Demo: How Apps Access User Friend Lists on Facebook
A step-up for privacy triggers an antitrust lawsuit
In August 2021, a group of app developers asked the U.S. Courts of Appeals to reconsider their antitrust lawsuit against Facebook. At the center of the contention is Facebook’s decision in 2014 to restrict app developers’ access to users’ friend lists.
The plaintiff claims that Facebook whitelists a few apps whose products do not compete against it while shutting competitor apps out of its data ecosystem. But users often see it as a positive move towards privacy: being friends with someone doesn’t give him or her control over your data.
As an experiment, I created a Facebook app to test what types of “friend data” third-party developers can see on Facebook now, and how it compared to the pre-2014 situation.
As it is impossible to fully re-create the pre-2014 situation, I found a 2013 YouTube tutorial from an official Facebook account that can help us travel back in time. Back then, after a user gave an app permission to access its friend list, the app could get every friend’s name, username, and profile picture, whether the friend uses the app or not.
Prior to 2014, the app could also pull more private information like friends’ birthdays if the user granted permission, even if friends themselves did not give express consent.
Now, in 2021, Facebook has tightened developers’ access to users’ friend information. Now third-party developers can still know how many friends a user has in total. But they can only access detailed information about friends who also installed their apps. Since none of my friends installed my test app, requesting “friend_list” from Facebook gives me an empty output. This is even after the user granted me permission to access her friends’ information.
In the next step, I installed my test app on a hypothetical test user Daniel, who has 3 Facebook friends. I then installed the app on one his friend, Betty, and obtained Daniel’s permission to share his friends’ information with me. Now requesting Daniel’s friends’ data from Facebook would only return Betty’s public information.
Accessing Betty’s private information, like her birthday, is now no longer possible if Betty does not expressly grant me, the developer of this test app, such permission. This is even after Daniel agrees to share Betty’s information with my app.
My quick demo suggests that Facebook does make user data more secure after tightening how apps access user friends’ data in 2014. But this is not to say that the class action lawsuits proposed by third-party developers have no merit at all. Instead, it points to a policy dilemma between safeguarding user privacy and maintaining a competitive marketplace with free flow of data.
Find out more stories like this at:
