Role of Apps in Undoing of Privacy Policies on Facebook

  • Vishwas T. Patil
  • Nivia Jatain
  • R. K. Shyamasundar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10980)


Facebook allows its users to specify privacy settings for the information they share with other users and Apps. Apps seek a set of permissions from the user at the time of installation. No check is performed to evaluate any possible adverse implications of an App’s permissions on the in-force privacy settings of a user. In this paper, we have investigated Facebook’s platform for access to users’ data by Apps and Advertisers. By signing up with Facebook, users implicitly trust the platform, which they believe can be held accountable in case of a breach. However, a similar expectation of accountability from Apps is hard to imagine and difficult to ensure. At times, Apps have as much access to user data as Facebook, and such common access to user data undermines the provenance of data leakage. Although Facebook has recently reduced the extent of data access for Apps by deprecating certain APIs, a systematic design approach is missing for platform-wide access policy specification and conformance. We have presented several scenarios where App permissions violate user privacy policies. Our findings have been presented with the help of experiments using the Facebook Developer Platform.


Keywords: Social network, Privacy, Linkability



This work is carried out as part of research at ISRDC (Information Security Research and Development Center), supported by Ministry of Electronics and Information Technology, Govt. of India (15DEITY00-004). The authors would like to thank Anshu S. Anand, Abhishek Behra, Ankush Dubey for their participation in discussions and experiments.



Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  • Vishwas T. Patil (1)
  • Nivia Jatain (1)
  • R. K. Shyamasundar (1)
  1. Information Security R&D Center, Department of Computer Science and Engineering, Indian Institute of Technology Bombay, Mumbai, India
