Role of Apps in Undoing of Privacy Policies on Facebook

Facebook allows its users to specify privacy settings for the information they share with other users and Apps. Apps seek a set of permissions from the user at the time of installation. There is no check that is performed to evaluate any possible adverse implications of App’s permissions on the in-force privacy settings of an user. In this paper, we have investigated Facebook’s platform for access to users’ data by Apps and Advertisers. By signing up with Facebook, users implicitly trust the platform, which they believe can be held accountable in case of a breach. However, similar expectation of accountability from Apps is hard to imagine and difficult to ensure. At times, Apps have as much access to user data as Facebook and such a common access to user data undermines provenance of data leakage. Recently, though Facebook has reduced the extent of data access for Apps by deprecating certain APIs, a systematic design approach is missing for platform-wide access policy specification and conformance. We have presented several scenarios where App permissions are violating user privacy policies. Our findings have been presented with the help of experiments using Facebook Developer Platform.

[1]  Arnold Roosendaal,et al.  We Are All Connected to Facebook ... by Facebook! , 2012, European Data Protection.

[2]  Henry M. Levy,et al.  Capability-Based Computer Systems , 1984 .

[3]  Eric Gilbert,et al.  Predicting tie strength with social media , 2009, CHI.

[4]  M. Kosinski,et al.  Computer-based personality judgments are more accurate than those made by humans , 2015, Proceedings of the National Academy of Sciences.

[5]  M. Kosinski,et al.  Psychological targeting as an effective approach to digital mass persuasion , 2017, Proceedings of the National Academy of Sciences.

[6]  R. K. Shyamasundar,et al.  Undoing of Privacy Policies on Facebook , 2017, DBSec.

[7]  Vitaly Shmatikov,et al.  πBox: A Platform for Privacy-Preserving Apps , 2013 .

[8]  Ari Juels,et al.  Targeted Advertising ... And Privacy Too , 2001, CT-RSA.

[9]  R. K. Shyamasundar,et al.  Privacy as a Currency: Un-regulated? , 2017, SECRYPT.

[10]  Danah Boyd,et al.  Social Network Sites: Definition, History, and Scholarship , 2007, J. Comput. Mediat. Commun..

[11]  S. Gosling,et al.  Facebook as a research tool for the social sciences: Opportunities, challenges, ethical considerations, and practical guidelines. , 2015, The American psychologist.

[12]  Jennifer Neville,et al.  Using Transactional Information to Predict Link Strength in Online Social Networks , 2009, ICWSM.

[13]  Philip W. L. Fong,et al.  A Privacy Preservation Model for Facebook-Style Social Network Systems , 2009, ESORICS.

[14]  Dawn Xiaodong Song,et al.  Preserving Link Privacy in Social Network Based Systems , 2012, NDSS.

[15]  C.-C. Jay Kuo,et al.  Security and privacy in online social networks: A survey , 2011, 2011 IEEE International Conference on Multimedia and Expo.

[16]  Hui Ding,et al.  TAO: Facebook's Distributed Data Store for the Social Graph , 2013, USENIX Annual Technical Conference.