Facebook’s Data-Sharing Mistake

On Tuesday, January 18, 2011, Facebook announced its decision to suspend the controversial feature allowing developers to access users’ home addresses and mobile numbers. The announcement came just days after the social networking website decided to share users’ contact information with third-party app developers. Privacy watchdogs have long decried Facebook’s privacy and security failings, which have affected its more than 500 million users worldwide.

In a statement on its Developer Blog, Facebook said:

“Over the weekend, we got some useful feedback that we could make people more clearly aware of when they are granting access to this data. We agree, and we are making changes to help ensure you only share this information when you intend to do so. We’ll be working to launch these updates as soon as possible, and will be temporarily disabling this feature until those changes are ready.”

Data-Sharing Decision & Responses

The original decision to share user information came on Friday, January 14, 2011. Facebook pointed out that the new feature would allow a user to “easily share your address and mobile phone with a shopping site to streamline the checkout process, or sign up for up-to-the-minute alerts on special deals directly to your mobile phone.”

The surprising decision triggered public backlash against Facebook’s privacy practices. Although app developers could only gather contact information if users had allowed them to do so, observers pointed out that users are often confronted with too many apps that are deceptive about allowing access.

It is also commonly known that many users click through permission dialog boxes without pausing to read their contents. Inundated with permission requests, users respond to the constant dialog boxes by agreeing to everything without considering the potential negative consequences.

Critics responded strongly to Facebook’s new data-sharing practices. The marketing and media site The Drum commented:

“[This] raises questions as to how an organization, which ought to have been sensitive to privacy concerns following previous controversies, could have launched such an unheralded change, on a Friday evening, without fully thinking through the consequences.”

Graham Cluley, a technology consultant with the IT security firm Sophos, called the new practices a “recipe for disaster,” pointing to the array of scam applications that have overrun the social network.

Suggested alternatives

Commenters suggested that Facebook ought to pre-approve developers before they are able to gain access to users’ information. The suggested approval process would be similar to the compulsory verification system for iPhone apps. According to a recent Sophos poll, over 95% of respondents supported the idea of Facebook verification of all apps before they are released to users. Currently, Facebook app developers only need to verify their accounts by confirming their mobile number or credit card information. After this process, they can write and release any application they like.

While Facebook does not currently offer this feature, many recommend that the network check applications written for its platform to ensure that they are not malicious. Because this verification is not done, “rogue applications” commonly appear across the social network. Such apps run revenue-generating survey scams, redirect users’ browsers to malicious sites, send spam from a user’s account or steal personal information.

Others suggested that users’ contact information should be accessible only if it is necessary for the purposes of the application. At the very least, the application should specifically request users’ permission before gathering their information. Facebook’s announcement on Friday evening led many users to remove their home address and mobile number from their profiles as an immediate measure.


This article takes a look at Facebook’s January 14, 2011 decision to share user data with its application developers. In the face of negative media coverage and public outcry, the social networking site was forced to reverse the changes only three days later. Many users and critics were uncomfortable with the fact that developers were able to access personal information such as their home address and mobile numbers. This article also looks at why this practice is particularly problematic, especially in light of Facebook’s developer and applications policies.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Privacy Concerns – Organizational Practices (II.A.b.)
  • Privacy Expectations – Prominent Notice & Opt-In Consent (II.B.b.)
  • Social Networking Services – System Designs (VI.C.i.)
  • Social Networking Services – Privacy Controls (VI.C.ii.)

1 comment to Facebook’s Data-Sharing Mistake

  • Monex

    “Please note that these permissions only provide access to a user’s address and mobile phone number, not their friends’ addresses or mobile phone numbers,” the Sydney Morning Herald quoted Facebook’s Jeff Bowen as saying. However, Sophos security expert Cluley has raised doubts over the move. “You have to ask yourself – is Facebook putting the safety of its 500 million users as a top priority with this move?” he said. “It won’t take long for scammers to take advantage of this new facility to use for their own criminal ends.” Cluley advised that users should take personal info such as home addresses and mobile numbers off their pages. “You can imagine, for instance, that bad guys could set up a rogue app that collects mobile phone numbers and then uses that information for the purposes of SMS spamming or sells on the data to cold-calling companies,” he said.
