Privacy Mirror: A privacy experiment in Facebook

As I previously blogged, I read Canada’s Assistant Privacy Commissioner Elizabeth Denham’s findings on Facebook and it got me thinking about 3rd party applications. I wondered what 3rd party app developers could see in my profile. In my estimation, the easiest way to find out what a 3rd party application developer could see was to become a 3rd party application developer.
Enter Privacy Mirror

I built a basic Facebook application called Privacy Mirror. The goal of Privacy Mirror was to see, as a 3rd party developer, just what information I could glean from my profile via Facebook’s APIs. At first, I used two Facebook API calls:

I wanted to call these APIs, see what data they returned, and that’s that. I had and have no interest in storing any of the data, and, in fact, Facebook deems most of the data I retrieved as unstorable according to their terms and conditions. For those of you who use Privacy Mirror, I want to repeat: I do not store any of the information that is retrieved by the API calls.

Once I got comfortable pulling data out of my profile, I wanted to see how much information I could read from my friends’ profiles. This was especially interesting as none of them authorized Privacy Mirror and none of them knew about it. In essence, I wanted to see how much information a 3rd party application developer could gather from my friends without their knowledge (and barely with mine). To do this, I added one more API call – friends.get. This gave me a list of my friends, and then I called the above APIs to get their data.

Findings

Without their authorization of Privacy Mirror, I could read profile information from all of my friends. I could see all of the profile information that they had allowed 3rd party applications to view via the privacy settings in Facebook. For example, if you were my friend and you allowed 3rd party applications to see your status, Privacy Mirror would show me your status. Now keep in mind, you haven’t authorized Privacy Mirror (i.e. you haven’t added it to your profile).

Cached Privacy Settings

Realizing that applications that my friends have authorized could (and likely do) retrieve information from my profile, I decided to change my Privacy Settings. I had enabled applications to see my profile picture, activities, and basic information. I disabled all of those, except for my profile picture. Rerunning Privacy Mirror – I could see my activities – which I had just explicitly removed from sharing with 3rd parties. I deleted Privacy Mirror, logged out, waited a while, added it back, and lo and behold, I could still see data elements that I instructed Facebook not to share. I have repeated this over the last few days with no change in output – Facebook is returning more information than my privacy settings allow. I have talked to other users of Privacy Mirror and they are reporting the same thing; this removes the objection that because I am the developer of the application there is some sort of special behavior going on.

Something is caching profile information and ignoring the privacy settings directives. There are two alternatives I can think of:

  1. Facebook is caching
  2. My application server is caching

I don’t believe that my application server is caching anything, but I’ll leave this open as a possibility. More likely, Facebook is caching information. This makes sense – there is a lot of infrastructure that FB has to truck my profile through. But if this is true, then why are my privacy settings being ignored? For now – I have no answers, just more questions.
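
One way the behaviour described above could arise, shown as an added toy model (not code from Privacy Mirror or from Facebook; every class and field name is hypothetical and the profile values are constructed): a cache that applies privacy settings only when an entry is filled keeps serving fields after they are disabled, while a cache keyed on a settings version does not.

```python
# Added illustration: a toy model of the caching hypothesis, not Facebook's code.

class ProfileStore:
    """Source of truth: profile fields plus the set of fields apps may read."""
    def __init__(self, fields, app_visible):
        self.fields = dict(fields)
        self.app_visible = set(app_visible)
        self.settings_version = 0

    def set_app_visible(self, allowed):
        self.app_visible = set(allowed)
        self.settings_version += 1  # every privacy change bumps the version

class FilterAtFillCache:
    """Leaky: privacy settings are applied once, when the entry is built."""
    def __init__(self, store):
        self.store = store
        self.entry = None

    def get_for_app(self):
        if self.entry is None:
            s = self.store
            self.entry = {k: v for k, v in s.fields.items() if k in s.app_visible}
        return dict(self.entry)

class VersionedCache:
    """Safe: the entry is tied to a settings version, so a change invalidates it."""
    def __init__(self, store):
        self.store = store
        self.entry = None
        self.version = None

    def get_for_app(self):
        s = self.store
        if self.entry is None or self.version != s.settings_version:
            self.entry = {k: v for k, v in s.fields.items() if k in s.app_visible}
            self.version = s.settings_version
        return dict(self.entry)

def run_experiment(cache_cls):
    """Replays the post's steps: read, tighten settings, read again."""
    store = ProfileStore(
        {"pic": "me.jpg", "activities": "cycling", "basic": "Canada"},  # constructed
        app_visible={"pic", "activities", "basic"},
    )
    cache = cache_cls(store)
    cache.get_for_app()                 # first run warms the cache
    store.set_app_visible({"pic"})      # disable everything except the picture
    return sorted(cache.get_for_app())  # field names an app sees afterwards
```
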

I’ll keep you posted as I learn more about what is going on. In the meantime, I hope you enjoy Privacy Mirror.