Facebook Inbox Privacy and Security

Facebook Privacy

Any privacy you thought you had on Facebook went away in August 2009. Facebook unveiled what they term an Inbox API (Application Programming Interface) for their developers. This is basically a framework that allows applications to access and utilize information in your Facebook inbox. The idea is that Facebook apps would be able to utilize this information to do things like pop up a message on your desktop when you've received new mail in your Facebook inbox, or receive messages directly.

Just how safe is this API? Should you be concerned about your Facebook inbox privacy? Do prying eyes have access to your Facebook inbox and if so, what does it mean for your security? According to Facebook, the applications can only access your inbox if you've granted them "an extended permission". But, how many times have you logged into Facebook only to be greeted with a new privacy announcement? Or maybe you've had some random application you signed up for send you an email or post on your wall and you were surprised that they did?

The Personal Information Market vs. Privacy Concerns

With the growing value of the personal information market (i.e., the growing value of your personal data), the balance between businesses leveraging their opportunities to use your data for profit and the need to protect it to satisfy your privacy concerns remains a shaky one. Facebook, along with most other online businesses, stands to make a killing by giving businesses access to your personal information - which they can then use for targeted marketing initiatives. The increased relevance of advertising based on personal data usually results in much higher conversion and sales figures. Just look at how Google has been monetizing its AdWords/AdSense programs (AdSense "senses" the content on a page and uses it to deliver highly targeted ads).

Facebook Privacy - Does it Exist?

While Facebook is constantly under pressure from Washington to keep your personal data secure and away from prying eyes, there will always be the profit incentive. For this reason, you'll probably see Facebook only do the absolute minimum to protect your information.

The Facebook Inbox API

The access that developers of Facebook apps have to your inbox is only the beginning, but your inbox potentially contains some of the most sensitive information in your account. On the Facebook Inbox API page for developers, they wrote:

To access information about a user's Inbox, you'll query any of three new FQL tables:

  • mailbox_folder: This table gives you information about a user's folders; currently all users have three folders: Messages (inbox), Sent (outbox), and Updates.
  • thread: This table gives you information about specific threads. For example, you can get information about recipients of a thread, whether a group or event sent the thread, when it was last updated, the subject, whether it is currently unread, and more.
  • message: This table allows you to get information about each message in a thread. You can get information about who wrote the message, the content of the message and also information about the attachment to the message, if it exists, in the same format as attachments are returned in the stream.

As you can see, the framework for accessing your inbox content is in place. While recent privacy reform measures have reduced the access developers have to your inbox, the capability is still there. Which leads us to our conclusion:

Don't Post Any Sensitive Information on Facebook

Or anywhere online for that matter. No matter how tightly controlled an online service's privacy policy may be, your personal information will never be 100% safe from prying eyes. Facebook is a great service that helps you connect with your friends and colleagues, and we are thankful for all the hard work that's gone into it. But we are also increasingly weary of the growing privacy concerns that are being raised, not the least of which is the access apps may have to your inbox.

In our opinion, a perfect Facebook would default to not allowing access to any of your information, and you would carefully choose who and what can access which information, and when. Right now, it's the other way around - Facebook grants access by default, and waits for you to adjust a setting (which is somewhat difficult to find) that will prevent access.

We can only hope that by making our privacy concerns heard, we can help make Facebook more secure, and thereby in the long run make it a more viable service for all, and ultimately, help it survive (just look at the thousands of people who have quit Facebook as a result of its privacy issues).

Facebook Apps and Privacy

What's going on? Besides the inbox API, is there any other proof that Facebook is selling its users' personal data gathered by any of its other features?

As most readers are probably well aware, Facebook has engaged in a record-setting IPO, which has made Mr. Zuckerberg and other company insiders very wealthy once again. Looking at the documents that the company filed during the buildup to this IPO is very instructive in terms of what exactly Facebook plans on doing with its members' personal information. Indeed, these were also some of the first revelations that show exactly how the company is making money.

Is Facebook Selling Users?

According to their year-end financial summary, the company had 1.23 billion monthly active users at the end of 2013. From this user base, they generated about $7.87 billion in revenue, which equates to a bit over $6 per user. The vast majority of this number comes from selling your information to advertisers. These advertisers then turn around and try to sell you things that they think you want, based on the data they were provided from Facebook.

Are We Walking Billboards?

Once the company goes public, things will certainly not improve for users. Then, the whole goal will be how they can improve value for their shareholders. In other words, they will be continually trying new things to earn more than those $6 per user. Turning everything that a user does on the site into a sponsorship will do this. Everything that a user likes, suggests or shares with others is going to be packaged and sold. Anyone who is a friend is going to be approached to buy things that their friends like (on the theory that both share similar interests). People who are common friends of several others will be pitched things on the basis of the unwitting recommendation of others.

Facebook Apps and Privacy

Another area where privacy concerns are rampant is that of Facebook apps. It is true that the site requires these applications to ask a user for permission before accessing their personal information. The problem is that the apps usually are also able to access the information of their friends. Of course, the friends do not need to be notified by the app.

There are also incidents which show that, from time to time, Facebook itself might not be very alert about following its own policies. For starters, there are many applications on Facebook which allow advertisers that have not been approved by Facebook into their apps. This enables many advertisers to track their users. Many apps even appear to collect information that is not essential to their operation. This is especially true regarding quiz and game applications.

What Does Facebook Say About This?

Facebook has issued some statements to try to counter many of these claims. Take this one for example: "We're focused on helping people make informed decisions about the apps they choose to use. App developers agree to our policies when they register. If we find an app has violated our policies—through our automated systems, internal policy teams, or user reports—we take action." This statement, delivered by a Facebook spokesman, still does not really address the issues at play here. The bottom line is that many of the apps are indeed directly violating the terms of service of the site.

The Facebook site also has the following question and answer blurb (from November 2014):

Does Facebook sell my information?

No, we don't sell any of your information to anyone and we never will. You have control over how your information is shared. To learn more about the controls you have, visit Facebook Privacy Basics.

The answer to this question previously said the following in 2011:

No. You have control over how your information is shared. We do not share your personal information with people or services you don't want. We do not give advertisers access to your personal information. We do not and never will sell any of your information to anyone.

Notice the bold print that was removed from the answer.

What's The Verdict on Facebook Inbox Privacy and Security?

The thing is that many different companies and businesses are engaged in similar practices. Verizon became the first mobile phone provider in 2011 to publicly acknowledge that it is selling information gleaned from its customers directly to other businesses. Practically every company imaginable is doing this today. The moment you land on one of the Facebook trusted partner sites you have likely lost what little privacy you already enjoyed. Every member needs to be much more vigilant and aware of the situation.