Okay, so I’ve gotten your invitations to ‘X Me’ and I’ve declined. What’s the deal?
When you add an app on Facebook Platform, the app can see not only your information but all your friends’ information as well. The moment I accept your invitation to add the app ‘X Me’ (or any other Facebook app), I’m essentially writing all my friends’ profile and personal information (birthday, first/last name, hometown) to the database maintained by the makers of ‘X Me’ (see footnote below). I have four issues with that:
1. I shouldn’t be able to give away my friends’ information (as you have already given away mine by adding the app yourself).
2. I hate being ‘baited’ into adding an application (“Your friend has something to tell you: find out when you add ‘X Me’”).
3. It’s false advertising by Facebook. When you add an application, you are offered the chance to allow or deny the following: “Know who I am and access my information”, but if you say ‘yes’ then in fact the app will use the available (lack of) permissioning scheme to access not just your information but your friends’ profile information as well. (And if you say ‘no’ then you can’t use the app at all.)
4. The makers of these apps are just as likely to be identity thieves as software developers (trust me, there are lots of both).
So, what’s a private person to do on Facebook? Of course, you can’t convince all your friends to stop adding suspicious apps. But you can do four things:
1. Blog about this privacy hole in Facebook’s F8 platform.
2. Remove apps that you don’t need (so that further friends are not infected).
3. Don’t add new apps.
4. Create a ‘limited’ profile that contains only a small portion of your data, and check it by default when you add a friend.
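The access model described above and the effect of the ‘limited’ profile, as an added Python sketch that is not part of the original post and does not use any Facebook API. The users, friend graph, field names and the contents of the limited profile are constructed, and it assumes an app sees of each friend whatever the person who installed it is allowed to see.

```python
# Added illustration; users, graph and field names are constructed.
FULL = frozenset({"first_name", "last_name", "birthday", "hometown"})
LIMITED = frozenset({"first_name"})  # assumed contents of a 'limited' profile

# friends[u][f] = which view of f's profile user u is allowed to see
friends = {
    "alice": {"bob": "full", "carol": "full"},
    "bob":   {"alice": "full", "dave": "limited"},  # dave limits what bob sees
    "carol": {"alice": "full"},
    "dave":  {"bob": "full"},
}
installed = {"bob"}  # only bob accepted the app invitation


def exposure(friends, installed, require_subject_consent=False):
    """Return {user: set of profile fields the app can read}.

    Default: the installer's consent also covers the installer's friends,
    which is the behaviour the post objects to.
    require_subject_consent=True: the app only reads people who added it.
    """
    seen = {}
    for installer in installed:
        seen.setdefault(installer, set()).update(FULL)  # installer's own data
        if require_subject_consent:
            continue  # friends' data stays out unless they add the app too
        for friend, view in friends[installer].items():
            fields = FULL if view == "full" else LIMITED
            seen.setdefault(friend, set()).update(fields)
    return seen


def exposed_without_consent(friends, installed):
    """Users whose data reaches the app although they never added it."""
    return {user: fields
            for user, fields in exposure(friends, installed).items()
            if user not in installed}


if __name__ == "__main__":
    for user, fields in sorted(exposed_without_consent(friends, installed).items()):
        print(user, sorted(fields))
```

In this constructed graph one install exposes alice’s full profile and dave’s limited one, while carol, who is not bob’s friend, stays out of reach.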
Footnote (from Facebook’s Terms of Use):
“If you, your friends or members of your network use any Platform Applications, such Platform Applications may access and share certain information about you with others in accordance with your privacy settings as further described in our Privacy Policy.”
Note about ‘X Me’: ‘X Me’ was created by RockYou in San Mateo, a real company whose primary goal is not identity theft but viral marketing. Unless they’re brain-dead, RockYou has already collected the personal information and friend associations of at least 90% of Facebook users.