10 million monthly active users is serving SocialReach ads scripts which make Facebook API requests from the SocialReach web site. These are the same FQL queries SocialReach made prior to Facebook banning it a while back. Update: On further investigation, it appears the SocialReach code operates client-side, though the session secret is still passed on to SocialReach and the code does make API requests.
As I said, I’ve been planning to talk more about this, but was still working on putting everything together and making further investigations. With the sudden press about application advertising, I figured I should go ahead and at least note how badly reality differs from what Facebook seems to be trying to portray. If news sites want proof or more specifics on the problems I’ve described, feel free to get in touch.
Part of what leaves me bewildered is that if I can uncover so many problems in my research, how does Facebook not notice them? Some of these issues are even occurring in Facebook Verified Applications. I simply don’t understand how Facebook can make the kinds of statements AllFacebook published in light of all the obvious issues still present.