The last part of my series on apps and privacy has gone up over at Gartner.
I had let Privacy Mirror languish for a bit, and having found a free few hours, I decided to update Privacy Mirror to take advantage of Facebook’s Graph API. (For those of you not familiar with my Privacy Mirror experiment, it is a very basic app that explores what personal data apps can see via your friends.) Since I last updated Privacy Mirror, Facebook rolled out two major features. The first was the previously mentioned Graph API, which is a RESTful API that results Facebook data as JSON.
The second, and frankly the more interesting, was extended permissions. The newish extended permissions govern how apps can access data and how users are informed of this use. It is these extended permissions at the bottom of the recent kerfuffle over Facebook allowing app developers access to phone numbers and addresses. (Ars Technica did a good job over covering this, and here is Facebook’s current response.)
Extended permissions work like this. First, an app developer encodes a request for access to various pieces of your profile data, as well as pieces of your friends’ profile data. Second, when you add the app to your profile, the app asks you for your permission. The following is a picture of what it looks like when Privacy Mirror asks for access to your and your friends’ information.
It is crucial important to notice that you as an app user can only agree to the use of all the requested information (as opposed to individual pieces.) Also, the app user cannot say that the app can have permission to her own data but not that of her friends. (See my series “I ‘like’ you, but I hate you apps” for the implications of this coarse-grained control.) Third, once the app has your permission, it goes off and does what it doe
I have to say, I like the spirit of the extended permissions. I like the fact that developers must ask for permission and I like that users must grant that permission. But I am very troubled by the lack of granular control afforded to the user.
Also, Facebook has not addressed what I feel to be a much bigger privacy issue: the mistreatment of relationship between people and their apps. If I have an app and you don’t use the same app, then that app can only see the elements of your profile that you have allowed applications to see. (This is controlled via the Account > Privacy Settings > Apps, Games and Websites > Info accessible through your friends settings.) But if you and I both have the same app on our profile, then the app can see the elements of your profile that you can granted me access to see. In this sense, the app executes with my permissions based on our relationship. But you have a relationship with me, not my apps. This is subtle and remains an critical unsolved problem.
I’ve been doing a lot of thinking lately about how the apps on our smartphones and Facebook profiles introduce strangers into our interactions. I’ve broken my thoughts up into a three-part post over on my Gartner blog. Check out part 1 and give me your thoughts on it.
My series of posts related to Facebook and The Washington Post has become very interesting today. Luke provided some insightful feedback on WaPo’s use of an iframe served up to provide a socially-connected experience, and in doing so he raised an interesting point. He said:
The opt-in question is interesting. Since no information is being transferred, it’s not clear that there’s anything to opt into. I think the social plugins work the same as myriad other plugins and ad networks around the internet, with the exception that it’s more obvious to the user what’s happening. If users needed to click a button in order to see personalized stories, then the vast majority wouldn’t get to experience the value that’s created.
For a little clarity here, the opt-in refers to The Washington Post’s Network News feature. If you opt-in (which was the default) you get the Facebook iframe which shows you friend activity with respect to the Post. If you opt-out, your version of www.washingtonpost.com doesn’t include the iframe.
Two points. First, the Washington Post’s decision to opt all of their users in by default is an awful one because it presents an asymmetry of relationship to people not prepared to deal with it. I have a relationship with WaPo. I have a relationship with Facebook. By opting me in, I suddenly see that WaPo and Facebook have a relationship and it seems to center around me. (Now in reality, it isn’t all about me, but from a user’s perspective it is.) This sudden presentation of relationship, even though no data is being passed, lacks a context and explanation that would make it more palatable, if not more desirous, to users.
Second, even though there is no data transfer, there very clearly is something to opt-in to: an N-way relationship. Me, the Washington Post, Facebook, and my friends who also read the Washington Post are all connected in the social graph once I opt-in. I’ll give Luke that no data is transferred, but by forming edges between between up-until-then disconnected nodes something new is created (a relationship) and users ought to have control over that. This is very similar to my Privacy Mirror findings. I have a relationship with my friends. I do not have a relationship with my friends apps, and likely I don’t want one. And yet, it seems that the social graph doesn’t make that distinction: an edge is an edge is an edge.
By revealing asymmetrical relationship and by opting me into a ready-baked relationship without providing choice leads to uncomfortable users to say the least.
In the end, this thread is more an illustration of how the transition to a social web cannot, should not, and must not be made in one bound. Websites like The Washington Post have to better educate their users about the richness of experience connecting to the social graph can bring while respecting user choice.