
January 25, 2008

Facebook Apps Have Access to More Info Than They Need

Chris Soghoian has some interesting thoughts on a recent University of Virginia study on Facebook application security. Nutshell: Facebook apps have access to way more information than they need to do their jobs.

"Some applications may make use of all this data, but as researchers from the University of Virginia have detailed in a recent report, Facebook provides applications with access to far more private user information than they need to function. Adrienne Felt, a student and lead researcher on the project, told me that of the top 150 applications they examined in October 2007, '8.7 percent didn't need any information; 82 percent used public data (name, network, list of friends); and only 9.3 percent needed private information (e.g., birthday). Since all of the applications are given full access to private data, this means that 90.7 percent of applications are being given more privileges than they need.'

"Felt condemned this practice, and said that it violated the idea of least authority, an important security design principle that states that an actor should only be given the privileges needed to perform a job. In other words, she said, an application that doesn't need private information shouldn't be given any.

"'Regardless of the click-through disclaimer that Facebook makes users accept, I don't think people understand what's happening to their data behind the scenes. If applications don't appear to use private data--but then they all have this same standard click-through screen--how can users differentiate between applications that really need access to data and all the rest?'"
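The least-authority principle Felt describes, as a worked example added here (this is not code from the original post, from Facebook, or from the UVa study): a hypothetical platform where each app declares the profile fields it needs and a gate grants exactly those, placed beside a "full" policy that mirrors the hand-everything-over behaviour the study criticises. The field names, the sample profile and the three app manifests are constructed for illustration, and the accounting is per field, which is finer than the study's public/private split.

```python
"""Least-authority gate for third-party app access to profile data.

Added example, not code from the original post, Facebook or the UVa
study. Field names, the sample profile and the app manifests below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Split follows the categories quoted from the study: public data
# (name, network, friends) versus private data such as birthday.
PUBLIC_FIELDS = frozenset({"name", "network", "friends"})
PRIVATE_FIELDS = frozenset({"birthday", "email", "relationship_status", "hometown"})
ALL_FIELDS = PUBLIC_FIELDS | PRIVATE_FIELDS

# Constructed sample profile (not real data).
SAMPLE_PROFILE: Dict[str, object] = {
    "name": "A. User",
    "network": "Example University",
    "friends": ["B. User", "C. User"],
    "birthday": "1989-04-12",
    "email": "a.user@example.edu",
    "relationship_status": "single",
    "hometown": "Springfield",
}


@dataclass(frozen=True)
class AppManifest:
    """What an app declares it needs. Hypothetical: the 2007 platform
    had no such declaration, which is exactly the study's complaint."""
    name: str
    requested: FrozenSet[str]


class ScopedProfile:
    """Read-only view exposing only the granted fields. Any other read
    fails closed, and every successful read is recorded for auditing."""

    def __init__(self, profile: Dict[str, object], granted: FrozenSet[str]):
        self.granted = granted
        self._data = {k: v for k, v in profile.items() if k in granted}
        self.accessed: set = set()

    def get(self, name: str) -> object:
        if name not in self.granted:
            raise PermissionError(f"field {name!r} not granted to this app")
        self.accessed.add(name)
        return self._data[name]


def grant(app: AppManifest, profile: Dict[str, object], policy: str) -> ScopedProfile:
    """policy='full' mirrors the behaviour the study criticises (every app
    gets every field); policy='least' grants exactly the declared fields."""
    if policy == "full":
        granted = ALL_FIELDS
    elif policy == "least":
        unknown = app.requested - ALL_FIELDS
        if unknown:
            raise ValueError(f"unknown fields requested: {sorted(unknown)}")
        granted = app.requested
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return ScopedProfile(profile, granted)


def excess_privilege(app: AppManifest, view: ScopedProfile) -> FrozenSet[str]:
    """Fields the platform handed over that the app never declared a need for."""
    return view.granted - app.requested


def classify(apps: Iterable[AppManifest]) -> Dict[str, List[str]]:
    """Bucket apps the way the study did: need nothing, public only, or private."""
    buckets: Dict[str, List[str]] = {"none": [], "public": [], "private": []}
    for app in apps:
        if not app.requested:
            buckets["none"].append(app.name)
        elif app.requested & PRIVATE_FIELDS:
            buckets["private"].append(app.name)
        else:
            buckets["public"].append(app.name)
    return buckets


def overprivileged_share(apps: Iterable[AppManifest], policy: str) -> float:
    """Fraction of apps handed at least one field beyond their declared need."""
    apps = list(apps)
    over = sum(1 for a in apps if excess_privilege(a, grant(a, SAMPLE_PROFILE, policy)))
    return over / len(apps) if apps else 0.0


# Constructed manifests for three hypothetical apps.
SAMPLE_APPS = [
    AppManifest("poke-counter", frozenset()),                      # needs nothing
    AppManifest("friend-ranker", frozenset({"name", "friends"})),  # public only
    AppManifest("horoscope", frozenset({"name", "birthday"})),     # needs private data
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        full = grant(app, SAMPLE_PROFILE, "full")
        least = grant(app, SAMPLE_PROFILE, "least")
        print(app.name, "excess under full:", sorted(excess_privilege(app, full)),
              "| under least:", sorted(excess_privilege(app, least)))
```

Under the "full" policy every app, including the one that asked for nothing, is overprivileged; under "least" none is, and a read of an undeclared field raises instead of silently succeeding. The recorded `accessed` set is what a platform would compare against the declaration to catch apps that declare more than they use.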

And I think, based on this comment from Facebook Chief Privacy Officer Chris Kelly, that it's time to start punishing ill-considered "wisdom of the crowds" invocations:

"Kelly said that users can determine a developer's trustworthiness by looking at their profile page, and that somehow, users can combine to form some kind of intelligent hive mind. 'One of the factors is what applications your friends are installing. Untrusted applications don't get added very often as the collective mind is choosing what is trusted in real time.' He further added that it is 'up to your friends to make that determination in real time. If an application is going to give them some utility, they'll know that the applications have to obey the rules.'"

Soghoian says "I fail to see how thousands of 18-year-olds can collectively assess the data protection practices of some random developer in a foreign land. Remember, these are the same 18-year-olds who post photos of themselves passed out drunk on their public profile pages."

Uh huh.

Hell ... these are the same people, let alone 18-year-olds, who are using Facebook to begin with. The UVa student researcher Soghoian spoke with admitted to installing an app she didn't want to install because she "had a hard time saying no."

Maybe someday, when we have to have the little blue and white "f" logo tattooed to our foreheads to buy groceries or travel in commercial airplanes, I'll regret dumping my account. Until then .... eh.


Posted by mhall at 5:19 PM
