When you share with Facebook friends, you share with all the apps they use

Raganwald describes a Facebook privacy-leak that's creepy even by Facebook standards. When you sign up for apps, the app-maker has the power to extract all your friends' personal info, assuming they've shared it with you. So anything you share with your friends can be hoovered up by any app they trust. If you'd prefer not to do this, there is a setting buried in the Facebook preferences, and Raganwald walks you through checking it off.

Here’s an app that purports to help people build their “professional network:”

If you share your work history with friends and they use this app, you’ve just silently shared your work history with the people who built this app. And your locations data! I have visions of them selling an employee profiling service: "Mr. Braithwaite claimed to be employed with Initech, but he spent an awful lot of time at Sense Appeal Coffee Roasters during that time period..."

... Look at what you're sharing by default with all of your friends' apps! Selfish bastards that we are, we do not wish to make our friends’ experiences “better and more social” when they use apps that we don’t personally authorize. Turn everything off and save changes. Voila! You’ve stuck another finger in the dike holding back the endless flood of Facebook privacy loopholes.

When you share personal data with Facebook friends, you're sharing your personal data with every app your friends use


  1. I must have made the right sacrifices to the privacy goddesses, cuz almost everything in there was already unchecked for me.

  2. Here (such as this post) and on many other Internet sites there are articles (such as this one) that paint (usually minor) Facebook leaks and flaws as potentially catastrophic creators of mayhem and maliciousness. I know it’s probably not good to post one’s social security number and home address on Facebook or other social networks, but is there any real, hardcore statistical evidence that by unchecking a Facebook preference or two you can assure yourself a safer life?

    Nowadays, whenever I see a small article about Facebook security I tend to simply ignore it (except for this one, of course!) – I mean, are there real stats that show employers are making biased decisions about employees based on Facebook meta-data?

    1. Facebook seems like a very obvious place to look for easy information about a job candidate. It’s often one of the first results if you google a person’s name. If their profile is public, there’s nothing stopping an employer from taking a look. And, to confirm, yes, employers do take a look.

      1. And if they do, and you are homosexual, or an atheist, it should be just and proper to simply assume they didn’t employ you on that basis and sue accordingly. 

        1. Not in France, from my experience. I know of an employer who discovered via Facebook that a candidate was a member of a lesbian taiko drumming group. They just thought it was an unusual hobby to have. They didn’t give two hoots about the candidate’s sexuality. 

        2. If an employer doesn’t hire me because I’m Gay or an Atheist I wouldn’t want to work for them anyway. And I’m not into that whole “suing” thing

          1. You can walk away from a job. Good for you, but so what? Maybe some people, like you, don’t have to care, but others have dependents and debts and must care. And that’s why privacy matters, why fair hiring matters.

          2. “If an employer doesn’t hire me because I’m Gay or an Atheist I wouldn’t want to work for them anyway”

            A very privileged assumption. Plenty of my trans-friends just want to work.

      2. But what if your profile info is private but one of your friends has an app that leaks all that info?

        Facebook is NOT free, you pay for it with your information.

        1. “Facebook is NOT free, you pay for it with your information.”

          Not so granularly, but thanks for giving away my privacy.

    2.  Just those employers demanding you hand over your password or log in so they can troll your account before they will hire you.
      And this isn’t a flaw, this is how Facebook works.
      Remember that whole lawsuit against their app makers for pulling too much info about people?  The issue wasn’t they were doing it, it was that they COULD do it because Facebook cared so little they never turned off that access.  Of course the big ones that make they money weren’t beaten down like the others who did the same thing.

      There was the whole panic over that Girls near me App (or whatever it was called) and everyone called it creepy and exploitative… except all they did was use info people made public (if they paid attention or not about it being out there).  The problem is people are often unaware that a friend of a friend can troll your profile because they aren’t using the same settings you are.

      Insurance companies are making decisions based on Facebook data they troll, because they had a picture of someone clinically depressed smiling they decided she was obviously faking.  Ignore all of the Dr’s she smiled.

      Courts have forced people to make public apologies over Facebook posts, even when they went the extra mile to keep it private.

      Facebook is more concerned about getting paid, they get paid the more data you share (knowingly or unknowingly) that can be scraped and used by someone.  Ask the guy whose Facebook profile pic became the poster child for the 50 gallon drum of lube we all made fun of on Amazon.

      It is one thing to punish a user for being stupid and sharing a post that they are out of town.  It is another thing to allow a 3rd party access to your profile, bypassing your imagined privacy, because someone you’re friends with is a tool who can’t focus long enough to get down 15 levels of privacy settings to untick the boxes leaving your info exposed via them.

      Of course if Facebook cared, there would be a simple setting to bar apps your friends install from getting anything more than your name.  But then it wouldn’t be social, and social in this setting means getting bags of cash for providing that sort of access.

      1.  I don’t disagree with your rant, but your understanding of how the settings work here is incorrect. The Facebook privacy settings do allow you to restrict Facebook from letting your friends give apps access to your profile information. The instructions in the article describe exactly how to do it. Whether or not they work as advertised is another thing, but that thing you were saying that Facebook would do if they cared? They did that.

        1. One shouldn’t have to think about if a friend installs a stupid app that their profile will be up for grabs.
          And one wonders if the ability to shut it off has to do with keeping the FTC happy and out of the way of the IPO?

        2. I don’t disagree with your rant, but when they opt everyone in, rather than out, they’re not “offering” anything.

    3. “Facebook leaks and flaws as potentially catastrophic creators of mayhem and maliciousness.”

      Because Facebook does everything to reduce and remove privacy, and revert your settings with each overhaul.

  3. I’m not sure I’m too worried about the specified scenario either, but what worries me more is I’ve got a few friends that tend to accept rather questionable application requests on Facebook.

    I’m more concerned that through one of them an outright malicious app may get their hands on my personal details without me ever knowing about it or having a chance to stop it.

    All un-checked now though… I feel temporarily safer.

    I reckon it should be illegal for major social platforms to make non-privacy the default. All sharing should be opt-in only.

      1. Really why is Facebook so popular.  No one cares.

        Also when you go and check these horrible evil settings you will see that they are set to exactly the same settings as all your other privacy settings.  I have never set these settings but they match exactly the amount of information anyone not on my list of friends will see.

        1. Because most people cannot imagine that Facebook could be acting as horridly behind their backs as it is.

    1. I love how you have some sort of special insight as to what everyone cares about. Any other grand prognostications to offer?

      As for me, this post has little relevance, because I reached the conclusion FB is inherently malicious long ago, what with the deceptively-styled ads and labyrinthine privacy options replete with pushy and presumptuous defaults… in short, I don’t care how many people are doing it; fuck that noise.

      And you can bet I’m not alone.

    2. Considering the litany of sins committed by FB on a nearly daily basis, I would say that BB is relatively conservative with the amount of related stories they post. 

      Fear mongering is not the same as concern – and you have every reason and right to be concerned about what Facebook is doing with your information. The “sky is falling” indeed, slow though it may be. 

      Once it affects you in a negative manner perhaps you’ll realize why vigilance was so important.

  4. That explains why I couldn’t display the current location of my girlfriend in an app I’m developing right now: she must’ve gone and un-ticked every box she could find. Let’s suggest for a moment that all of one’s friends un-tick all the boxes: Facebook no longer has a platform. My particular app is mostly using friends’ information, e.g. current location, client-side. It greatly enhances the user-experience and never goes near server-side. There’s a balancing act in there, alright, but judging from what’s inaccessible to me via the API, I think Facebook have put a lot of consideration into the pros and cons of information sharing.

    How do you like BranchOut?

    1.  I’ll bet that unsuspecting user action (ie. not checking the privacy settings) is part of their business model.  So every once in a while FB “improves” the site which causes a loss of privacy, then there’s some press about it and they plug the “leak”.  Meanwhile your info is now out there and there’s nothing you can do about it.

  5. I currently have the “Apps you use” setting set to “turn off all apps.”  This disables access to the “How people bring your info to apps they use” menu.  I take this to mean that personal information is blocked from friend’s apps as well, but the setting is not clearly explained.  Can anyone confirm?

  6. I don’t trust my friends which is why I’ve had platform apps disabled since day one. And if you think you can trust your friends then it’s YOU who your friends shouldn’t trust.

    1. I’m boggled by the number of people who use apps.  Mine also have been turned off since day one. 

      What gets me are the people who get irritated when you won’t join the party by sharing all your info with some dumb app they’ve got going.

      1. Why have that sort of people as friends in the first place?

        And as FB friends in the second place?

        1. You must be loads of fun at parties.

          “I’m sorry, I can’t talk to you any more, I just found out you play Farmville.”

          1. I haven’t said that out loud, but I have thought similar things to myself. I don’t talk much at parties anyway though. It’s not an unreasonable filter IMO.

  7. File this under “welcome to the internet”. When you tell someone something … they might tell someone else. When you tell your 800 friends something … they might pass it along to their 800^2 friends and/or corporations as well.

  8. When I was still on Facebook — which I haven’t been for way over a year — I had unchecked every single box on this settings page. I looked through all the privacy settings very carefully. But most people don’t, and FB exploits that in every way they can. And everyone is complaining about Google *shakeshead*. There’s one of the reasons I dumped the crap. Zuckerberg’s infamous leaked “dumb fucks” chat logs and his arrogant comments about privacy and social norms were another.

  9. That farming game must be really nice to make millions of people (and their pets) accept this stuff year after year.

  10. I don’t have a single app on my FB, and now thanks to this post none of my friends can share my information without my consent either.

  11. I wouldn’t use Facebook without the app platform disabled.
    However, about a year ago I just stopped using it, because I don’t trust that they won’t make changes in secret to share my data anyway, and I won’t find out about the checkbox that they hid 14 levels deep in options menus for weeks.

    If they had ONE checkbox that said “don’t ever share anything, ever, with anyone, and I don’t care what “exciting new feature” you add, I really mean it” I’d think about going back.

    But they don’t, and they won’t, because that would strangle their business model.

  12. fortunately, using fb is so optional.

    people that never needed it, nor even felt curiosity about it, are counted by the million; and just like myself, they give a rat ass about this outrage.

  13. Facebook has always been – and always will be – a privacy hazard.  Users are nearly always “opted-in” to every creepy new “feature” by default and nearly always, without their knowledge. It will be none too soon when that festering scab on the face of the World Wide Web goes away.

  14. The thing about social media that concerns me is that it is now reaching a level of pervasive use that being invisible to it could be considered a mark against a person. Not necessarily overtly, but imagine the hiring process where later round candidates are evaluated. On the one hand you’ll have people about whom you have access to this personal information, you can see their friends, their family and their pictures, and on the other you’ve got a person about whom you know basically nothing. Which do you think hiring managers will feel more inclined to trust?

    I value my privacy quite highly and do what I can to make my use of the internet something I can control a prospective employer’s access to. But I also maintain a social network profile tied directly to my professional email and discoverable by the information on my resume. Because I’d rather not seem like a potential Creed Bratton by human resources. I’d rather my private life remain distinct from my professional, which is why I find apps like branchout kind of appalling. Who wants to use the network where their friends invite them to drunk makeout parties to also be where they do their professional networking? Who are those people?

    1. “The thing about social media that concerns me is that it is now reaching a level of pervasive use that being invisible to it could be considered a mark against a person.”

      As if you don’t get to choose who to associate with?

      When I see people taking facebook seriously, I see a red flag, and I go find one of the other 6 billion people in the world to converse with.

  15. What Facebook needs is a system that sends alerts that say:

    “Your friend Bob Smith just subscribed to SomeDumbApp. SomeDumbApp automatically shares everything that you have shared with Bob with Sleaze-O Data Resellers. Sleaze-O Data Resellers now has access to your name, age, gender, sexual orientation, home town, recent status updates, list of friends and other personal data. There is nothing that you can do to prevent this in this case, but if you want to stop this in future, here’s what you have to do …”

    every time it leaks your private information somewhere. 

    Of course the likely result is that about 10% of users would probably be so horrified that they’d never use Facebook again, but the other 90% would just blindly click through all the notifications and bitch about how tiresome Facebook is for bothering them with this stuff.

  16. I’ve said it before and I’ll say it again kids, just because FB asks for all sort of personal information, it does not mean you have to give it. Personally I like the service FB offers. I live far from my family and childhood friends. I love keeping up with what they are doing with their lives. But since they are my friends and family they already know my address, marital status, religion, political views, cell phone number, personal email and what college I attended. Why would I give up this info to Facebook?

  17. Exactly why I deleted my account a year ago. The number of privacy issues is just out of hand.

  18. Except this is so amazingly old.  I changed these settings at least a year ago, if not more.

    I also hate that anything that requires more than a single click, is repeatedly said to be “buried” in the settings.  Sorry if FB actually made different sections to their settings and actually requires you to click on things.  Next time I’m sure they will make one long list, which will no doubt be “too long to find anything.”

  19. It’s not *that* hidden and I’d already turned mine off.

    If you’re really concerned with privacy I suggest going through every privacy screen and check out what it does. Don’t wait for someone to post “The sky is falling – here’s the latest thing you should turn off.”

  20. BranchOut is particularly vile. When somebody you know starts using it, BranchOut immediately posts an advertisement on YOUR wall. Not theirs, yours. BranchOut needs to die.
