Permission Granted: The Link Between Recent Privacy "Breaches"
Facebook has been the subject of intense scrutiny over privacy concerns...again. Or, is it still? Facebook is not alone, however, as Twitter and Android have also been recent targets of privacy ire. Each of these privacy incidents has something else in common as well--they are a result of relationships with third parties that users have approved.
Don't get me wrong--I am not suggesting that Facebook, Google, and Twitter don't have a responsibility to protect privacy, or that they shouldn't play a part in identifying and implementing solutions to provide better privacy controls. However, I am very much suggesting that users look in the mirror and take responsibility for protecting their own privacy before casting stones.
The privacy issue getting all of the attention on Facebook this week is related to Facebook User IDs being inadvertently shared with advertising and Internet tracking entities. However, the issue is being blown severely out of proportion by privacy advocates and the media. The User ID isn't all that private to begin with and doesn't divulge any information that couldn't be found anyway.
A post on the Facebook Developer blog explains, "Press reports have exaggerated the implications of sharing a UID. Knowledge of a UID does not enable anyone to access private user information without explicit user consent. Nevertheless, we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy."
More importantly, the privacy backlash is being directed at the wrong target. The data is being shared by third-party apps like Farmville, not by Facebook itself. The apps have access to marginally sensitive data like the Facebook UID because users expressly granted permission to those third-party companies and willingly engage in sharing information with them.
This is similar to what researchers from Duke University, Penn State University, and Intel Labs found when conducting a study of how Android apps share data using a proof-of-concept tool called TaintDroid. According to a report prepared by the researchers, "Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, we found 68 instances of potential misuse of users' private information across 20 applications."
The privacy issue with Direct Messages (DMs) in Twitter is related to third parties as well. Various apps and add-ons that the Twitter account holder has approved to access the Twitter data can also access the DMs, even though they are ostensibly private communications between the two parties.
The common thread linking each of these heinous breaches of trust is that it is the individual user who granted permission for the third party to access the data. The problem is a result of the broader network of apps and add-ons that extend the functionality and value of platforms like Facebook--not the platform itself.
Facebook, Google, and Twitter can continue to improve security controls in general, and should continue to work with third-party providers to ensure that privacy protection efforts extend beyond the source platform to the broader ecosystem of apps. But, ultimately, users have to take responsibility for their own personal data, and should exercise more discretion in approving access by third parties to potentially sensitive information.