At Facebook’s f8 conference, founder and CEO Mark Zuckerberg announced that the company was removing restrictions on user data retention within Facebook applications. Previously, the company had a policy where developers couldn’t “store and cache any data for more than 24 hours,” Zuckerberg said while speaking to the audience of Facebook developers crowded into the San Francisco Design Center on Wednesday. “We’re going to go ahead and…get rid of that policy,” he said. The audience cheered.
But should Facebook end users cheer this news, too?
The Change is for Developers, “No Effect” on End Users?
For developers, the removal of this technical limitation is great news. Apps had to constantly connect to Facebook’s servers in order to refresh their data. Application load speeds were also affected as the apps would have to do this server pinging process upon first launch. Now the data the apps need will already be there – a change that may even result in noticeable performance gains for the end users of the applications.
Yes, Facebook Apps Have Your Data
The new policy, however, brings to light something that your average Facebook user may not have ever known at all: Facebook applications access your personal data.
We’ve looked at this issue before (see: “What Facebook Quizzes Know About You”) after the ACLU put together an awareness campaign surrounding the privacy issues of Facebook applications. Using a sample app, the ACLU’s Facebook Quiz, many everyday Facebook users were shocked to find that applications (like quizzes) could access almost everything on a user profile, including hometown, groups you belong to, events attended, favorite books, and more. What’s worse is that your profile information becomes available to developers when your friends take the same quiz.
Why the Policy Change is Riskier Than It Appears
On its own, the new data retention policy doesn’t change how developers can use the data they store. In fact, for some developers, it won’t change much of anything at all – many simply ignored Facebook’s rules about data retention in the past. Even with the change, it’s just business as usual for those developers and their apps.
That said, the indefinite storage now permitted is concerning for a few reasons. As security engineer Joey Tyson points out on his blog, a site where he has detailed numerous hacks and security holes for Facebook, Google and more, the change makes Facebook apps “far more valuable targets for attackers.”
A popular application’s database could be filled with literally millions of users’ personal details (Facebook now touts 400 million users and Facebook’s most popular app, Farmville, for instance, boasts over 81 million users). If such a database were targeted for attack, the payoff for hackers could be incredible.
In addition, Tyson explains, opportunities for behavioral targeting and visitor tracking are increased since developers can now maintain complete archives of profile information.
It’s also worth noting, as tech blog VentureBeat points out, that it’s impossible for Facebook to know how application developers are using the data they collect. If a developer chooses to use that data in ways that are misleading, malicious or that break the company’s terms of agreement, Facebook may not be aware. With 500,000 supported applications, Facebook just doesn’t have the resources to police the apps it houses.
How to Remove Facebook Applications
To the end user, these changes may sound overwhelming and even scary. But there is something very easy everyone can do to minimize their risk: delete the Facebook applications you no longer use.
The process of doing so is incredibly simple.
After signing into Facebook, do the following:
- Click on “Account” at the top-right of the screen.
- Click “Application Settings.”
- Change the “Show” drop-down box to “Authorized.” This will show all the applications you’ve ever given permission to.
- In the resulting list, click the “X” button on the far right next to each app you want to remove to delete it.
- On the pop-up box that appears, click “Remove” then click “Okay” on the next box confirming the app was deleted.
Repeat this process to remove all the apps you no longer use on a regular basis.
Doing this won’t eliminate risk entirely – nothing can do that – but it’s a good first step in reducing risk. However, as long as you have a Facebook account, your data won’t be private. If true privacy is really a concern for you, it may be time to find that account delete button instead. (Hint: it’s under “Account Settings.”)