Design could help Facebook members limit security leaks

When Facebook members sign up for apps developed by third-party companies, they may not know that these apps are sometimes overriding their global settings on privacy preferences and information sharing, said Heng Xu, assistant professor of information sciences and technology.

“One illusion is that people think that they have set global privacy settings, so it's secure,” said Xu. “But the broken element is in the third-party applications that people use to play games and interact in different ways with each other on Facebook.”

Members who sign up for an app must agree to new terms of information disclosure that are often different from their main Facebook privacy settings when they sign up for an app, Xu said. The sign-up screen currently is a general agreement that shows information third-party developers are requesting. If the member does not agree, the member cannot use the app.

The screen designed by the researchers allows members to decide what types of information they are comfortable sharing and with whom they want to share it.

Xu, who worked with Na Wang, doctoral candidate, and Jens Grossklags, assistant professor, both of information sciences and technology, designed two alternative third-party privacy agreement screens to clearly show members what data and privacy details they agree to share with the developer.

The researchers, who presented their findings today (Dec. 4) at the Association for Computer Machinery Symposium on Computer Human Interaction for Management of Information Technology, Boston, asked a group of Facebook members to try two app sign-up page designs, a single-color scheme and one that used three colors — green, yellow and red — to designate critical information. The design also features three boxes to offer members the option to share their app activity history with all the members of their network, just specific people, or keep all of the information private.

Of the 11 participants, all said that improving the security and privacy of the sign-up pages is important. Six of the testers preferred the multiple-colored scheme to the monochromatic version.

Privacy settings allow members to determine how much information the member wants to display or share with their members of their network and Facebook. This data can include birthdate, hometown and current city, as well as pictures the members uploaded to their pages.

Members may not consider data like hometown or birthdates vital information, but Xu said that hackers can use such information to guess social security numbers.

Xu said that people may not even know that they may expose their friends' personal data if they use apps. A calendar app, for example, could allow developers to access the member's birthdate, as well as the birthdate of friends who are part of the member's network.

“Some people may know that they are allowing these companies to access their data,” Xu said. “However, they might not know that their info will be leaked through their friends, use of games and other applications on Facebook.”

According to Xu, many Facebook app developers try to make money from their games and tools by selling or sharing the data with advertisers and other companies.

“The only way to find out how the information is going to be used is to go to each app's website and review the terms of use,” Xu said. “And many people won't do that.”

The National Science Foundation supported their work.