- Facebook has responded to the Cambridge Analytica scandal by saying that it’s already restricted the kinds of information developers can get from users and will further limit that data.
- The company has vowed that users are “in control” of their privacy on its service.
- But when it comes to older apps, users still don’t have control. Many aren’t covered by Facebook’s more restrictive rules.
- Older apps can continue to get access to your data even if you haven’t used them in years.
- Even if you uninstall an app, its developers can hold on to your data unless you specifically ask them to delete it — something that Facebook doesn’t make easy.
At the heart of Facebook’s Cambridge Analytica scandal is something that’s at the core of privacy — the degree to which people can control their personal information.
What’s outraged many people about the scandal is that they lost control of their data. Facebook allowed an app developer to glean information about them and transfer it to a company that planned to use it to influence how they thought about politics — all without their knowledge or consent.
In response to the uproar, Facebook executives have promised— as they have in the past — to give users greater control over their personal data.
“You’re in control of privacy and security on Facebook,” the company states in the new Privacy Shortcuts area of its app.
Except you’re not. At least when it comes to apps, Facebook makes it difficult and sometimes even impossible for users to assert control over their personal data.
Facebook apps have been in the spotlight because of Cambridge Analytica. The research firm convinced a university researcher to design an app to collect data on Facebook users. Although only 270,000 downloaded the app, the researcher was able to get data on some 50 million unwitting users, thanks to a Facebook feature in place at the time.
Company executives have noted that they put in place changes in 2014 that restrict developers’ access to certain user information and bar them from gathering data on their users’ Facebook friends. In response to the crisis, Facebook CEO Mark Zuckerberg announced additional steps, saying the company will look into developers that had access to large amounts of user data in the past and would turn off apps’ access to users’ data if they hadn’t been used in three months or longer.
Those are positive, and much-needed steps. But they don’t really add up to you really being in control of your data.
It’s all about the apps
The big boom in Facebook apps took place before the 2014 rule changes. Users installed dozens, even hundreds of apps, including games they played on Facebook, tools that helped them share photos and other information from smartphone apps with their Facebook friends, and logins that allowed them to identify themselves to web or smartphone apps with just their Facebook credentials.
During this boom, apps could gain access to just about any information that users listed on Facebook, including not just their names and birthdays, but their friends’ lists, religious affiliations, and even the religious and political leanings of their Facebook friends. Users had no way to limit what kinds of data an app accessed. Instead, they faced a binary choice. If they wanted to install an app, they had to grant it permission to access all the data it requested. The only other choice was to just not install the app.
Facebook did give users more say over their data with its 2014 changes. Apps and developers could no longer go through their users to get access to data on users’ friends. The company also said it would start reviewing the kinds of information developers were seeking to get from users, with the threat that it might reject some requests.
Additionally, Facebook gave users the ability to opt out of sharing particular bits of information with developers. If an app requested access to what they listed as their political leanings, users could say no.
But those changes didn’t put users fully in control of their data when it comes apps.
Facebook’s assumptions about your feelings may not be accurate
One big reason: Facebook grandfathered in older apps. Apps that users had installed before Facebook changed the rules could continue to get access to the same data they were able to glean before the rule changes, including information the company now considered out of bounds for newer apps. Facebook might now frown on an app that wanted access to your stated religious beliefs or your relationship status, but if you had installed the app before 2014, it could continue to access that information about you, no problem.
Another reason the changes didn’t empower users is that, when it came to older apps, Facebook adopted an opt-out model for its new granular controls over the information users shared. The company assumed that if users had installed an app in the past, they were comfortable continuing to share with its developers the kinds of information they had shared with it up to that point — even if Facebook itself now felt like developers shouldn’t have access to that information.
So, if you installed Apple’s iMovie, for example, Facebook assumed that you wanted to continue sharing with it your friends’ stated religious beliefs. Users could now turn off access to such information in many cases, but it was up to them to do so.
And Facebook forced users who wanted to opt out of sharing certain information to do so on a one-by-one basis. Instead of being able to say they didn’t want any app to know their relationship status, for example, they’d have to go into the sharing settings for each app and turn off that option.
And before they did any of that, users would have to realize how many apps they had previously installed, know they now had control over what they shared with those app, and could figure out how to navigate to the right area on Facebook to change those settings. My guess is many were like me and didn’t make it that far.
I had lots of apps installed; you probably do too
Until the Cambridge Analytica scandal cropped up, I didn’t have any idea which Facebook apps I’d installed or what data I might have given them access to. It turned out I’d installed dozens and they had access to all kinds of information I don’t necessarily feel comfortable sharing. I wasn’t alone in this realization; my colleague Kif Leswing discovered he’d installed more than 200 Facebook apps.
I installed many of my apps because I was testing out a feature or a smartphone app. I haven’t used the vast majority of them in years. Despite that, their developers have continued to have access to my up-to-date information until the present. You’re likely in the same boat; Facebook permits apps to continue to glean your updated information as long as you have them installed, even if you don’t use them anymore.
The company’s new rules will restrict that access. If you haven’t used an app in three months, Facebook will cut off its access to your latest information — but only your latest data.
You might think that if you delete an app or no longer use it, that should be a good indication to Facebook that you don’t want the app’s developers to have your information anymore. But that’s not the assumption Facebook makes. Instead Facebook allows developers to hold on to any information they’ve gleaned. If you want developers to delete your data, it’s up to you to request that of them.
Getting developers to delete your data is not simple
Potentially Facebook could make that process easy. When you delete an app, Facebook could include a button that says, “click here to ask the developer delete your data.” But the company doesn’t give you that option. Instead, it instructs you to contact the developer yourself. And it may or may not give you an address.
When I deleted Tango app — a messaging app I installed years ago to test for an article I was writing and hadn’t used since — Facebook told me I needed to contact the developer or view its privacy policy if I want Tango to delete my data. Facebook didn’t provide me with an email address, but did link to Tango’s privacy policy, at the bottom of which was an email address I could copy and paste into a mail message.
As Facebook surely knows, by making it so difficult and tedious to figure out how to request that a developer delete your data, few people will likely do it.
Just for kicks, I actually tried with Tango. I emailed the company at the address listed on its privacy policy and asked that it delete my account and any data it had gleaned about me from from Facebook. I included the email addresses I’d used to log into Facebook, figuring Tango could use that to find my account.
Instead, I got back a form email from Tango asking for (yet) more information, including my phone number, the type of device I use and a “brief description of the issue” I’m having. I guess the subject line of my email — “Privacy request//Delete account and personal data” — and the email address to which I sent it — privacy@tango.me — weren’t clear enough about what I wanted.
A Facebook representative declined to comment on the record about whether it was appropriate for Facebook to force users to jump through so many hoops to regain control of their personal data.
The situation is worse if you’ve already deleted an app
But the situation is even worse than all that. If at any time you’ve deleted one of your Facebook apps but no longer remember which ones, you’re out of luck. There’s no way to look up on Facebook which apps you previously had installed — or what data they had access to from your account.
Because Facebook doesn’t require apps to delete your data by default when you remove an app, the developers of those apps may still have access to your data months or even years after you deleted them. And there’s no way for you to know who has access to that data, what data they had access to, what they’re doing with — or even how to contact them.
Again, I ran into this problem myself. Prompted by the Cambridge Analytica scandal, I started going through and deleting my older Facebook apps, many of which I hadn’t used in years. At the time I didn’t think much about contacting developers to ask them to delete my data, figuring it would be a pain to contact them each one-by-one and thinking I could just get around to it after the fact. I found out only later that assumption was wrong.
It’s a good thing that Facebook is giving users more say over who has access to their information. But the control it’s providing is far short of what’s needed — and of what Facebook would do if it truly understood the meaning of privacy.
Leave a Reply
Leave a Reply
This site uses Akismet to reduce spam. Learn how your comment data is processed.
