Watch What You Say: Facebook’s Hole
Friday, June 27th, 2008 by Mike Richards

Facebook has been actively trying to keep its title as one of the top “social network” sites by expanding the capabilities of its site to let users do more than they can on others like MySpace. One of its biggest moves happened about a year ago when it started allowing developers to create fun applications or widgets that users can add to their Facebook profile. This became very popular among the Facebook community, but has recently been met with skepticism after Slide.com, one of the largest Facebook widget creators, got in trouble for one of its applications, which exploited a security hole in Facebook’s API.
So Why is it a Bigger Problem Than it Seems?
To allow applications to be fully integrated into the Facebook interface, Facebook allows applications to retrieve any information you have posted on your profile, except for contact information like email address and phone number. The tricky problem, however, is that Facebook has no way of tracking what these applications do with this information once they obtain it, because the applications reside on external servers hosted by the applications’ creators, not on Facebook’s servers. To protect Facebook users, Facebook spelled out in its privacy policy exactly what an application can and cannot do with that information. In particular, it states that applications may only store a person’s Facebook ID; all other information must be obtained by making a request to Facebook’s server each time it is needed.
Slide.com got in trouble because it stored users’ information, bypassed the privacy settings Facebook put in place, and displayed that information to anyone who had added the application. Unfortunately, this is not an easy problem for Facebook to solve; many existing applications use people’s information in fun, creative ways that go along with Facebook’s vision, so Facebook cannot remove that functionality. For the Slide.com incident, Facebook’s only available action was to remove the problem application. It can do nothing to fix the “security hole” except reinforce its policies, because too many applications depend on the current functionality.
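The two paragraphs above describe the policy (store only the Facebook ID, re-request everything else) and what goes wrong when an application ignores it (stored copies are shown regardless of the user’s current privacy settings). The following added example, which is not code from the post and does not use Facebook’s real API, simulates both designs against a toy platform endpoint with a constructed privacy setting. The `api_get_profile` function, the user IDs, and the profile data are all assumptions made for the demonstration; the point it shows is that a cached copy silently outlives a later privacy change, while an ID-only design picks the change up on the next request.

```python
"""Added example (not from the post): why caching profile data bypasses a
user's later privacy changes, while storing only the user ID and re-fetching
at display time does not. Names, data and the "API" are constructed."""

from typing import Dict, Optional, Set

# Constructed sample profiles; "visibility" is the only privacy setting modelled.
PROFILES: Dict[str, dict] = {
    "u100": {"name": "Alice Example", "hometown": "Springfield",
             "visibility": "everyone", "friends": {"u200"}},
    "u200": {"name": "Bob Example", "hometown": "Shelbyville",
             "visibility": "everyone", "friends": {"u100"}},
}


def api_get_profile(viewer_id: str, owner_id: str) -> Optional[dict]:
    """Simulated platform endpoint (hypothetical, not Facebook's API): returns
    profile fields only if the owner's current setting allows this viewer."""
    prof = PROFILES[owner_id]
    allowed = (
        prof["visibility"] == "everyone"
        or viewer_id == owner_id
        or (prof["visibility"] == "friends" and viewer_id in prof["friends"])
    )
    if not allowed:
        return None
    return {"name": prof["name"], "hometown": prof["hometown"]}


def set_visibility(owner_id: str, level: str) -> None:
    """The user changes their privacy setting on the platform."""
    PROFILES[owner_id]["visibility"] = level


class CompliantApp:
    """Stores only the ID of each user who added the app; every display
    re-queries the platform, so the owner's current privacy setting applies."""

    def __init__(self) -> None:
        self.installed: Set[str] = set()

    def install(self, user_id: str) -> None:
        self.installed.add(user_id)

    def render(self, viewer_id: str, owner_id: str) -> str:
        if owner_id not in self.installed:
            return "not installed"
        data = api_get_profile(viewer_id, owner_id)
        return f"{data['name']} from {data['hometown']}" if data else "hidden"


class CachingApp:
    """Copies profile fields into its own store at install time and serves
    them from that copy; later privacy changes never reach it."""

    def __init__(self) -> None:
        self.cache: Dict[str, dict] = {}

    def install(self, user_id: str) -> None:
        # At install time the owner is the viewer, so the endpoint returns everything.
        self.cache[user_id] = api_get_profile(user_id, user_id)

    def render(self, viewer_id: str, owner_id: str) -> str:
        data = self.cache.get(owner_id)
        return f"{data['name']} from {data['hometown']}" if data else "not installed"


def run_scenario() -> Dict[str, str]:
    """Alice (u100) installs both apps, then restricts her profile to friends.
    A stranger (u999) and a friend (u200) then view her through each app."""
    set_visibility("u100", "everyone")
    compliant, caching = CompliantApp(), CachingApp()
    compliant.install("u100")
    caching.install("u100")
    set_visibility("u100", "friends")  # the privacy change happens after install
    return {
        "compliant_stranger": compliant.render("u999", "u100"),
        "compliant_friend": compliant.render("u200", "u100"),
        "caching_stranger": caching.render("u999", "u100"),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the stranger getting "hidden" from the compliant app but Alice's full details from the caching app, which is exactly the situation the policy is meant to prevent: the platform can only enforce a setting on requests that actually reach it.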
In an age when everyone’s personal information is digital in one form or another, everyone has become aware of the risk of personal information getting into the wrong hands. This is why I believe that yes, this is an issue. But, if there is concern over the way that Facebook handles personal information, then the quick and easy fix is just to not put any information on the site that you may not want others to see.
I have created a couple of Facebook applications, and I can attest to Facebook’s good intentions with information handling and to their general security practices, but I won’t be putting my social security number on it anytime soon.