Change in policy
Application developers should be subject to the same restrictions as any other user. Users understand privacy settings from their experience with a social networking site's web interface, and most likely do not understand what is going on behind the scenes of the Facebook Platform. (The Terms of Service warning screen is meaningless because every application has it.) It is reasonable to believe that users want their web interface privacy settings to be upheld for all users, including application owners. Users should not be forced to sacrifice their privacy to use the latest "cool" features of a website, especially when those features don't even require access to the information!

Most applications don't need direct access to user data. They simply request information about one user and display it later. We propose a data hiding scheme called privacy-by-proxy, in which third parties are given fake "placeholder" data instead of real information. This is possible because Facebook has control over the output of applications. When the fake placeholder data is displayed by the application, Facebook can turn it back into the real information for the viewer to see it correctly. Users can be made anonymous with this scheme, and third party developers never get to see user information.

Facebook already employs FBML, a proprietary markup language. Reading in FBML and translating it to regular XHTML requires a processing phase. Data transformation and restoration would simply be included as part of this processing phase. FBML would need to be extended with a few new tags to mitigate the effect of the removal of real data, but the majority of applications can be accomodated. From some small-scale experiments, we don't believe the overhead would be too great. A small number of restrictions on the requesting of public information of strangers would need to be put in place to prevent known-data de-anonymization attacks.

We (with the help of Andrew Spisak) performed a systematic review of the top 150 Facebook applications in October 2007 and looked at how they used information. We found that 94% would be satisfied with privacy-by-proxy.

information needs of 150 top Facebook applications

The remaining 6% of applications do some kind of behind-the-scenes processing that will not work with fake placeholder data. (For example, one assigned a word to each letter in a person's name; this won't work if the application doesn't have access to the name.) These applications can directly prompt the user for information, so that the connection between the data request and data use is close and intuitive.