Chicago: Sarah Brown is unusually cautious when it comes to social networking. The college sophomore does not have a MySpace page and, while she is on Facebook, she does everything she can to keep her page as private as she can.
“I do not want to have to worry about all the different online scandals and problems,” says Brown, an education major at St. Joseph College in Connecticut. She would like to control her personal information and keep it out of the hands of identity thieves or snooping future employers. “It’s just common sense.”
It sounds like her info is locked down and airtight. But is it? Turns out, even the privacy-conscious Sarah Browns of the world freely hand over personal information to perfect strangers. They do so every time they download and install what is known as an “application,” one of thousands of mini-programs on a growing number of social networking sites that are designed by third-party developers for anything from games and sports teams to trivia quizzes and virtual gifts.
Brown, for instance, has installed applications on her Facebook page for Boston Bruins fans and another that allows her to post “bumper stickers” on her own page and those of her friends. It is a core way to communicate on social networking sites, which allow friends to create pages about themselves and post photos and details about their lives and interests.
Applications can be accessed by non-users
People often think Facebook profiles and sometimes MySpace pages, if they are set as private, are only available to friends or specific groups, such as a university, workplace, or even a city.
But that is not true if they use applications. On Facebook, for instance, an application can only be downloaded if a user checks a box allowing its developers to “know who I am and access my information,” which means everything on a profile, except contact info. Given little thought, agreeing to the terms has become a matter of routine for the nearly 70 million Facebook users worldwide who use applications to spruce up their pages and to flirt, play and bond with friends online.
News Corp.’s MySpace, which has about 117 million unique visitors each month, recently added an applications platform, giving developers access to the profiles of anyone who downloads them. Unlike Facebook, though, MySpace users don’t have to include their names on their profiles.
Third parties put contact info to multiple use
So what do these third parties do with the information? Sometimes, they use it to connect users with similar interests. Sometimes, they use it to target ads, based on demographics such as gender and age (something Facebook and MySpace also do).
Facebook and MySpace say they hold application developers to strict standards, and boot them if they don’t comply. They also point out that some information, such as e-mail addresses and phone numbers, isn’t made available.
But experts who track online security issues think there’s too much personal information flying around out there, with few guarantees that it’s safe. They also think social networkers have little understanding of where their information goes and how it is used and, as a result, have a false sense of security.
“I suspect that there is a whole lot of clicking without a lot of thinking,” says Mary Madden, a senior research specialist at the Pew Internet & American Life Project who studies privacy issues. “So much of this sharing happens in a way that users don’t see the consequences. It is kind of a big, black hole.”
Part of the risk stems from Facebook applications being created by anyone, some of them tech-related companies and others individuals with know-how. And they could be anywhere in the world, as is Jayant Agarwalla, co-founder of Facebook’s popular Scrabulous application, a takeoff on the game Scrabble.
Reached by e-mail, he says Scrabulous does use demographic information to target ads that show up as a person plays the game. But Agarwalla, who’s based in India, stresses that that information is provided in “real time” and not stored. “In my humble opinion, users have nothing to worry about,” he says.
Some would argue that it’s much like trusting an online vendor with your credit card information. Still, it is an honour system, says Adrienne Felt, a computer science major at the University of Virginia. A Facebook user herself, she decided to research the site’s applications and even created her own so she could see how it worked.
Most of the developers Felt polled said they either didn’t need or use the information available to them and, if they did, accessed it only for advertising purposes.
But, in the end, Felt says there is really nothing stopping them from matching profile information with public records. It also could be sold or stolen. And all of that could lead to serious matters such as identity theft.
Privacy models should be in place
“People seem to have this idea that, when you put something on the Internet, there should be some privacy model out there, that there is somebody out there that is enforcing good manners. But that is not true,” Felt says.
Last year, Facebook users revolted when the company started using a tool called Beacon, which tracked its users’ purchases and actions at dozens of Web sites and then broadcast the data on the pages of the users’ friends.
But many others are much less cautious, seeing the risk of social networking “as low and the reward as high,” says Patricia Sanchez Abril, an assistant professor at the University of Miami’s business school who studies privacy law.
“It is the chosen mode of communication of everyone they know. So if you are not in it, you are just not in the loop,” she says. “There is a lot of peer pressure.”
Little legal backup
What they don’t realize, she adds, is that there is little legal backup if their information is used in a way they did not intend.
“This is an area that is completely unregulated. Yes, there are contracts. But if the receiving end doesn’t abide by the contract, you’re still out of luck,” Abril says. And applications, she notes, are only one worry when it comes to online threats.
A social networker’s friends can, for instance, give access to personal information or photos in a profile. That happened to the call girl involved in the recent sex scandal with former New York Gov. Eliot Spitzer.
Researchers at Indiana University also published a study last year showing how they “scraped” information from students’ social network profiles. Posing as people’s friends, they then used the information to fool the students into providing their university ID and password on a bogus external Web site.
Whether the profile is private or not, users should limit the information they post, said Tom Jagatic, one of the researchers and now a senior information technology consultant at the Massachusetts Institute of Technology.