Facebook Apps: Truly Transparent Or Really Creepy Profile Peekers?


Explosive ScamSniper Report

Do the apps you install sneak your profile data behind your back?
Let’s find out.
Back in December of 2010, Vanessa Dennis of PBS NewsHour explained that Facebook users should take the time to remove or reinstall any older apps which have been installed to their profile for a period of six months or more. The reason for doing so is that apps which have been installed to their profile for a long time may have what amounts to full access to their profile and much of the information in their friends’ profiles as well. This is because the older installed apps are still adhering to the old profile access standards. See an example of this below.

Example (App which has not been reinstalled)
View via the Application Settings dashboard – Introduced 10-2010

Due to a settlement made with the Canadian government, Facebook announced back in August of 2009 that several privacy changes would be implemented. These changes would offer its users more control over their profile information and the information they choose to share with the apps they install to their Facebook profile. One of the new features would be an application Request for Permissions dialog.

Quote from: 
http://www.facebook.com/press/releases.php?p=118816
Facebook Announces Privacy Improvements in Response to Recommendations by Canadian Privacy Commissioner. Paragraph 6

Increasing the understanding and control a user has over the information accessed by third-party applications. Specifically, Facebook will introduce a new permissions model that will require applications to specify the categories of information they wish to access and obtain express consent from the user before any data is shared. 

-In addition, the user will also have to specifically approve any access to their friends’ information, which would still be subject to the friend’s privacy and application settings.

Example (App Request Dialog) – Property of Facebook

Example (Facebook App Request Dialog Explanation) – Property of Facebook

This new data model was introduced in April of 2010, but the new application permissions dialog didn’t become mandatory until June of 2010. It was designed to make it easier for people to weigh the privacy versus functionality trade-off when installing apps. However, it also gave developers a few new features as well. These included: the ability to store user data once given permission to access it; real-time updates, which allow developers to be notified immediately when a user’s data changes; and full access to the user’s basic information, which they could now use in any way they saw fit to make the user’s experience better.

Quotes from:
A New Data Model
http://developers.facebook.com/blog/post/378
Section 1: New Data Permissions Dialog – Paragraph 1

By default, users grant you access to their public data. If you need private data or friends’ data, the new dialog will clearly present these requests, so users can understand what you need, make informed choices, and quickly get started.

Section 2: New Data Policy – Paragraph 1 & 2

As part of today’s changes, you can store data — only the data users have granted you access to, of course — and more easily write fast, high-quality applications. With the new real-time updates feature, you can also be immediately notified when your users’ information changes, including their profile information, friends, and Wall posts.

For users who connect with your application or website, you will now have full access to use basic account information, including user ID, name, and email (once a user grants permission) in any way you believe provides a richer experience for your users. In addition, with explicit user consent, you can use their data for purposes beyond displaying it back to the user. However, you’ll now need to have your own privacy policy and enable users to delete all of their data from your app.

Enter the new problem
While Facebook was clear about these aspects with its app developers, they failed to inform the users that the apps they already had installed on their Facebook profiles would not automatically re-install or adhere to these new privacy guidelines. The older apps would still retain the data access given to them under the old system. This is apparent when looking at the new Application Settings dashboard’s “This Application Can” section, which Facebook also added as of October 2010. The dashboard lets users see exactly when and how their data has been accessed through the Facebook Platform, and gives users the option to remove unwanted apps, games, or sites, or revoke persistent permissions such as the ability to post on their wall, all in one place. As we can see in the screenshot below, many apps which have been installed to a Facebook user’s profile for a long period of time show an egregious amount of user profile access. See below.

Example FarmVille (Before Reinstall)
Now many users will state that they never remember giving an app like this what is basically a “free for all” when it comes to their profile or their friends’ profile info. I would be one of those users. However, under the older platform, when you installed some of these apps, this is exactly what you agreed to let them access. As explained by Vanessa, the only way to remove all of this access is to uninstall the app if you are not using it any longer, or if you still use it, you must re-install the app.
This is done simply by:
  • Click on “Account”, then “Privacy Settings”.
  • Under the heading “Apps and Websites” click the “Edit your settings” link.
  • You will be taken to the “Apps, Games and Websites” screen; from there simply click on the “Edit Settings” button next to the heading “Apps you use”.
  • Find the app you want to remove in the list and click its name.
  • This will expand the app’s current permissions. If you find the app has a ton of access like the one shown above, simply click the “Remove Application” link to remove it.
  • Once removed, if you wish to reinstall it, simply re-locate the app on Facebook and re-install it.
You will notice the new install will show much less requested or required access. In the screen shot below, you will see the new install screen for FarmVille. Take a note of the permissions requested, as it states what will be accessed and is needed for the app to function on your profile.

Example FarmVille (Reinstall Screen)
Notice how it now seems to state that it only needs “Basic Information” access and the extra profile information consisting of “Birthday and Current City”. Much, much less information is requested, which makes this application seem more agreeable to install. Once installed, if you navigate back to the expanded installed applications screen, and view exactly what this app can access, you should see something similar to the shot below.
Example FarmVille (Re-installed)
At this point I would like to stop and tell you that you’ve just regained control of what the apps you have installed to your account can see or get at, on your profile. Unfortunately, I can’t. Why? Because back in October of last year, when I noticed Facebook had given us this new way to see what the apps we installed on our profiles are really accessing, I saw what was just described to you above. Apps with an egregious amount of access to my information. I then took the steps to reinstall many of my apps back in October, way before anyone said I should or needed to…
However, during the course of the last few months I have found that many apps are still accessing bits and pieces of profile information that they have not asked permission to access. Below you will see this particular re-install of FarmVille and what Facebook has recorded it accessing, in its application’s “Last data access” “Access Log”.

Example 1 FarmVille (Installed)
Example 2 FarmVille (Short Play of the game)
Example 3 FarmVille (After Short Play of the game, New Accesses With Post Function)
Example 4 FarmVille (After Short Play of the game, Access Log Shows Friends Info Accessed)
As we can see in the last screenshot, right above, FarmVille seems to have either attempted to access or did access My Friends’ Birthdays and Current Cities. I find this strange since during the re-installation of the app it does not mention this information will be accessed at all. During the game play it doesn’t ask for this info and neither does it show up in the “This Application Can” section. So my question would be: Why and how is this app going after this info? It has clearly been stated that any and all applications must explicitly ask for your permission to access any information that is not basic information or marked public in your profile. They also must get your permission first, before they can access friends’ data. Plus, to top that off, developers are to only request the data they need to operate their application. Reference the quotes above and the following one.

Quotes From:
Applications Ask, You Receive: Simplified Permissions Launch

Paragraph 1

With this new authorization process, when you log into an application with your Facebook account, the application will only be able to access the public parts of your profile by default. To access the private sections of your profile, the application has to explicitly ask for your permission.

Paragraph 3 

For example, JibJab is an interactive greeting card website that needs access to my photos and my friends’ birthdays and photos so I can create personalized greeting cards. Based on the new model, JibJab must specifically ask for that information.

Unfortunately, seeing the activity depicted above makes me believe that it does not matter if you reinstall your older apps, that maybe you shouldn’t believe what those “Request For Permission” dialogs are telling you. They may be showing one thing to make you comfortable with installing the app, while the developers’ motives are simply to get what they can without telling you about it. I mean, who’s actually paying that any attention? Do you troll your “Access Logs” after you install an app? Can app developers simply sneak the information they want from your profile at any time, without asking or telling you about it? In the quote below, from the Facebook Privacy Policy page, is a statement which leads me to believe they can, but shouldn’t.

Quote From: Facebook’s Privacy Policy

http://www.facebook.com/policy.php

Section 4. Information You Share With Third Parties.
Sub-Section: Connecting with an Application or Website, Paragraph 3

You should always review the policies of third party applications and websites to make sure you are comfortable with the ways in which they use information you share with them. We do not guarantee that they will follow our rules. If you find an application or website that violates our rules, you should report the violation to us on this help page and we will take action as necessary.

The problem I have with this statement is that with the number of apps I have seen appear to sneak bits of data, Facebook users would not have an effective way to report each one. Notwithstanding the fact that most users will never pay attention to the area of the site which would show them the profile peeks the apps may be taking. Further up within the same section of the privacy policy, Facebook states that they require developers to agree to terms that limit their use of your information and use technical measures to ensure that they only obtain authorized information. But honestly, just having them agree to not do something means absolutely nothing to me, and when trying to view the “About Platform” page, which is said to explain the tech restraints Facebook claims to use, umm, I get a blank page?

What has made this even more concerning to me is that Facebook has recently stated they will be allowing app developers to request a user’s address and phone number through these request for permission screens. Yes, this has been put on hold, so that Facebook can rethink its strategies for implementing this feature, but the key words here are “On Hold”.

Example (Address & Phone # Permission Request) – Property Of Inside Facebook

As we can see in the screenshots provided below, older applications which have not been re-installed are beginning to add a new field named “Access my contact information”. My thoughts are that once Facebook decides to re-implement these contact features, these older app installs are going to automatically place this information in the required section and start to access it without notifying the users. And it’s possible that even if you re-install your older apps, you may still be subjected to this info being collected without you being notified, since the new installs seem to access data without asking.

Example 1: Cafe-World (Old Install Shot taken 10-19-2010)
Example 1: Cafe-World (Old Install Shot taken 01-22-2010)

If a newer app can “appear” to or “actually” sneak my friends’ Birthdays and Current Cities, what’s to stop it from sneaking their address and phone number info? I have watched this type of activity over the course of 4 months. I have tested many apps on my personal account, which is set to a “Friends Only” privacy setting. FarmVille and the other apps displayed here are just some of my examples. I have found many apps, by many different developers, and they all seem to sneak something or other under the new permission-based data access model. A peek at your or your friends’ notes, groups, relationship statuses, you name it.

I’m simply looking for an explanation of what I’m seeing and recording. I would like someone from Facebook to address what I and many others have seen. Can you explain it? Please tell us, “The Users”, what is happening here?

In Addition: 
This additional information and example have been added to this document as of 01-21-2011, due to a report that was released.

In a report released by The Registry, facebook made this statement:

We have built extensive controls into the product, so that now when you add an application it only gets access to very limited data and the user must approve each additional type of data (so we do more than anyone else to educate users about passage of data, and force disclosure and user consent for each category beyond the basics).

This statement can be read here:
Facebook defends security strategy
Shy social network responds to criticism
http://www.theregister.co.uk/2011/01/21/facebook_security_analysis/

This statement simply leads me to provide another example of a Facebook application doing the exact opposite of what Facebook claims they are supposed to do. See the example below.
Example Application: Zoo World

As we can see in the screenshot below, the Zoo World application’s Request for Permissions dialog informs the user that Zoo World will be accessing “one” specific area of the user’s data. This includes “Basic Information”. If the user agrees, by clicking allow, Zoo World will have access to that area of info within the user’s profile.
Zoo World Install Screen (The Data it Requests)
Most users, once they have installed a Facebook app, such as a game, will then proceed to play the game or use the app. The 2 screenshots below show the Zoo World game in action. During this time, I noted no additional requests for data access from this app. Screenshots taken 01-16-2011.
A short play of the game Snapshot 1
A short play of the game Snapshot 2
After a short play of the game and then navigating to the Apps You Use settings page, you can see a detailed assessment of the Zoo World app installation on your profile. You can see in the screenshot that the app still lists that it only requires Basic Information. See example.

Zoo World Install (Detail View – Apps You Use Screen)

However, if you then click on “See Details” under the heading “Last data access:”, you will see an “Access Log” dialog open. This dialog shows you the Zoo World app not only accessed the basic information it requires, but several other fields of information it does not list or request from you during the install of the app or in the “This app can” heading.

Zoo World Install (Detail View – Access Log – True Data Accessed)
Again, if the apps are supposed to request access to each field or area of user data that they wish to access on the user’s profile, why do many of them appear to fail to ask the user for certain data accesses? Is this a glitch in the system or is this the developers failing to inform users of exactly what data they will be accessing on their profiles? Am I missing something? Are My Friends’ Birthdays, Family Members, Relationship Statuses, and Education History all part of MY Basic Information and necessary for Zoo World to function? Can the same be said for peeking at my news feed as well?

Can Facebook and the app developers please explain this to us?

What you, the user, should do in the meantime.
I know many of you will say: Well, what am I supposed to do about this? I don’t want the apps my friends install or I install accessing my profile information whenever they want and without notifying me or my friends about it.

Well, you have 2 options and 1 duty.

The Duty:
Make sure that you have reinstalled any and all apps that you currently have on your profile. If you open your Application Settings dashboard’s “This Application Can” section and see apps with a huge list of access permissions, you must re-install the app immediately. (Refer to the previous how-to written a bit further up in this doc.) This will, or is supposed to, remove all the extra data access apps have under the older apps data permissions platform. Do not worry that you will lose your settings or levels in any game or app: MOST GAMES can be uninstalled, then re-installed without loss of your game data. I have reinstalled most of my apps and have not lost any game or app data/settings. Once you have done this, you must watch and record exactly what the new installs of your apps access. Record what each app claims to be its “Required Permission” and look for any data accesses outside these areas in the “Access Log” for each app. If you find any, take record of it.
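
One way to keep the record described above, as an added example that is not part of the original report: a short Python script that compares what each app requested at install with what its Access Log later showed. The note format, sample entries and dates are constructed from the FarmVille and Zoo World observations in this report, and `audit`, `normalise` and `singular` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed notes modelled on the FarmVille and Zoo World observations in
# this report. The "date | app | source | category" layout is an assumption
# for hand-kept records, not a Facebook export format.
NOTES = """\
# source is "requested" (install dialog) or "accessed" (Access Log)
2011-01-16 | FarmVille | requested | Basic Information
2011-01-16 | FarmVille | requested | Birthday
2011-01-16 | FarmVille | requested | Current City
2011-01-16 | FarmVille | accessed  | Basic Information
2011-01-16 | FarmVille | accessed  | My Friends' Birthdays
2011-01-16 | FarmVille | accessed  | My Friends' Current Cities
2011-01-16 | Zoo World | requested | Basic Information
2011-01-16 | Zoo World | accessed  | Basic Information
2011-01-16 | Zoo World | accessed  | My Friends' Birthdays
2011-01-16 | Zoo World | accessed  | Family Members
2011-01-16 | Zoo World | accessed  | Relationship Statuses
2011-01-16 | Zoo World | accessed  | Education History
2011-01-16 | Zoo World | accessed  | News Feed
"""

FRIENDS = re.compile(r"^(?:my\s+)?friends?['\u2019]s?\s+(.+)$", re.IGNORECASE)


def singular(word):
    """Crude singular so 'Birthdays' and 'Birthday' compare equal."""
    if word.endswith("ies"):
        return word[:-3] + "y"
    if word.endswith("ses"):
        return word[:-2]
    if word.endswith("s") and not word.endswith(("ss", "us")):
        return word[:-1]
    return word


def normalise(category):
    """Return (scope, field); scope is 'friends' or 'self'."""
    text = " ".join(category.split())
    match = FRIENDS.match(text)
    scope = "friends" if match else "self"
    words = (match.group(1) if match else text).lower().split()
    words[-1] = singular(words[-1])
    return scope, " ".join(words)


def audit(notes, scope_aware=True):
    """Map each app to the categories it accessed but never requested."""
    seen = defaultdict(lambda: {"requested": set(), "accessed": set()})
    for number, line in enumerate(notes.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = [part.strip() for part in line.split("|")]
        if len(parts) != 4 or parts[2] not in ("requested", "accessed") or not parts[3]:
            raise ValueError(f"line {number}: expected 'date | app | source | category'")
        _date, app, source, category = parts
        scope, field = normalise(category)
        # Ignoring scope is the trap: "Birthday" would then appear to cover
        # "My Friends' Birthdays", which is a separate grant.
        seen[app][source].add((scope, field) if scope_aware else field)
    return {app: sorted(s["accessed"] - s["requested"]) for app, s in seen.items()}


if __name__ == "__main__":
    for app, extras in audit(NOTES).items():
        print(app, "->", extras or "nothing outside the requested set")
```

Running it with `scope_aware=False` reports nothing for FarmVille, which is why your own data and your friends' data have to be recorded as separate categories.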

The 2 Options For Partly Securing Your Profile Information:

1. If you are not a Facebook app user, then you can turn off the app platform altogether. This will disable any sharing of your profile information through apps and partner websites. You won’t be sharing information with any apps or partner websites and your friends won’t be able to share your information through any of their apps or partner websites. Please see the short how-to video below.
2. If you are a Facebook app user, then you can adjust the privacy settings for “Information accessible through your friends” and make sure you have “Instant Personalization” disabled. The “Information accessible through your friends” setting controls the information friends can share about you through the apps they install and the third-party sites they visit. The Instant Personalization setting controls whether or not any of Facebook’s third-party partner websites will be able to customize your experience with them via the information they can access in your Facebook profile. Adjusting the settings in these 2 areas should provide you some protection from friends sharing your info through the apps they install and the sites they visit. However, this will not stop it all. As the privacy policy seems to state in section 4, applications have access to the user’s and the user’s friends’ basic profile information and any information that is shared to everyone in your or their profile. I find this strange, since up to that point all the press releases Facebook made to their blog about the subject suggest only the app installer’s basic and everyone data is to be accessed by default. The only way to protect the non-basic information would be to make sure you don’t have its privacy settings set to “Everyone”. Lock your profile down to Friends of Friends or Friends Only. Below is a short how-to video for adjusting the “Information accessible through your friends” and Instant Personalization settings. If you would like more info on adjusting your other privacy settings, please see the other links below the video.
Video 1: How To Turn Off The Apps Platform (Avail. In HD)
Video 2: How to Adjust Info Sharing through friends on facebook. (Avail. In HD)

Additional Privacy Settings videos can be found on Facebook at the links provided below.

Learn More #1 – ‘Controlling Your Sharing’ video guide:
http://www.facebook.com/video/video.php?v=681506488373
Learn More #2 – ‘Controlling Your Sharing’ video guide:
http://www.facebook.com/video/video.php?v=681507022303
Learn More #3 – ‘Controlling Your Sharing’ video guide:
http://www.facebook.com/video/video.php?v=684554250633
New Dashboard for Applications You Use [HQ]
http://www.facebook.com/video/video.php?v=10150292661560484
Controlling Your Information on Places [HD]
http://www.facebook.com/video/video.php?v=697692691093

Report By: Mr. Black Knight – All Rights Reserved – Intellectual Property Of Scam Sniper ©

With assistance and support from:
The Administration of The Unofficial Guide to FB Privacy and Security

http://www.facebook.com/PrivacyGuide

Since I first noticed these particular issues, the administration of the Unofficial Guide to FB Privacy and Security has been a strong partner in documenting and investigating the issue with me. Together we have spent many hours digging and trolling through privacy policies and supportive information, in an effort to explain these findings.