Update 19/1/11 10am: Looks like Facebook have suspended this scary new feature for now.
Facebook, by now almost synonymous with online privacy woes, has made another change to its platform that has privacy experts worried.
The latest move, reported in several outlets, expands the information available to Facebook application developers. Now, users can grant applications permission to read their mobile phone number and current address. While it doesn’t appear to be retroactive, and users will have to explicitly grant access, this raises concerns because of the nature of the information itself.
There are many legitimate uses for this information. The delivery of goods, coordinating local social networks, or SMS notifications of important events of interest to the user. Allowing a user to share address and mobile phone information with a third party is not an inherently evil thing.
However, the illegitimate uses are out there as well. From Junk mail or spam SMS, to abuse by bill collectors, to exploitation by thieves and stalkers. When your other online activities can be linked to a physical address, risks arise, as we are likely to be in the habit of considering internet speech to be relatively anonymous.
What we will find is that the legitimate and illegitimate will both be present on Facebook, and it won’t be easy for users to tell the difference. Facebook apps aren’t vetted or reviewed to weed out the less reputable players, and we can be sure the dodgier operators will be working on ways to masquerade as legitimate and trick users into pressing the “allow” button. It’s reasonable to suspect that many people will be in the habit of clicking “allow”, especially if something is recommended by a friend. It’s only a matter of time before we hear tales of some unfortunate outcomes.
For this reason, we would want to err on the side of caution, and keep address and phone information more private, at least as far as applications by developers without any track record of accountability are concerned.
Once again it’s clear that commercial pressures drive a lot of Facebook’s privacy decisions. There is commercial value in highly localised services, or access to the mobile phone number of potential consumers. That explains why this change has been made, but an explanation is no substitute for warning or discussion.
Speaking practically, we have to expect Facebook to continue moves like this. In some cases they will be well within their rights to make changes; other times, it will be less defensible. But opportunities to get any sort of redress will be few and far between.
We have to remain vigilant about our privacy online, difficult as this may be. One of the big challenges of safely using a service like Facebook is the shifting landscape it presents. No matter how carefully you checked your privacy settings or reviewed the possibilities for information leakage, an announcement like this could change your risk assessment instantly. The bar for leaving is likely to be higher than joining in the first place, which is something Facebook may be counting on.