My fourth article review for TECH621 is of an article titled Privacy Protection for Social Application Programming Interfaces (APIs). The purpose of this article is to examine the privacy risks associated with social networking APIs by presenting a privacy-by-proxy design for a privacy-preserving API, motivated by an analysis of the data needs and uses of Facebook applications. The article is based on empirical research into the popular social networking site Facebook and the third-party applications available to its users.



This research article focuses on aspects of the social networking site Facebook, in particular third-party applications and their integration into the Facebook platform itself. Social networking APIs integrate third-party content into the site and give third-party developers access to user data. These open interfaces enable popular site enhancements but pose serious privacy risks by exposing user data to third-party developers: an “installed” application receives the privileges of the profile owner and can query the API for the personal information of the user and of members of the user’s network. The information available to developers includes hometowns, dating preferences, and music tastes. According to Felt and Evans (2007), most information on most user profiles is sufficient to uniquely identify their owners, even with the name removed. This loss of privacy directly impacts users. It is also of concern to social networking site operators: if advertisers can independently identify “desirable” users, the importance of the social networking site as intermediary diminishes. The research covers 150 popular Facebook applications available to users. It found that all applications could maintain their functionality with a limited user interface and access only to anonymized social graphs and placeholders for user data.



The method used in this research involves user surveys of the most popular 150 Facebook applications (as of 22 Oct 2007) to determine their information requirements and behaviors. Individuals in the survey had each application installed on their account with minimum information filled out. If an application requested more data, broke, or required the interaction of multiple users, it was installed on a fully filled-out second account to observe the difference.



The results of this empirical research found that third-party applications do not need the extensive personal information that is available to them. Although two-thirds of applications depend on public friend data, far fewer require access to private data. Public data refer to information used publicly for identification or searching. Below is a summary of the findings.


Information Used        Applications

None                    13 (8.7%)

Public: Yours           133 (88.7%)
Public: Friends         99 (66.0%)
Public: Strangers       51 (34.0%)
Public: Any             133 (88.7%)

Private: Yours          12 (8.0%)
Private: Friends        10 (6.7%)
Private: Strangers      7 (4.6%)
Private: Any            14 (9.3%)

It was discovered that only 14 of the 150 applications required personal information, with 90% of the applications having access to personal information that is unnecessary for the application to function properly. This is staggering! Ninety-four percent of the applications have information and do nothing more than display it.

To test the design, a mock Facebook account was then set up under the name “Anne”, who was given 500 friends and 750 contact list members. Additionally, there were 249 strangers. The database maintained tables for user data, friend lists, and contact lists, all of which were filled with pieces of fake data. Anne’s profile contains a third-party gadget (modeled with an application running on the same server) that requests Anne’s friend and contact lists, and it has access to the remaining stranger IDs as if they were other application users. The third-party application iterates through the friend, contact, and stranger lists, requesting their names, networks, and hometowns using fake markup tags. For each tag that is matched, the ID is compared to the contact and friend lists for a permissions check. If permissions are satisfied, the data is retrieved from the database. The average time for a permissions failure is 2.3 milliseconds, and the average total time for a successful data lookup is 3.6 milliseconds.
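A small sketch of the tag-substitution step described above, added here as an illustration and not taken from the article or from Facebook's code. The `<pp:...>` tag syntax, the `[hidden]` marker, the user IDs and all profile values are constructed assumptions, as is the rule that a viewer may always see their own data.

```python
import html
import re

# Constructed sample data (not from the article): viewer u1 with one friend,
# one contact, and one stranger.
USERS = {
    "u1": {"name": "Anne", "network": "Network A", "hometown": "Town A"},
    "u2": {"name": "Friend <b>One</b>", "network": "Network A", "hometown": "Town B"},
    "u3": {"name": "Contact One", "network": "Network B", "hometown": "Town C"},
    "u4": {"name": "Stranger One", "network": "Network C", "hometown": "Town D"},
}
FRIENDS = {"u1": {"u2"}}
CONTACTS = {"u1": {"u3"}}

# Hypothetical placeholder tag, e.g. <pp:name uid="u2"/>
TAG = re.compile(r'<pp:(name|network|hometown) uid="([^"]*)"\s*/>')
HIDDEN = "[hidden]"

def allowed(viewer, uid):
    """Permissions check: the viewer may see self, friends, and contacts."""
    return (uid == viewer or uid in FRIENDS.get(viewer, set())
            or uid in CONTACTS.get(viewer, set()))

def third_party_app(ids):
    """Application side: it holds only IDs and emits tags, never user data."""
    return "\n".join(
        f'<li><pp:name uid="{i}"/> from <pp:hometown uid="{i}"/></li>' for i in ids)

def render(viewer, app_markup):
    """Platform side: substitute each tag only after the permissions check."""
    def substitute(match):
        field, uid = match.groups()
        value = USERS.get(uid, {}).get(field)
        if value is None or not allowed(viewer, uid):
            return HIDDEN  # same output for denied and unknown IDs
        return html.escape(value)  # profile text must not become markup
    return TAG.sub(substitute, app_markup)

if __name__ == "__main__":
    print(render("u1", third_party_app(["u2", "u3", "u4", "u9"])))
```

The application's output contains only IDs and tags; the personal data appears only in the page the platform renders for the viewer.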



In conclusion, as social networking sites grow in popularity, and with them the affinity users have for communicating with other users through these social portals, the use of third-party APIs will continue to grow. Because of the potential for profit from user activity, other social networking sites have begun to integrate third-party APIs into their application environments. The host social platform cannot enforce its privacy policies on the third-party developer, which creates a breeding ground for malicious code and privacy breaches.