Leaking Information
4 Jul. 2008
One of the topics du jour in Internet research circles is privacy, and whether we're selling our personal information up the river. Facebook tends to be the main focus of such musings. At any rate, blah blah blah - I fired up one of my Facebook applications today (a little thing called "Friend Wheel" that generates a data visualization of the connections between your Facebook friends) and it spat a MySQL error back at me. A quite informative one, as a matter of fact - one that let me know exactly what it is that I am agreeing to when I say that I "agree to allow this application to access my profile information." It's interesting to actually see visual proof of what information you're divulging, and not just hear spinning theories.
Here's the error:
Mysql Error in /opt/lampp/htdocs/facebook/friendwheel/index.php, line 141.
Whole query: INSERT INTO userdetails (application, datetime, sex, birthday, country) VALUES ('friendwheel','2008-07-04 14:04:40','female','197x-0x-0x','United States')
Mysql said:Too many connections
Basically what this says is that this application - which only needs access to my name, friend list, and a list of which friends each of them is connected to - is also writing my sex, birth date, country, and time that I accessed the application to a database and is saving that for later use. Presumably some sort of metrics. But for what? Why do the application developers need this info?
Leaking information, indeed.
5 Jul. 2008 2:20 am
As a developer of a slightly popular Facebook app ( http://apps.facebook.com/medlinepublications/ ), I can tell you that the platform doesn't "leak" personal information so much as it "hands it wholesale off the back of the truck". I can find out pretty much anything that Facebook knows about any of my users, including who's on their "friend" list, their status updates, etc. IIRC, the developer ToS say that us devs aren't supposed to store any of that information... but there's no technical reason why we can't.
That said, FB offers users some control over what information is available to applications... although the level of granularity is pretty high. "Personal Information" refers to maybe five or ten different pieces of information- age, sex, location, etc.- and it'd be nice if FB allowed users to specify exactly which pieces of information go to which apps. Actually, they might already do this, but I sure haven't seen it.
My own app only stores FB user ids along with some application-specific information... but there's no reason why I couldn't store more. As long as FB apps are written by third-parties and run on third-party computers, I can't really think of a good solution to the problem other than a more granular permissions model.
5 Jul. 2008 2:49 am
No, I don't mean to say Facebook leaks personal information....leaking suggests something accidental, and the decision to hand that data around is a conscious business and marketing decision on Facebook's part. But I do think users often leak their information - either out of ignorance or because most businesses make it seem awfully appealing to in one way or another.
As for Facebook's privacy controls, I'm pretty familiar with most of them, and tend to use them a lot more conscientiously than most people I know. You can control some level of information that apps receive or that your friends receive from apps, but part of your agreement in installing an app is that it can access anything in your profile that is visible to your friends.
At any rate, I don't mean this post to be an "OMG teh thought police R stealin' R dataz!" post (another reader's interpretation of what I'm driving at). Rather, I find it 1) useful to be aware of what information is floating around out there about us and 2) interesting to actually see with my own eyes an example of such metrics in action.