Sometimes when a big consumer technology company is caught failing to protect the privacy of its users’ personal information, it is tempting to compare it to a child caught with one hand in the cookie jar. All those personal data are so valuable, how could anyone resist an illicit dip every now and then?
The danger, if junior doesn’t learn to keep his or her hands out, is that someone in a position of authority will try to put a tighter lid on the jar.
In other cases, though, there is a better analogy: the overpowered muscle car given as an 18th birthday present. It’s an awesome machine – but was it a good idea to put it in the hands of someone who has barely learnt to drive?
That’s the image that springs to mind from the latest privacy embarrassment to hit Facebook. The world’s favourite social network (users: 550m) admitted this week that it inadvertently passed some information to the “apps” – things like games you play with friends, or family trees – that can be accessed through the site. Some apps, in turn, handed the information over to advertisers who, under Facebook’s rules, had no right to see it.
A system that is supposed to be sealed, keeping data in the hands of Facebook and the apps personally selected by its users, turned out to have a leak.
Facebook’s explanation of this glitch was somewhat disingenuous. It blamed a basic flaw in the design of web browsers for the problem. But if that was the case, then why, by its own estimate, did only a handful of app developers fall foul of its rules?
In the overall scheme of things, this is not a big deal. The information at issue – the personal identification numbers of Facebook users – probably has little value unless it can be combined with other types of personal information, and Facebook says it does not believe the data were collected. But the slip was instructive.
The architecture of the new world of social networks and smartphones is starting to throw up some vexing questions of control. Unless they are resolved, a potentially highly profitable way of delivering services to consumers will fail to reach its full potential, as users shy away and regulators start to interfere.
The Facebook issue echoed a US academic study last month which found that two-thirds of the apps tested on Google’s Android operating system (admittedly, a small sample of only 30) passed some kind of personal data on to advertisers. Like Facebook, Google has a strict rule forbidding this.
Previous technology platforms that won a mass audience have not been in the habit of handing out sensitive personal information like this. PCs, for instance, don’t automatically give data about their owners to whichever software applications are installed on the machine. And when the web emerged as the next mass computing platform, websites were in much the same position: users approached them anonymously, and could choose how much about themselves to reveal.
True, that anonymity has been eroding fast. Cookies (which sit in computers and track the websites they visit) and beacons (code embedded on websites that monitors the behaviour of visitors) have become a fact of online life.
However, the latest computing platforms – social networks and smartphones – go further, treating the passing on of personal information as a key design feature. In the case of Facebook, that means 550,000 different applications that do things such as draw on a user’s social connections and other personal information. Likewise, smartphone apps – of which Apple now has more than 300,000, by one estimate – often seek to tap into things such as a handset’s location and the user’s address book.
Anyone using these apps must first give them permission to access personal data – and the platform companies have taken steps to make this process more explicit. But such permissions are often lightly given and quickly forgotten.
This has been making regulators in Europe and Canada nervous: they worry about how companies such as Facebook can control the hundreds of thousands of developers that draw on their vast banks of personal data. Facebook plays down the risks. It says that of the thousands of applications that it has banned, very few transferred user information without authorisation. By definition, though, transgressions like this are among the hardest to identify.
The encouraging news is that the new platform companies have every incentive to improve the policing of their systems and reassure users. Shortly before its latest slip, for instance, Facebook took an important step by giving its users a way to see what data their apps had accessed.
Ultimately, proving they have mastered their powerful new machines – and are prepared to hand more of the control to their users – will be the surest way for companies like this to make sure no one tries to take the keys away...