For a few days, Facebook was providing a user’s phone number and address available, with the user’s permission, via its Facebook Graph API. Likely fueled by distrust of Facebook’s previous approaches to privacy, users and press reacted negatively to the concept. Based on this feedback, Facebook reversed its decision and neither phone or address is returned to applications at this time. Privacy is a big concern, especially for APIs, but Facebook took appropriate steps for gaining user permission. The reaction to Facebook’s platform change was an overreaction, which points to a need for more granular privacy controls and a better method of granting access.
In Facebook’s original announcement, it made clear that the new data requires a specific request from a user and that only their own data is accessible:
Please note that these permissions only provide access to a user’s address and mobile phone number, not their friend’s addresses or mobile phone numbers.
Still, All Facebook correctly guessed that it was trouble waiting to happen. Users flocked to the announcement to complain and plenty of technology blogs covered the hoopla. Some saw the new feature as allowing applications access to phone numbers and addresses of a user’s friends, which Facebook does not share. Most felt that even making a user’s own data available to applications was too much.
Though Facebook made the contact information portion of its permission box visually distinct, most felt that it was not distinct enough. GigaOm was one to make a common argument, blindly provide permission to an app:
Many people probably won’t notice the addition of the words “current address and mobile phone number” to the text in the request window, and will likely click “allow” without realizing they’re granting so much access to their data.
Facebook apparently agrees and is “making changes to help ensure you only share this information when you intend to do so.” Others have given the social network ideas in the comments and blog posts. Ideas range from highlighting the most private information, to allowing users to deselect certain types of data.
Jules Polonetsky, former Chief Privacy Officer at AOL, commented that the solution is better communication to the end user. “If folks understand clearly why an app wants to use phone/address, say to ship an item you ordered, they may be cool going ahead with sharing,” Polonetsky wrote.
Privacy is something that companies, developers and users all need to learn to manage. Facebook is taking the brunt of the arrows because it is leading the way with identity on the web. Many other sites are also collecting our personal information, such as when we share our location on Foursquare. Great apps can be built when we agree to allow developers access to our data, but that requires everyone understanding exactly what that means.