Ever downloaded an app through Facebook? Time to check your privacy settings.
Reports that the political research firm Cambridge Analytica obtained the personal data of 50 million-plus Facebook users through a personality-quiz app should have anybody on the social network uneasy over the third parties they’ve let into their account.
Facebook allows apps to access much of users' profile information but has tightened up some controls. For instance, it prevents apps from seeing the personal data of people in your friends list. That was the giant loophole the British researcher legitimately used to access data that the researcher then allegedly sold to Cambridge Analytica, against Facebook's rules, a misuse the social network knew about three years ago.
An app can ask for access to anything in your profile (and can declare some of that information “required”), and you have to decide if you trust it with that data and if you trust the developer to delete your information should you later remove the app.
Apps used to be a big deal on Facebook, leading to the huge popularity of Farmville and Words with Friends. That means that even if you haven't downloaded a Facebook app, you may already have given an app developer leeway to access your details.
Once you add an app to your Facebook profile or use your Facebook account to log into another site, it’s easy to forget the exposure you incurred and with whom you did business. Both things — the “what” of an app or site’s access to your data and the “who” of that outside company — matter.
You can check both in a desktop browser or Facebook’s mobile apps.
In a browser, click or tap the downward-facing triangle at the top right, then select “Settings” then “Apps.”
In Android, tap the three-line button at the top right, select “Account settings,” then “Apps.”
In iOS, that button is at bottom right, after which you tap “Settings,” “Account Settings” then “Apps.”
In either mobile app, tap a “Logged in with Facebook” banner.
You’ll now see a list of apps and sites, grouped by who on Facebook can see you use them — everyone, friends only, a custom setting or only you.
At a minimum, they all get what any stranger logged into Facebook would: “your name, profile picture, cover photo, gender, networks, username, and user ID.”
Things after that depend on what the app or site asked and what you allowed.
For example, in my account it showed that the Amex Offers app had access to my friends list, Likes and current city. I turned off friends-list and Likes sharing but let the city setting stand: American Express already knows where I live. The reading app Flipboard, however, only had access to my public profile.
To evict an app, click or tap the “X” next to its name. If you don’t recognize it, bring up its details and then click or tap “App Privacy Policy.”
Login with Facebook?
When you add an app or use Facebook to sign up at a different site, you should see a Facebook dialog explaining your data exposure, some of which you can decline.
For instance, using Facebook to log into the Guardian — the British newspaper that, with The New York Times, first reported the extent of the Cambridge Analytica data heist — yields a notice that the Guardian will see your public profile and email address.
That Facebook dialog lets you hide your email, although the Guardian’s own site will then ask you to provide it anyway.
(USA TODAY also lets readers sign up via Facebook, subject to sharing public profiles; in addition, this site employs Facebook’s comments system.)
What happened before the election?
This entire system assumes that an app developer will tell the truth, which did not happen in the Cambridge Analytica case.
As Facebook explained in a Friday night post announcing that British company’s suspension, the “thisisyourdigitallife” app created by University of Cambridge psychology professor Aleksandr Kogan purported to be an academic research exercise.
But Kogan then gave Cambridge the data coughed up by some 270,000 people in 2013 — including details about their Facebook friends, an option that Facebook ended in 2014 and which allowed that app’s reach to hit that 50 million figure.
After this clear violation of Facebook’s rules (“Don't sell, license, or purchase any data obtained from us or our services”), Cambridge used that information to construct an ad-targeting operation used by President Trump’s 2016 campaign, according to The New York Times report.
Cambridge Analytica has said it fully complied with Facebook's terms of service, while the Trump campaign denied using voter data from Cambridge Analytica. Kogan hasn't responded to USA TODAY requests for comment.
Facebook’s post added that it now reviews apps seeking “detailed user information.” In a statement forwarded by Facebook's corporate communications, vice president for global operations Justin Osofsky said, “We actually reject a significant number of apps through this process.”
Facebook did not, however, say if it had individually notified users of Kogan’s app about this treachery. The company does not have a policy requiring any such notification of what it does not consider a data breach. After all, you allowed the app in the first place.
In this case, the social network is leaving you on your own.