Wrangling your Facebook privacy settings—fine-tuning what data friends, advertisers, and apps can access—is a slog. The menus are labyrinthine, the wording obtuse. And it turns out that one of them is completely pointless. In fact, it hasn’t worked in years.
To be clear: This is not a case of Facebook sneaking one past you, at least not the way you might think. These settings no longer work because Facebook no longer allows the kind of data harvesting they control; in fact, these checks address the very data oversharing that let quiz developer Aleksander Kogan turn 270,000 installs into a menagerie of 50 million users, which he then illicitly passed along to political data firm Cambridge Analytica.
But the fact that Facebook never bothered to update that critical corner of its privacy settings, years after those changes went into effect, is downright baffling—and speaks to a general a lack of seriousness in the company’s attitude toward data transparency.
The setting in question is Apps Others Use, which you can find by signing onto Facebook, clicking the downward arrow in the upper right corner, then Settings, then Apps. (See? Labyrinth.)
Click Edit, and Facebook greets you with a list of informational categories about yourself that, a not-so-helpful description reads, your Facebook friends can “can bring with them when they use apps, games and websites.”
In truth, your friends weren’t bringing your information with them so much as developers were spring-boarding off of them to get to you. The data categories include your birthday, your activities, if you’re online, and posts on your timeline. The check-boxes number 13 in and all, with an additional three—friend list, gender, and the very broad “info you’ve made public”—that you can't opt out of.
This is precisely how Facebook used to work. If you downloaded an app, you granted the developer of that app access to scads of information about all of your friends, presumably unbeknownst to either of you, unless you happened to be a close reader of buried preference menus.
It’s not, though, how Facebook has worked since 2014, when it shut off that spigot. Developers haven’t been able to raid someone’s friend list in years—unless both friends have downloaded the same app—despite what that particular setting would have you believe. After the publication of this article, Facebook did identify one edge case in which the setting would apply: If you have the "Posts on my timeline" option checked, an app could access a photo or video that a friend uploaded, but only if it appeared on your timeline, because you also allowed tagged photos of yourself to show up there. Everything else under that setting is useless. Facebook says that it will close that loophole, and get rid of the Apps Others Use setting altogether, as part of a larger privacy settings overhaul it announced Wednesday.1
“These controls were built before we made significant changes to how developers build apps on Facebook,” says a Facebook spokesperson. “At the time, the Apps Others Use functionality allowed people to control what information could be shared to developers. We changed our systems years ago so that people could not share friends’ information with developers unless each friend also had explicitly granted permission to the developer.”
That’s not just spin; the timing of the changes was confirmed by Gergely Biczok of Budapest University of Technology and Economics's CrySys Lab, and Iraklis Symeonidis of COSIC, KU Leuven, two researchers who have spent the last several years studying Facebook privacy. Using the Graph API explorer, which details what Facebook developers could and could not do on the platform through its various iterations, they determined that the kind of permissions Apps Others Use covers have not been available since at least Graph API v2.5, which was released in October of 2015. (It also may have been even earlier; that's just as far back as the Graph API explorer goes.)
“I can’t really make any sense of it, actually,” says Biczok, who says that the data categories in the settings pane line up essentially one-for-one with a permission called friends_XXX, which allowed developers to harvest friend data, and which Facebook says was phased out with the advent of Graph API v2.0 in 2014. “Even if I do a thought experiment and try to imagine myself into their place, it’s maybe just an error in the software development process. But it’s a long-existing one.”
Facebook fails to offer a satisfactory explanation either, although the company does say it plans to introduce improvements to settings to "reflect current practices" within weeks.
But it’s taken years, and the largest scandal in the company’s 14-year history, to even identify the problem in the first place. And it’s that negligence, rather than the specific settings, that concerns privacy advocates.
“In general it makes people think, ‘why should I grapple with these privacy settings anyway? I can’t know what actually is going on,’” says Joseph Jerome, policy counsel at the Center for Democracy & Technology. But Jerome also strikes a sympathetic tone; Facebook isn’t the only company to contend with this issue, he notes, and the act of making an effective privacy dashboard in the first place is challenging for anyone.
Still, Facebook is a multibillion dollar company with certain obligations, no matter how tricky to fulfill. “Individuals are always going to be at an information disadvantage when it comes to understanding their privacy and how Facebook uses data,” Jerome says. “The onus is on Facebook to better design their UI/UX to convey information to individuals.”
The Apps Others Use confusion also underscores just how little benefit of the doubt Facebook has earned. In 2011, the company had to sign a consent decree with the Federal Trade Commission over its deceptive privacy practices, as it had regularly opted users into giving away more data without their explicit consent. In 2014, it tested whether it could manipulate the emotions of users through changes to News Feed. In 2016, it changed encrypted chat app WhatsApp’s terms of service to allow Facebook to harvest the phone numbers and various analytics of users with accounts on both services. And just a few months ago, it automatically applied a five-year-old face-recognition preference to a suite of new uses for the feature.
Biczok and Symeonidis point also to less publicized forms of overreach. A permission called read_mailbox, if granted to an app, potentially allowed a developer to read private messages between friends—even if only one of them had installed it. That was only deprecated in Graph API v2.4, introduced more than a year after Graph API v2.0, which Facebook had identified as the solution to its developer-related data woes.
Biczok says that incident offers a stark contrast to the way Facebook responded to the user_friends debacle. “You have to be friends, install the same app, and give the user_friends permission in order for your data to show up at his side. I think that’s good enough,” says Biczok of the protections Facebook put in place in 2014. “The read_mailbox thing, that was not good enough.”
The pair note also that even today, Facebook’s data policy has holes. A developer with multiple apps, they say, could gather a different, specific set of data about a user from each; if that person installs three or four apps, the company suddenly has assembled close to a full profile, without the user granting those sweeping permissions to any single app.
Still, the good news in all of this: You can safely ignore Apps Others Use. It doesn’t do anything. Facebook really did address the issue. The bad news? It didn’t bother to let you know—a slip that's hard to imagine from a company that truly valued giving you complete control over your data.
- If you're in the market to fix your Facebook privacy settings—or delete your account altogether—here's the comprehensive guide you need
- The implicit deal you make with Facebook—their service for your data—has gone entirely out of balance
- Inside the two days that rocked Facebook, following the Cambridge Analytica revelations
1Update 3/28/18: This story has been updated to reflect belated clarification from Facebook about the single edge case in which Apps Others Use still applies.
