Setting Permissions for Facebook Apps

Many websites are starting to use Facebook logins to register you for the site, a feature called Facebook Connect. Which is something I quite like, for two reasons. Firstly it makes my life easier as I don’t have to go through a registration process and remember my login and password for every site, secondly it removes anonymity so people are responsible for their interactions and can’t leave nasty comments and hide behind a fake email address (I think this is important for the future of the internet, but I’ll write a separate post on it).

However, when you register for a website using Facebook Connect, the website asks you to approve certain permissions. Not many people pay attention to these permission requests. They should, as these permissions can give the website the ability to use and abuse your private information and more than that.

To give you an example, I have recently noticed applications/websites asking for permission to write to my wall. Now some applications need that permission, for instance Twitter for Facebook which takes my tweets from my Twitter account and posts them as status updates on my wall. But unless the app is specifically meant to be writing on your wall, why would it need that permission.

This happened to me yesterday, I registered for a site with Facebook Connect and was surprised to see it wanted permission to write on my wall. I approved the permissions and next minute there was a status update on my Facebook says “I’ve joined this website, you should too, it’s so awesome” or something along those lines. Now I don’t know how you feel about that, but I don’t like it. It’s intrusive and abusive of my trust. I haven’t even used the site yet, I don’t know whether it’s any good but it’s already telling all my friends that I love it. That is not acceptable.

So I decided to do some digging and see if I have control over these permissions. The first thing I did was delete that status update by clicking the cross in the upper right corner of the status update itself. It also gave me the option to revoke the permission to write to my wall for that app, which I did.

Then I went to my application settings in Facebook to see what other apps were installed and what permissions they had. I was shocked at what I found and decided to write this post to warn everyone.

To get to application settings, in Facebook go to the account menu at the top right of the page. Select privacy settings, then at the bottom of that page select edit your settings under apps and websites.

Then click the edit settings button for Apps You Use. You will then be at the permission editing screen which looks like this:

The first thing I noticed was that there were many more apps/website than I expected. Some I didn’t even remember ever using. Some I had used once a long time ago. So the first thing I did was remove the ones I knew had no business having access to my Facebook. To remove any of the apps/websites, just click the cross to the right of the Edit settings button for the relevant app.

Then I clicked Edit settings for the remaining apps to see what permissions they had. I was quite shocked to find how many permissions some of them had, and for no good reason.

Here’s a sample of one of the apps, Klout. Klout is a service which determines your influence in social media circles but looking at your Twitter account and how many people follow you, how often you engage with them etc. It also gleans information from your Facebook account to paint an accurate picture of your online klout.

Every application will need the Access My Basic Information permission, and some apps need only that. You will see that some of the permissions say Required and others have the option to Remove. The latter are voluntary permissions which are not necessary for the app to be able to fulfil it’s function. So technically you could remove any that have that option.

At first I was confused by why Klout would need access to my photos and videos, then I realised it is looking to see how many photos I am tagged in, etc. Which would be an indicator of popularity. So I’m happy with the required permissions. Post to my wall is a permission I am seldom happy with. The only reason Klout would want to post to my wall is to say something like “I love Klout, you should also use it”, which I would not want. So I removed that permission. Access posts in my news feed, I also removed. I can’t see why it would need that permisssion. Access my data anytime is quite a hectic one, it means that even if you are not logged into the app/website it can still glean data from your account. Now for Klout I don’t mind, because if it’s keeps my info up to date then when I log into Klout I don’t have to wait ages for it to go and get the info again and update my profile. But many other apps have this permission when they don’t need it. So I turn it off for most apps. I assume that Access my Custom Friends List and Access My Friend Requests are also useful to Klout in seeing how many people want to befriend me at any point in time so I’ve left them.

So there you have it. I’d recommend taking the time to remove apps you don’t use or need and then double check the permissions that the remaining apps have and remove those you’re not happy with.