New Facebook Social Features Secretly Add Apps to Your Profile (Updated)
Editor's Note, 12:15 PM PDT: We have updated this story with a response from Facebook.
When a piece of software is automatically installed on your computer without your knowledge, it's called malware. But what do you call it when Facebook apps are added to your profile without your knowledge? We discovered Wednesday that this is actually happening, and stopping it isn't as easy as checking a box in your privacy settings.
If you visit certain sites while logged in to Facebook, an app for those sites will be quietly added to your Facebook profile. You don't have to have a Facebook window open, you don't need to be signed in to these sites for the apps to appear, and there doesn't appear to be an option to opt out anywhere in Facebook's byzantine privacy settings.
These apps appear to be related to Facebook's sharing tools. The sites currently leaving this trail all have Facebook Connect integration, and the list includes heavyweights such as the Gawker network of blogs, the Washington Post, TechCrunch, CNET, New York Magazine, and formspring.me.
It isn't entirely clear what information these apps are pulling from user profiles or feeding back to Facebook. They don't show up automatically on profile pages, but if you go to an application's profile page, you can see a list of your friends who also have that app installed, essentially getting an unintentional peek at their browsing habits. On the other side, there are sites like the Washington Post's, which has a Facebook Network News box showing a list of your friends who have recently shared a Washington Post article on Facebook.
How to block the apps
Opting out of Instant Personalization does not stop these apps from appearing. Unfortunately, removing these kinds of applications requires more vigilance than just un-checking a box.
To see a list of your current Facebook applications, click Account in the top right corner of Facebook, then select Application Settings from the drop-down menu. If you click on the Edit Settings link for one of the new applications, you'll always see one tab called Additional Permissions that has a box that's unchecked by default. Checking it will give that application permission to "Publish recent activity (one line stories) to [your] wall." Sometimes there is a second tab with an option to add a bookmark for that link to your wall. And a few apps also have a Profile tab where you can add a Tab to your profile for that site and pick its privacy level.
Clicking the X to delete an application will temporarily remove it from your applications list, but it will just be re-added when you return to that site. One work-around is to always log out of Facebook before surfing the Web. Another is to block each application after it appears. In order to permanently block an application, you have to click on the Profile link for that application, then click Block Application.
What Facebook intended
There is some evidence of how Facebook's newly rolled-out Open Graph API is supposed to be used for cross-posting comments and reviews on Facebook and external sites. For example, if you are logged in to a site like PCWorld or Macworld using Facebook Connect and you leave a comment on an article, you'll see a pop-up message asking if you'd like to publish the comment as a story to your wall. If you click Publish, the comment will show up in your friends' news feeds. They can choose to block all stories from that site.
It's already been a rough week for Facebook and privacy. Recent issues have revealed a disorganized and buggy platform, and raised concerns about Facebook's ability to responsibly store and manage users' private information. Hopefully this latest issue is just another bug and not a new way of operating for the social networking site.
After this story was published, Facebook spokesperson David Swain contacted us and confirmed that the appearance of unauthorized apps was a bug:
"In this case, there was a bug that was showing applications on a user’s Application Settings page that the user hadn’t authorized. No information was shared with those applications and the user’s list of applications was not shown to anyone but the user. This bug has been fixed."
It does appear that unauthorized apps are no longer being added to users' pages; however, any unwanted applications that were previously added will still need to be removed manually.