Facebook Limits App Access to Users Data
Facebook has announced a series of changes to its developer platform to implement tighter user privacy controls and limit how apps can access to user data.
The changes were initially mentioned last week, when the social platform came under fire after reports emerged that millions of Facebook users’ personal data was harvested by British firm Cambridge Analytica.
Facebook CEO Mark Zuckerberg apologized for the incident last week and said tighter controls would be coming. Also last week, Facebook paused app review in preparation for the upcoming changes to its developer platform.
The first of the announced privacy improvements have been already implemented, but more are planned for the near future.
“These are critical steps that involve reviewing developers’ actions for evidence of misuse, implementing additional measures to protect data, and giving people more control of their information,” Facebook now says.
The first major change Facebook made toward improved user privacy was to prevent applications from “seeing” a person in one’s friends list unless both users have decided to share their list of friends with the app.
“In order for a person to show up in one person’s friend list, both people must have decided to share their list of friends with your app and not disabled that permission during login. Also both friends must have been asked for user_friends during the login process,” Facebook explains.
Moving forth, the social platform plans investigating all apps that had access to large amounts of user data before that access was restricted in 2014. Facebook will ban developers from its platform if they are found to have misused personally identifiable information and will notify everyone who used the application.
The company will also require for developers who build applications for other businesses to comply with rigorous policies and terms that will be revealed within the following weeks.
Facebook also plans on encouraging people to manage the apps they use, making it easier for them to revoke apps’ ability to use their data. Users will find it easier to learn what apps are connected to their accounts and to control the data these apps have access to.
On top of that, Facebook also plans on expanding its bug bounty program to allow users file reports when data is misused by app developers, a move that many security experts approve of.
Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team, told SecurityWeek in an emailed comment that this move could “start a trend toward more policy-oriented bug bounties from social media platforms.”
“This move by Facebook really makes a lot of sense to me. By expanding their bounty program to include data misuse by app developers, Facebook may have found a way to mobilize their community to self-police. It will be interesting to see if this if spurs new bug bounty participation including people less technical than the typical bug hunter,” he said.
Ilia Kolochenko, CEO of web security company High-Tech Bridge, also believes that this step could determine other companies to start similar moves that would allow them to avoid severe sanctions for privacy violations.
“This is an exciting shift in the bug bounty industry, which untill now has focused on security vulnerabilities. Facebook is the first major company that is asking for researchers to identify data privacy issues. With the GDPR coming into force in a couple of months, data privacy is now high on many organizations’ agendas,” Kolochenko said.
Last week, Facebook said it would make its privacy tools more visible to its users, and today the company announced that it has already implemented the necessary changes.
The settings menu on mobile devices was redesigned, with all the necessary tools now available in a single place and cleared outdated settings to make it obvious what information can and can’t be shared with apps.
Facebook also implemented a new Privacy Shortcuts menu, where users can control their data with just a few taps, in addition to finding clearer explanations of how the controls work.
Now, users can add more layers of protection, such as two-factor authentication, can review the data they’ve shared and delete it, can manage the information the platform uses to show ads, and can also manage who sees their posts and the information included on their profiles.
Users can also find, download, and delete their Facebook data, via the Access Your Information option, where management of posts, reactions, comments, and things searched for is possible. Users can delete any information they no longer want on Facebook and can also download a copy of the data shared with Facebook.
Facebook also plans on updating its terms of service and data policy to make it clearer what data is collected and how it is used.
“These updates are about transparency – not about gaining new rights to collect, use, or share data,” Erin Egan, VP and Chief Privacy Officer, Policy and Ashlie Beringer, VP and Deputy General Counsel, Facebook, said.
Ionut Arghire is an international correspondent for SecurityWeek.