Facebook gives your home address to developers

Want to access a third-party app? Be prepared to share -- or not play.

Your home address and phone number are now part of the information dump third-party developers can obtain through Facebook-powered Website logins and applications.

A new policy lets you authorize applications such as Facebook games and quizzes, and Websites that you log into with your Facebook ID access some of your most personal Facebook data. Facebook announced the changes in a developer blog post on Friday.

How They Can Get Your Number

Whenever you start using a new Facebook application such as Farmville, a pop-up window appears showing you the details from your Facebook profile the application wants to access.

Now, under the heading "Access my contact information," developers can ask for your home address and mobile phone number if you've included this information in your profile. This pop-up window also appears when you use your Facebook ID to log into a third-party website such as PCWorld.com for the first time.

In Facebook's Friday blog post explaining the expanded permissions, Facebook said users have to explicitly allow access to their address and phone number. The problem is, Facebook's permissions dialog only gives you two choices: hand over your address or don't use the product or service you want to access.

That's really no choice at all. It would be one thing if Facebook gave you the power to deny a developer access to your address and still use the application or Website. But instead, Facebook has given ultimate power to developers who can decide whether to demand your address and phone number.

Questioned about this apparent discrepancy, Facebook responded with a statement: "On Facebook you have absolute control over what information you share, who you share it with and when you want to remove it. Developers can now request permission to access a person's address and mobile phone number to make applications built on Facebook more useful and efficient. You need to explicitly choose to share your data before any app or website can access it and no private information is shared without your permission. As an additional step for this new feature, you're not able to share your friends' address or mobile information."

Disaster Waiting To Happen?

Marc Rotenberg, president of the Electronic Privacy Information Center, challenges Facebook's approach.

"Facebook is trying to blur the line between public and private information. And the request for permission does not make clear to the user why the information is needed or how it will be used," he says in a statement.

"This is all part of the FTC's failure to act on the original EPIC complaint concerning the changes in Facebook privacy setting. EPIC explained to the FTC that self-regulation requires the FTC to investigate companies when they change their practices. The FTC doesn't need any new laws and they don't need to issue any reports. They simply need to do a better job protecting user privacy."

The big question is whether Facebook's decision to open up your home address and mobile phone number will result in serious or even dangerous breaches of privacy. Security firm Sophos says in a blog post that Facebook's new policy could encourage rogue applications to collect mobile phone numbers for targeted spam SMS messages or to sell data to marketing companies. Sophos also says the ability to access a users' home address will "open up more opportunities for identity theft."

Previous Problems

In 2010, Facebook users fell prey to numerous scams and malware attacks such as clickjacking, the Ikea gift card scam, dislike button scam, the Russian hacker who claimed he was selling 1.5 million Facebook user login credentials, Boonana malware, malicious ads found in a Facebook application and likejacking, to name just a few. The idea that malicious applications in 2011 could get access to some of your most personal information is unsettling, to say the least.

Facebook did not specify why the company is opening up some of the most personal user data to developers. One possibility is that handing over your home address will make it easier and faster to fill out Website membership forms. While this may be a convenient way to sign up for a new service, it is not as obvious what kind of data you are handing over compared to manually filling out a Web form or using a security program such as Lastpass to fill out the form for you.

What You Can Do

If you are concerned about revealing your home address and phone number, the first thing you should do is verify whether Facebook has this information. After logging in to Facebook click on "Profile" on the upper right side of your News Feed. Then click on the "Edit My Profile" button at the top right of your profile page. Next, click on "Contact Information" in the left hand column, and check to see whether you've included your home address and mobile phone number. You can then edit this information as you see fit.

At the least, however, Facebook's timing of its latest amendment to its privacy procedures is questionable.

Facebook was recently gaining a measure of respect for giving users more control over their data with new features such as the data export tool and a privacy control dashboard. But the company appears to have taken a gigantic leap backward with Saturday's announcement. In fact, Facebook's decision to release this information on the Friday before a long weekend is also a questionable move. With most people going about their weekend, many were unlikely to notice the policy changes -- a fact Facebook was probably well aware of when it planned its announcement.

Connect with Ian Paul (@ianpaul) and Today@PCWorld on Twitter for the latest tech news and analysis.

Join the CSO newsletter!

Error: Please check your email address.

Tags online securityInternet-based applications and servicesonline privacysocial mediainternetFacebook

More about Electronic Privacy Information CenterFacebookFTCIkeaSophos

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ian Paul

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place