April 2008 - The Facebook Economy: Deficits in Data Privacy


Submitted by admin on Tue, 03/10/2009 - 02:22.

A CDD Report
By: Adam Mayle

In May 2007, Facebook launched Facebook Platform, which opened up the site to outside developers, granting them unprecedented access to its core functions and changing Facebook from a closed social network into an open business forum.[1] The calculus behind this decision was simple: in exchange for allowing developers extraordinary access to Facebook’s then twenty-six million users,[2] Facebook would become a richer social environment, attract more users and improve its “social graph,” the network of connections and relationships between its members.[3] As Facebook founder Mark Zuckerberg stated at the time, “the Facebook platform is optimized for building applications in Facebook, and with more value for people to develop on our base than we could do on our own… With this, any developer worldwide can build full applications on top of the social graph inside the Facebook Platform.”[4]

Developers were quick to seize this opportunity. Before Facebook launched the new platform, there were about 100 applications listed in Facebook’s developer directory.[5] In less than a year, the number of these “widgets,” another name for applications developed by outside developers, exploded to more than 20,000.[6]

This new “Facebook Economy” has been widely heralded as a model for online media and some commentators have even suggested that the company could be “the next Google.”[7] Whether or not Facebook achieves that level of success, the new platform has been a golden opportunity for some of the 200,000 developers active on the social network.[8] Although most of these companies are private and financial information is scant, available revenue information for some of the top-performing companies is impressive. One company, SNAP Interactive, the maker of the popular Are You Interested? application, saw its 4th quarter revenues in 2007 jump from $35,383 to $388,000, a more than ten-fold increase.[9] Slide, maker of applications Top Friends and FunWall and arguably the most successful single developer on Facebook with 4.5 million members[10] using its applications, was valued at $500 million in January 2008.[11]

Developers aren’t the only ones capitalizing on this opportunity. In recent months, numerous venture capital firms, such as Sequoia Capital and Lightspeed Ventures, have invested millions of dollars in companies with Facebook-based businesses. Dozens of social advertising networks have also cropped up, offering widget makers a variety of ways of monetizing their applications, ranging from traditional options like cost-per-click advertising to more unconventional alternatives such as video advertising and lead generation. Facebook itself has profited too. In the last year the number of its members trebled to 67 million, making it the 5th most-trafficked website in the world and the 2nd largest social networking site.[12]

But while this platform has benefited many, it raises concerns about user privacy. Because of their deep integration into Facebook, developers have extensive access to user information, but it is often unclear if, when and how they exploit this data. This situation is perpetuated by Facebook’s unwillingness to regulate the widgets that operate on the site. As a result, users often have no idea who is collecting their data, how information is obtained as one interacts with these applications and how such data – even so-called non-personally identifiable information – is subsequently used. By eschewing liability and placing the burden of responsibility on developers to police their own applications, Facebook unnecessarily exposes its users to cyber-threats like adware, malware and hackers. In many ways, Facebook has created a dynamic social network, but because of the practices that it has adopted, it needlessly places the privacy and security of its users in harm’s way.

Widget Business Models and Data Issues

Widgets come in many forms. They can be simple games, quizzes, interaction tools or more complex applications that allow users to modify their profiles, compete in fantasy sports leagues and even buy goods and services. But, regardless of their function, the developers that create them almost universally share the same two priorities. First, they try to maximize the number of people that use their widgets. Second, they attempt to leverage this user base to make money.

There are nearly as many ways to monetize a widget as there are kinds of widgets. The most common means of monetization is advertising. Applications can generate advertising revenue by serving ads from social advertising networks, like SocialMedia or Google’s AdSense, often through a cost-per-click or cost-per-action arrangement. Widgets are occasionally used for branding purposes too. Late last year, Coca Cola’s Sprite brand debuted an application called Sprite Sips that allowed users to create a customizable animated character. Similarly, energy-drink manufacturer Red Bull created a branded version of rock-scissors-paper called Roshambull.

Besides advertising and branding, some widgets sell goods and services. iLike, which has received funding from a number of companies, including Ticketmaster, sells downloads to Facebook users, charging record companies a commission for each song that they sell.[13] Other widgets are simply built to attract an audience (in the parlance of Facebook gurus, “build real estate”) and then are sold once they have a sizeable user base. Some widget makers have begun to help other developers’ widgets acquire users for a fee. A notable example of this is RockYou!, which has made deals to promote other developers’ widgets, collecting 50 cents when a user installs one of those applications based on an ad on a RockYou page.[14]

Perhaps the most complex forms of monetization are data collection and lead generation. Although Facebook’s privacy policies don’t allow personally-identifiable user data from profile pages to be sent outside of Facebook, some developers have circumvented this rule by serving surveys or giveaways that require users to disclose personal information, which is then sold to marketers and other data aggregators. Sometimes these offers are broadcast in advertisements. But they are often creatively incorporated into the widgets themselves.

For example, a widget called (fluff)Friends allows users to place a cartoon pet on their profile page, which they create and alter using credits called “munny.”[15] It is through this “munny” concept that (fluff)Friends conducts its lead generation activities, which is the process of collecting contact information for potential sales leads.[16] In order to interact with or modify one’s pet, one must use “munny.” The easiest way to get “munny” is to take marketing surveys. Although it is unclear how widespread this practice is, data gathering has been facilitated by a number of popular applications, including Food Fight!, My Aquarium, Hockey Pool Pro and Free Condoms.

Privacy and Security Concerns

This imperative for developers to monetize their applications creates a scenario that inherently puts user privacy at risk. To a certain extent, this is predictable and users should be cautious about what information they voluntarily disclose on a social network. However, decisions and policies made by Facebook have aggravated this problem, needlessly increasing the vulnerability of users’ personal data.

Facebook performs little oversight of the outside developers whose applications run on the social network. According to its Developers Terms of Service, it claims to have virtually no liability for the applications on its platform.[17] Most developers are individuals or privately owned companies, which infrequently publish information about their business relationships, revenues or, in some cases, their identities. For instance, a company called Zoosk created a dating application of the same name that had nearly 500,000 daily active users in February 2008.[18] In spite of the fact that a 500,000 user base would make Zoosk one of the top 20 applications on Facebook, there is almost no publicly available information about the company. This lack of transparency is more the rule than the exception for developers and their applications.

Similarly, it is often unclear how developers utilize the user information they have access to. Outside developers are privy to an enormous amount of user information. According to Facebook’s Platform Application Terms of Use, applications know a user’s name, profile picture, gender, birthday, location, political views, hobbies, interests, musical preferences, favorite television shows, relationship status, dating interests and even their summer plans.[19] This level of access often far exceeds what is necessary. According to a University of Virginia study, 90.7 percent of applications are given more access to user information than they need.[20]

It is not always apparent how widget makers use this information. Although Facebook maintains policies ostensibly restricting the flow of user information to third parties, it is not evident how well it polices these rules.[21] Compare People, an application with nearly 580,000 daily active users as of February 2008,[22] was the subject of controversy last year when a blogger hacked into the application and discovered that its developer, Chainn, was breaking Facebook’s Developer Terms of Service by sending user information to Google for analysis. Although it was reported that none of this information was personally-identifiable and that it was not intended for long-term retention, it was confirmed by Facebook that this was a breach of the network’s rules and Chainn has since stopped this practice.[23] However, two things are disconcerting about this incident. First, Chainn does not seem to have been penalized for this violation of user privacy. Second, as one writer put it, “if it takes a blogger to whistleblow…how many other breaches are going undetected?”[24]

The possible relationship between developers and data aggregation companies also raises concerns about user privacy. This link has been cited by a number of sources, including Jason Bailey of the online advertising network Millnic Media. During a presentation at a Facebook Developers Garage in October 2007,[25] Bailey stated that Millnic Media conducts information gathering and lead generation activities through surveys and promotions that it serves to Facebook developers. He specifically mentions that one of the buyers of this information is the online marketing company Value Click.[26] Independent research by the Center for Digital Democracy has also shown a connection between one Facebook widget, Hockey Pool Pro, and the data collector Experian, a global credit information group.[27] In February 2008, Hockey Pool Pro published a marketing survey from WinningSurveys.com, which is owned and operated by Vente, Inc., a subsidiary of Experian. In the past, the CDD has told the Federal Trade Commission that online sites need to disclose to users exactly what data is being collected, shared, sold, analyzed inc. from user actions. Users must be given the right to affirmatively agree, or opt in, to such data practices.

While this relationship between developers and data aggregators is not a violation of Facebook’s terms of use, it is nevertheless worrisome and poses a palpable risk to users’ information security. In general, marketers and data collectors have not been the best custodians of personal data. In 2004, a data aggregation company named ChoicePoint failed to prevent criminals from improperly accessing the information of 150,000 U.S. citizens.[28] This security breach resulted in at least 750 cases of identity theft.[29] In March 2008, Value Click was fined $2.9 million for sponsoring deceptive online advertisements and not sufficiently securing customers’ personal information. To date, this was the largest CAN-SPAM settlement since the law was enacted in 2003.[30]

In addition to the questions arising from developers’ use of personal data, Facebook members face threats from malware and hackers. In January 2008, it was discovered that a company called Zango was bundling adware with its application, Secret Crush, which informed users that one of their friends had a “crush” on them. The application asked users to reveal personal information, and they were eventually prompted to install a “Crush Calculator,” which is in fact Zango’s ad-serving software.[31] Although Facebook disabled Secret Crush by the end of January, Fortinet, a network security firm, stated that four percent of Facebook users had already installed the application.[32]

This incident is not an isolated case. Other bloggers and commentators have reported scattered incidents of unidentified adware distributors on Facebook.[33] This danger is so palpable that Richard Stiennon, a leading commentator on computer and network security, predicts that Facebook widgets distributing malware will be the number one emergent threat on the internet in 2008. He states that “we will see attempts to exploit Facebook through these widgets. It could be through a vulnerability in an existing application that could for instance allow the download of a malicious Trojan. Or, it could be a new application deployed to steal information or infect visitors’ computers.”[34]

Will Facebook face up to ensuring privacy protections?

Through its policies and practices, it is evident that Facebook would prefer to take a laissez-faire approach to privacy issues, enjoying the benefits of its social network while doing little to regulate it. It all but states this outright in its Developers Terms of Service, where it claims to have virtually no liability for the applications on its platform and charges outside developers with the responsibility to “accurately and adequately disclose” how they “collect, use, store, and disclose data collected from visitors, including, where applicable, that third parties (including advertisers) may serve content and/or advertisements and collect information directly from visitors.”[35]

Recently, public concern about the security of user information has compelled Facebook to become more responsive to privacy issues. Last year, the company revised its Beacon initiative, a controversial online ad system that collected information about Facebook member activities on third party sites in order to facilitate targeted advertising. In March 2008, the company introduced new privacy controls that gave users the ability to create and manage lists of friends that are granted different levels of access to personal information.[36]

Despite these gestures, Facebook has not done enough. Before a widespread public outcry against the Beacon system, which included a major campaign by MoveOn.org and the petition of almost 70,000 Facebook users,[37] the company showed little regard for user privacy. Similarly, its new user controls are inadequate. Less than a week after these privacy settings were instituted, The Associated Press reported that a Canadian computer technician had successfully circumvented them and accessed restricted personal data.[38]

Facebook must do more to guarantee the security and privacy of its members’ information. First, it should ensure that developers comply with basic standards of disclosure about who they are, what user information they collect and how they use it. It should be necessary for users to give permission to each application to collect information, once they are told what data is collected and how it is used. Furthermore, Facebook should actively police the network, identifying malicious or other vulnerable widgets that could compromise information security on the site.

Second, Facebook should make access to user information by applications contingent on a need-to-know basis. Most applications don’t require direct access to user data. In many cases, having the ability to access this data puts Facebook users at unnecessary risk. A possible solution to this problem could be a “privacy-by-proxy” system, a data-hiding scheme proposed by researchers at the University of Virginia. These researchers have suggested that developers be given fake "placeholder" data instead of real user information. They state that “this is possible because Facebook has control over the output of applications. When the fake placeholder data is displayed by the application, Facebook can turn it back into the real information for the viewer to see it correctly. Users can be made anonymous with this scheme and third party developers never get to see user information.”[39]
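The placeholder substitution described above can be sketched as a platform-side proxy. This is an added example, not code from the report or from the University of Virginia researchers. The placeholder syntax, the per-application token derivation, the friend-based viewer check and all sample data are assumptions made for illustration, and the viewer check goes beyond the scheme as the report describes it.

```python
import hashlib
import hmac
import html
import re

# Constructed sample data: real profiles exist only on the platform side.
PROFILES = {
    "u1": {"name": "Alice Example", "birthday": "1985-02-11"},
    "u2": {"name": "Bob Sample", "birthday": "1990-07-30"},
}
FRIENDS = {("u1", "u2"), ("u2", "u1")}  # hypothetical friendship edges
# Hypothetical placeholder syntax: [[pbp:<field>:<token>]]
TOKEN_RE = re.compile(r"\[\[pbp:([a-z_]+):([0-9a-f]{16})\]\]")


class PrivacyProxy:
    """Platform-side proxy: applications handle opaque placeholders only."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._tokens = {}  # (app_id, token) -> user_id

    def placeholder(self, app_id: str, user_id: str, field: str) -> str:
        # Per-application pseudonym, so two applications cannot join their
        # records on the same user by comparing tokens.
        msg = f"{app_id}|{user_id}".encode()
        token = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:16]
        self._tokens[(app_id, token)] = user_id
        return f"[[pbp:{field}:{token}]]"

    def render(self, app_id: str, viewer_id: str, app_output: str) -> str:
        """Swap placeholders for real values in what the viewer is shown."""
        def substitute(match):
            field, token = match.group(1), match.group(2)
            owner = self._tokens.get((app_id, token))
            if owner is None:
                return "[unknown user]"  # forged or another app's token
            if viewer_id != owner and (viewer_id, owner) not in FRIENDS:
                return "[hidden]"  # viewer may not see this profile
            value = PROFILES[owner].get(field)
            # Escape so profile text cannot inject markup into the page.
            return html.escape(value) if value is not None else "[hidden]"
        return TOKEN_RE.sub(substitute, app_output)


def demo():
    proxy = PrivacyProxy(secret=b"constructed-demo-key")
    # The third-party application only ever receives and stores this string.
    name = proxy.placeholder("quiz_app", "u1", "name")
    app_output = f"<p>{name} scored 9/10!</p>"
    return {
        "seen_by_app": app_output,
        "friend_view": proxy.render("quiz_app", "u2", app_output),
        "stranger_view": proxy.render("quiz_app", "u3", app_output),
        "other_app_view": proxy.render("other_app", "u2", app_output),
    }
```
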

Third, there should be an investigation by the FTC and state attorneys general into the link between Facebook applications and data collectors. Although lead generation is a legal business activity, Facebook members should be aware of how their personal information is being used and who is storing it for what purposes.

By opening itself up to outside developers, Facebook is a rich and dynamic social network that is in many ways valued by its users. The 67 million Facebook members are plain evidence of this fact. However, this vibrant online community also represents a threat to its users’ privacy. Facebook can and should do more to ensure privacy and the security of their personal information.

Adam Mayle is a freelance writer based in the Northeastern United States.


[1] http://www.techcrunch.com/2007/05/24/facebook-launches-facebook-platform-they-are-the-anti-myspace/

[2] http://www.techcrunch.com/2007/07/06/facebook-users-up-89-over-last-year-demographic-shift/

[3] http://www.techcrunch.com/2007/05/24/facebook-launches-facebook-platform-they-are-the-anti-myspace/

[4] http://blogs.zdnet.com/BTL/?p=5156

[5] http://mashable.com/2007/05/02/10-awesome-things-built-on-the-facebook-api/

[6] http://www.adonomics.com

[7] http://publishing2.com/2007/05/25/facebook-platform-could-be-a-google-like-market-driven-growth-engine/

[8] http://www.adonomics.com

[9] http://investing.businessweek.com/research/stocks/snapshot/snapshot.asp?capId=11790940

[10] http://adonomics.com/company/Slide

[11] http://www.businessweek.com/technology/content/jan2008/tc20080118_811726.htm?chan=technology_technology+index+page_top+stories

[12] http://www.facebook.com/press/info.php?statistics

[13] http://www.techcrunch.com/2006/12/19/scoop-ticketmaster-poors-133-million-into-ilike/

[14] http://www.businessweek.com/print/technology/content/jan2008/tc2008017_785524.htm

[15] http://money.cnn.com/2007/08/22/technology/facebook_economy.biz2/index.htm

[16] http://en.mimi.hu/marketingweb/lead_generation.html

[17] http://developers.facebook.com/terms.php (cited: April 1, 2008).

[18] http://adonomics.com/about/6953377468

[19] http://developers.facebook.com/user_terms.php

[20] http://www.cs.virginia.edu/felt/privacy/

[21] http://developers.facebook.com/terms.php

[22] http://adonomics.com/about/2433486906

[23] http://venturebeat.com/2007/11/15/more-about-the-google-ads-that-run-inside-facebook/

[24] http://venturebeat.com/2007/11/16/google-confirms-adsense-ads-security-problems-with-facebook-applications/

[25] http://www.youtube.com/watch?v=MIztj_2DcRs&feature=related

[26] http://www.youtube.com/watch?v=t6vjKo6Lzg4 (Around minute 7:00)

[27] See Millnic Media appendix

[28] http://money.cnn.com/2005/02/28/pf/saving/willis_tips/

[29] http://www.news.com/Break-in-costs-ChoicePoint-millions/2100-7350_3-5797213.html

[30] http://www.pcmag.com/article2/0,2704,2277079,00.asp

[31] http://www.webpronews.com/topnews/2008/01/04/zangos-got-a-secret-crush-on-facebook

[32] http://www.theregister.co.uk/2008/01/08/facebook_blocks_secret_crush/

[33] http://www.scmagazineus.com/Ads-on-Facebook-serve-up-adware/article/35672/;
http://explabs.blogspot.com/2007_09_01_archive.html

[34] http://blogs.zdnet.com/threatchaos/?p=496

[35] http://developers.facebook.com/terms.php

[36] http://www.washingtonpost.com/wp-dyn/content/article/2008/03/18/AR2008031801983_pf.html

[37] http://www.commondreams.org/archive/2007/12/06/5640/

[38] http://news.yahoo.com/s/ap/20080325/ap_on_hi_te/facebook_public_photos

[39] http://www.cs.virginia.edu/felt/privacy/
