Apps connected to Facebook have long been a threat to users’ privacy, and the recent news about Cambridge Analytica is the very sort of danger that we’ve been warning people about for some time. Facebook has made a substantial effort to improve users’ privacy in terms of other Facebook users and non-Facebook users who might be Googling them, adding a long list of settings to its privacy menu.
However, apps connected to Facebook have their own privacy settings that aren’t covered in the obvious menus. Furthermore, while developers on Facebook’s platform are required to abide by strict data protection rules, it would appear that Facebook’s enforcement of those rules only extends to banishment after a violation has occurred. Facebook can do little to stop bad behavior until after the damage is done.
When you connect an app to Facebook, you are often required to give that app permissions to view information about your profile. This happens any time you log in with Facebook on another site, ranging from shopping sites like Amazon to tools, music and media streaming services, quizzes, surveys, and games. An app developer can request some 40 different permissions, all but three of which require review by Facebook staff before the app can be connected to the social network.
Those three “basic” permissions include a user’s friends lists, email address, and public profile info—what appears to non-Facebook friends who look at your account. In turn, the app developer can get their hands on the public profiles of everyone on the app user’s friends list. This is why even though only 270,000 people used the app to take a survey, the data of over 50 million users was accessed by Cambridge Analytica.
According to Facebook, basic profile information can include:
- Name
- Profile picture
- Cover photo
- Gender
- School
- Workplace
- Username
- User ID
- Age
- Language
- Country
If you installed the app, the developer can access all of this information from everyone in your friends list without your friends’ consent. Similarly, if your friend connects an app to Facebook, that app can extract data from your profile without your knowledge or direct consent.
How to stop companies like Cambridge Analytica from accessing your account
Facebook users can and should take matters into their own hands. Short of deleting your account, you can disable the option to allow friends’ apps to glean information from your account. This setting is not in the Privacy menu as you might expect, but rather in the Apps menu—most people don’t look here, and Facebook never instructs users to do so in its “Privacy Checkups.” By disabling this feature, you can prevent companies like Cambridge Analytica from getting their hands on your data through friends’ apps.
If you believe your data has already been compromised, Facebook offers a little-known resource:
- In Facebook’s Apps menu, click on an app and hit the Edit button.
- Scroll down through the permissions (which you should also set to a minimum) to find your application ID.
- Contact the developer, request your information be deleted, and give them the application ID so they know exactly what information to delete.
Whether a company like Cambridge Analytica would actually comply is questionable, though, and the company stated it already deleted Facebook user data from its servers.
Facebook users should also limit what information is available on their public profiles. Remove info like age, location, gender, school, and workplace.
Remove your Facebook profile from search results. Even if you block friends’ apps from accessing your profile, some information is publicly posted and can be found via other means such as Google. You can stop Google and other search engines from indexing your profile in the Privacy tab of Facebook’s settings menu.
Remove any apps you don’t use in the apps menu. For the apps you insist on keeping, limit their permissions to the minimum.
Facebook has several other privacy and security settings worth sifting through to limit access to your account by third parties. Follow along through this Facebook privacy checklist to make your account as secure as possible.
On a general note, be picky about what apps and services you connect to Facebook. Don’t be tempted by games, surveys, and quizzes that require a Facebook login. Once you connect an app to your profile, it remains there indefinitely until you remove it, and it can collect data about you the whole time. Haphazardly connecting apps not only puts your own data at risk but also your friends’ data.
Did Cambridge Analytica violate Facebook’s rules?
Facebook actually has quite strict rules for developers about how they use account data, and Facebook says Cambridge Analytica broke those rules. To Facebook’s credit, its platform policy states, “Only use friend data (including friends list) in the person’s experience in your app.” The platform asks developers to get user consent to use any Facebook data outside an app or in an ad.
Cambridge Analytica didn’t create the app. It was contracted out to a professor who built the app as a seemingly harmless survey. That professor then allegedly handed over the user data collected through the app to Cambridge Analytica. This would also appear to violate the social network’s platform policy:
“Protect the information you receive from us against unauthorized access, use, or disclosure. For example, don’t use data obtained from us to provide tools that are used for surveillance.”
Furthermore, the policy states:
“Don’t sell, license, or purchase any data obtained from us or our services.”
Cambridge Analytica denies using Facebook data in its work for the Trump campaign and says it deleted the data after finding out it was obtained in violation of Facebook’s rules. A whistleblower who worked for the company, however, says the data formed a foundation for Cambridge Analytica’s work, and the data was not deleted as it should have been.
But more to the point, what enforcement mechanisms other than banishment after the fact does Facebook have to prevent such incidents from happening again? It would seem that Facebook can do little to stem abuse until after the damage has been done, despite its review process.
Isn’t basic profile info public?
Some onlookers have pointed out the information contained in public profiles is, well, public. Indeed, the information that Cambridge Analytica took via app users’ friends lists can often be found just by Googling a particular person’s profile.
In order to get 50 million users’ public profile data using publicly available channels, though, Cambridge Analytica would have had to use a scraper or some other form of automated data collection. This would violate Facebook’s terms of use, but again, Facebook has little means of enforcement until after the damage is done. Facebook does give users the option to stop search engines indexing their profiles and posting them in search results.