Adrienne Felt (felt@virginia.edu)

David Evans (evans@cs.virginia.edu)

Press Coverage & Related Links: Washington Chronicle; Dark Reading article; WCAV TV segment; UVA Today article; CNET blog article; My Fbook XSS hack; Joy of Tech comic
The Facebook Platform lets Facebook users add gadgets to their profiles and play with third-party applications without leaving the Facebook site. It's been a wild success: the most popular Facebook applications have around 24 million users, and competing social networking sites have moved to create their own imitation platforms.

However, although these open platforms enable cool features, they also pose serious privacy risks. When Jane installs a Facebook application, the application is given the ability to see anything that Jane can see. This means that the application can request information about Jane, her friends, and her fellow network members. The owner of the application is free to collect, look at, and potentially misuse this information. The Facebook Terms of Use agreement tells application developers not to do this, but Facebook has no way of finding out or stopping them.

Users view their profiles on social networking sites as a form of self-expression, but these profiles also have commercial value to marketing companies, competing networking sites, and identity thieves. Data mining through the development platform can potentially affect more people than screen scraping, because it exposes information that might otherwise be hidden (i.e., users with "private" profiles may still install applications).

If a user wants to install an application, she must grant that application full privileges. Privacy settings can be applied to friends' applications, but one standard is set for all applications. There's no way to say, "X gets my hometown but Y only gets my favorite music." The principle of least authority, a security design principle, states that an actor should only be given the privileges needed to perform a job. In other words, an application that doesn't need private information shouldn't be given any.
We (with the help of Andrew Spisak) performed a systematic review of the top 150 Facebook applications in October 2007 and examined their information needs.
We found that 8.7% didn't need any information; 82% used public data (name, network, list of friends); and only 9.3% needed private information (e.g., birthday). Since all of the applications are given full access to private data, this means that 90.7% of applications are being given more privileges than they need.
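As an added illustration (not Facebook Platform code and not the authors' tooling), the sketch below shows a per-application least-authority grant of the "X gets my hometown but Y only gets my favorite music" kind, and an audit that reproduces the over-privilege figure. The field names, the profile, and the 13 / 123 / 14 split over 150 applications are assumptions constructed to match the reported percentages.

```python
# Added illustration; not Facebook Platform code. Field names are assumptions.
PUBLIC_FIELDS = {"name", "network", "friends"}               # the page's "public data"
PRIVATE_FIELDS = {"birthday", "hometown", "favorite_music"}  # hypothetical private fields


def tier(needed):
    """Classify an application by the most sensitive data it actually needs."""
    if not needed:
        return "none"
    return "public" if needed <= PUBLIC_FIELDS else "private"


def scoped_view(profile, needed):
    """Least-authority grant: release only the fields this application declared."""
    unknown = needed - (PUBLIC_FIELDS | PRIVATE_FIELDS)
    if unknown:
        raise ValueError(f"undeclared field(s): {sorted(unknown)}")
    return {field: value for field, value in profile.items() if field in needed}


def audit(apps):
    """Count applications per tier and the share that an all-or-nothing grant
    gives private data they do not need (tiers 'none' and 'public')."""
    counts = {"none": 0, "public": 0, "private": 0}
    for needed in apps.values():
        counts[tier(needed)] += 1
    over = counts["none"] + counts["public"]
    return counts, round(100 * over / len(apps), 1)


# Constructed sample data: a profile for "Jane" and 150 placeholder applications
# whose split (13 / 123 / 14) is chosen to match the percentages reported above.
JANE = {"name": "Jane", "network": "Example U", "friends": ["Ann", "Bob"],
        "birthday": "01-01", "hometown": "Springfield", "favorite_music": "jazz"}
SAMPLE_APPS = {f"app{i}": set() for i in range(13)}
SAMPLE_APPS.update({f"app{i}": {"name", "friends"} for i in range(13, 136)})
SAMPLE_APPS.update({f"app{i}": {"name", "birthday"} for i in range(136, 150)})

if __name__ == "__main__":
    print(scoped_view(JANE, {"hometown"}))        # application X
    print(scoped_view(JANE, {"favorite_music"}))  # application Y
    print(audit(SAMPLE_APPS))
```

Under this model an application that declares no fields receives an empty view, which is what the principle of least authority asks for.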