Further findings from the Privacy Mirror experiment

I find that I rely on my debugging skills in almost every aspect of my life: cooking, writing, martial arts, photography… And it helps when you’ve got friends who are good debuggers as well. In this case, my friends lent a hand helping me figure out what I was seeing in my Privacy Mirror.

The following is a snapshot of the Application Privacy settings I have set in Facebook:

[Image: Facebook Application Privacy Settings]

Given these settings, I would expect that the Facebook APIs would report only the following to a third-party application developer:

  • My name
  • My networks
  • My friends ids
  • My profile status

With that in mind, I asked two friends to look at my information via the Privacy Mirror. They sent me screenshots of what they saw which included:

  • My name
  • My sex
  • My networks
  • My activities
  • Books
  • Location
  • Education history
  • Hometown info
  • High school info
  • Movies
  • Music

With this latest test, I think I can safely say that my privacy settings are being ignored via API calls to the Facebook platform.

Given that next week is Catalyst, I am not going to have a lot of time to devote to Privacy Mirror, but here’s my plan of attack for the week following:

  • Talk to the original complainants in the report issued by the Canadian Privacy Commissioner.
  • Reach out to the Privacy Commissioner’s office to see if we can compare notes.
  • Start working on my network to find a way to talk to Facebook.

In the meantime, I’d ask you to share Privacy Mirror with your friends to start raising awareness about this interesting issue.


There is one condition that I have yet to test. It may be the case that because I have authorized Privacy Mirror on my profile, my friends can see more of my profile. I’ll repeat this experiment later after removing Privacy Mirror and see if we see the same results.
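The experiment above boils down to a comparison: the fields the privacy settings say an application should receive versus the fields an API response actually contains. The following is an added example of that audit, not code from Privacy Mirror or from Facebook's API; the field names and the sample payload are constructed to mirror the two lists in the post, and it also includes a helper for the repeat run described above, which flags when a second capture is identical to the first so a stale or cached response is not mistaken for a genuine result.

```python
"""Audit a profile payload returned through an application API against the
fields a user's privacy settings say an application should receive.

Constructed example: ALLOWED_FIELDS stands in for the four items the post
expects an application to get; OBSERVED_PAYLOAD approximates what the
author's friends reported seeing. The identifiers are assumptions, not
Facebook's real API field names.
"""
from dataclasses import dataclass

# Fields an application should receive under the author's settings
# (assumed identifiers, chosen to match the post's bullet list).
ALLOWED_FIELDS = frozenset({"name", "networks", "friend_ids", "status"})

# Constructed payload approximating the friends' screenshots.
OBSERVED_PAYLOAD = {
    "name": "Example User",
    "sex": "unspecified",
    "networks": ["Example Network"],
    "activities": "debugging, cooking, photography",
    "books": ["Example Book"],
    "location": "Example City",
    "education_history": [{"school": "Example University"}],
    "hometown": "Example Town",
    "high_school": "Example High",
    "movies": ["Example Movie"],
    "music": ["Example Band"],
    "friend_ids": [],   # returned empty, so treated as "not returned"
    "status": None,
}


@dataclass(frozen=True)
class AuditResult:
    unexpected: tuple  # populated fields the settings should have withheld
    missing: tuple     # allowed fields absent or empty in the payload

    @property
    def settings_respected(self) -> bool:
        # Settings are honoured only if nothing beyond the allow-list leaked;
        # a missing allowed field is informational, not a violation.
        return not self.unexpected


def _is_populated(value) -> bool:
    """Treat None, empty strings and empty containers as 'not returned'."""
    return value not in (None, "", [], {}, ())


def _populated(payload: dict) -> dict:
    return {k: v for k, v in payload.items() if _is_populated(v)}


def audit_exposure(allowed, payload: dict) -> AuditResult:
    """Compare what the API returned with what the settings permit."""
    present = set(_populated(payload))
    unexpected = tuple(sorted(present - set(allowed)))
    missing = tuple(sorted(set(allowed) - present))
    return AuditResult(unexpected, missing)


def runs_differ(before: dict, after: dict) -> bool:
    """True if two captures taken around a settings change differ at all.

    A capture that is byte-for-byte identical after a settings change is a
    signal that the response may be stale or cached rather than evidence
    about the settings themselves, so the caller should repeat it later.
    """
    return _populated(before) != _populated(after)


if __name__ == "__main__":
    result = audit_exposure(ALLOWED_FIELDS, OBSERVED_PAYLOAD)
    print("settings respected:", result.settings_respected)
    print("unexpected fields:", ", ".join(result.unexpected))
    print("allowed but not returned:", ", ".join(result.missing))
```

Running it on the constructed payload reports the nine fields that should not have appeared and notes that friend ids and status came back empty. The useful property of `audit_exposure` is that it is driven by an allow-list, so a field the tester did not think to look for still shows up as unexpected.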

3 thoughts on “Further findings from the Privacy Mirror experiment”

  1. Are you sure there’s no caching going on? I tried two test cases:

    1. A friend’s application privacy settings basically blocked everything, and then I tried the privacy mirror on their profile. Basically nothing came up.
    2. A friend’s application privacy settings allowed everything, tried the privacy mirror on them, everything came up. Then I had their settings changed to basically nothing, tried the privacy mirror on them again, and saw no change from before.

    The app did respect profile restrictions; e.g. I removed access to certain fields for one friend, then tried the privacy mirror on my account from theirs, and the fields did not show up.

    Great work btw – I and a few others have some ideas for raising user awareness on these issues. Send me an e-mail if you’d like to join in the efforts. I think part of the problem lies not simply in users being unaware of how much data an app can access, but not understanding how apps work to begin with.

  2. Just saw your previous post talking about caching – my bad. But I do think it’s related to the application, based on another experiment.

    In my first test case, the friend was one who had not ever authorized the privacy mirror. After that friend authorized the privacy mirror, I went back to my account and tried the privacy mirror on them again. This time, all of their info came up.

    Removing the application probably wouldn’t have an effect, since an app developer is not notified when an application is removed and thus does not know to delete any data associated with that user.
