Who Gets Your Personal Information on Facebook?

Are you one of the 350 million Facebook users? I’m a big fan of Facebook and like many I connect daily to see what my friends are doing and to share photos. As a security professional I am very careful about what I post and what information I allow to be shared. In that respect I’m unique. It surprises me how many of my friends will refuse to allow companies to share their information but eagerly give away their personal information to application developers on Facebook.

My friend Diana sent me some Christmas cheer. How could that be a bad thing right? Well, if I accept her cheer I’m sharing my personal information and all my friends with a company called Mob Science who has no physical address or privacy policy posted on their website.

Who are these application developers you’re giving your personal information too. One of the most popular developers is San Francisco based Zynga. They’re responsible for the games Farmville, YoVille, Mafia Wars, RollerCoaster Kingdom, Scrabble and dozens more. You’ll never be offered a chance to read Zynga’s privacy policy but the information is typical. They say only your name, address and gender are collected. As in most privacy policies they protect themselves with vague statements like “we don't generally collect any “Personally Identifying Information” about our users”.

I’m not saying the folks at Zynga are evil or have bad intent but I doubt most users realize they’re providing information to this or other little known companies. Most people mistakenly believe it’s just all part of the Facebook experience.

It’s not just the games. When you take a quiz, or even donate to “Causes” you’re providing access your personal information. When you create or join a “Cause” you’re registering your personal information with Berkeley based Philotic Inc, started by Sean Parker, one of the brilliant co-founders of Napster.

If you’re a fan of Farm Town, you’ve registered with Florida based SlashKey. Popular game provider MindJolt.com is another one that doesn’t include any physical address or privacy policy on their website. The number two Facebook developer Playfish acknowledges “We collect the following personal data from you … : your date of birth, gender and your contact details including the country where you live and any phone number(s) or email address(es) that you provide.” In addition, “We may use a third party to serve advertisements on our site. Cookies may be associated with these advertisements … We do not have access to or control of cookies placed by third parties.”

In the grand scheme of things the dangers from sharing your information with these companies may still be minor compared to other risks. I wanted to focus on 3rd party Facebook Applications because most people don’t understand why their Email Spam seems to know specific personal details.


Did you know when your friend allows an application, they give away all your information too?

When you sign up for Facebook all these boxes are checked as the default setting. That means if your friend allows an application, all the information you may have set to "Friends Only" is made available. Click Here to change your settings. (Update 12/9: Facebook has made some changes do don't be surprised if this page looks a little different)

Facebook has been slow to react to customer concerns but recently announced new privacy options. It’s still up to the individual user to check out their rights and options to protect themselves. If you’re a Facebook user please click here to read how you can update your privacy settings.

Updated 12/9
Facebook has updated their privacy options. Here's the replacement for the screen allowing you to restrict information shared by your friends.

Facebook Simplifies Sharing your Personal Info