Your home address and phone number are now part of the information dump third-party developers can obtain through Facebook-powered Web site logins and applications.
A new policy lets you authorize applications such as Facebook games and quizzes, and Web sites that you log into with your Facebook ID access some of your most personal Facebook data. Facebook announced the changes in a developer blog post on Friday.
How They Can Get Your Number
Whenever you start using a new Facebook application such as Farmville, a pop-up window appears showing you the details from your Facebook profile the application wants to access.
Now, under the heading “Access my contact information,” developers can ask for your home address and mobile phone number if you’ve included this information in your profile. This pop-up window also appears when you use your Facebook ID to log into a third-party website for the first time.
In Facebook’s Friday blog post explaining the expanded permissions, Facebook said users have to explicitly allow access to their address and phone number. The problem is, Facebook’s permissions dialog only gives you two choices: hand over your address or don’t use the product or service you want to access.
That’s really no choice at all. It would be one thing if Facebook gave you the power to deny a developer access to your address and still use the application or Website. But instead, Facebook has given ultimate power to developers who can decide whether to demand your address and phone number.
Questioned about this apparent discrepancy, Facebook responded with a statement: “On Facebook you have absolute control over what information you share, who you share it with and when you want to remove it. Developers can now request permission to access a person’s address and mobile phone number to make applications built on Facebook more useful and efficient. You need to explicitly choose to share your data before any app or Web site can access it and no private information is shared without your permission. As an additional step for this new feature, you’re not able to share your friends’ address or mobile information.”
Disaster Waiting To Happen?
Marc Rotenberg, president of the Electronic Privacy Information Center, challenges Facebook’s approach.
“Facebook is trying to blur the line between public and private information. And the request for permission does not make clear to the user why the information is needed or how it will be used,” he says in a statement.
“This is all part of the FTC’s failure to act on the original EPIC complaint concerning the changes in Facebook privacy setting. EPIC explained to the FTC that self-regulation requires the FTC to investigate companies when they change their practices. The FTC doesn’t need any new laws and they don’t need to issue any reports. They simply need to do a better job protecting user privacy.”
The big question is whether Facebook’s decision to open up your home address and mobile phone number will result in serious or even dangerous breaches of privacy. Security firm Sophos says in a blog post that Facebook’s new policy could encourage rogue applications to collect mobile phone numbers for targeted spam SMS messages or to sell data to marketing companies. Sophos also says the ability to access a users’ home address will “open up more opportunities for identity theft.”
In 2010, Facebook users fell prey to numerous scams and malware attacks such as clickjacking, the Ikea gift card scam, dislike button scam, the Russian hacker who claimed he was selling 1.5 million Facebook user login credentials, Boonana malware, malicious ads found in a Facebook application and likejacking, to name just a few. The idea that malicious applications in 2011 could get access to some of your most personal information is unsettling, to say the least.
Facebook did not specify why the company is opening up some of the most personal user data to developers. One possibility is that handing over your home address will make it easier and faster to fill out Website membership forms. While this may be a convenient way to sign up for a new service, it is not as obvious what kind of data you are handing over compared to manually filling out a Web form or using a security program such as Lastpass to fill out the form for you.
What You Can Do
If you are concerned about revealing your home address and phone number, the first thing you should do is verify whether Facebook has this information. After logging in to Facebook click on “Profile” on the upper right side of your News Feed. Then click on the “Edit My Profile” button at the top right of your profile page. Next, click on “Contact Information” in the left hand column, and check to see whether you’ve included your home address and mobile phone number. You can then edit this information as you see fit.
At the least, however, Facebook’s timing of its latest amendment to its privacy procedures is questionable.
Facebook was recently gaining a measure of respect for giving users more control over their data with new features such as the data export tool and a privacy control dashboard. But the company appears to have taken a gigantic leap backward with Saturday’s announcement. In fact, Facebook’s decision to release this information on the Friday before a long weekend is also a questionable move. With most people going about their weekend, many were unlikely to notice the policy changes–a fact Facebook was probably well aware of when it planned its announcement.