{"id":11871,"date":"2018-03-27T10:45:19","date_gmt":"2018-03-27T18:45:19","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/03\/27\/news-5640\/"},"modified":"2018-03-27T10:45:19","modified_gmt":"2018-03-27T18:45:19","slug":"news-5640","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/03\/27\/news-5640\/","title":{"rendered":"The Facebook Privacy Setting That Doesn\u2019t Do Anything at All"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5ab97d152ef59456bdd53176\/master\/pass\/FacebookPrivacySetting.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Tue, 27 Mar 2018 16:00:00 +0000<\/strong><\/p>\n<p>Wrangling your Facebook <a href=\"https:\/\/www.wired.com\/story\/facebook-privacy-apps-ads-friends-delete-account\/\">privacy settings<\/a>\u2014fine-tuning what data friends, advertisers, and apps can access\u2014is a slog. The menus are labyrinthine, the wording obtuse. And it turns out that one of them is completely pointless. In fact, it hasn\u2019t worked in years.<\/p>\n<p>To be clear: This is not a case of Facebook sneaking one past you, at least not the way you might think. 
These settings no longer work because Facebook no longer allows the kind of data harvesting they control; in fact, these checks address the very data oversharing that let quiz developer Aleksandr Kogan turn 270,000 installs <a href=\"https:\/\/www.wired.com\/story\/cambridge-analytica-50m-facebook-users-data\/\">into a menagerie of 50 million users<\/a>, which he then illicitly passed along to political data firm <a href=\"https:\/\/www.wired.com\/story\/wired-facebook-cambridge-analytica-coverage\/\">Cambridge Analytica<\/a>.<\/p>\n<p class=\"paywall\">But the fact that Facebook never bothered to update that critical corner of its privacy settings, years after those changes went into effect, is downright baffling\u2014and speaks to a general lack of seriousness in the company\u2019s attitude toward data transparency.<\/p>\n<p class=\"paywall\">The setting in question is <strong>Apps Others Use<\/strong>, which you can find by signing onto Facebook, clicking the downward arrow in the upper right corner, then <strong>Settings<\/strong>, then <strong>Apps<\/strong>. (See? Labyrinth.)<\/p>\n<p class=\"paywall\">Click <strong>Edit<\/strong>, and Facebook greets you with a list of informational categories about yourself that, a not-so-helpful description reads, your Facebook friends \u201ccan bring with them when they use apps, games and websites.\u201d<\/p>\n<p class=\"paywall\">In truth, your friends weren\u2019t bringing your information with them so much as developers were spring-boarding off of them to get to you. The data categories include your birthday, your activities, if you\u2019re online, and posts on your timeline. The check-boxes number 13 in all, with an additional three\u2014friend list, gender, and the very broad \u201cinfo you\u2019ve made public\u201d\u2014that you can&#x27;t opt out of.<\/p>\n<p class=\"paywall\">This is precisely how Facebook used to work. 
If you downloaded an app, you granted the developer of that app access to scads of information about all of your friends, presumably unbeknownst to either of you, unless you happened to be a close reader of buried preference menus.<\/p>\n<p class=\"paywall\">It\u2019s not, though, how Facebook has worked since 2014, when it shut off that spigot. Developers haven\u2019t been able to raid someone\u2019s friend list in years\u2014unless both friends have downloaded the same app\u2014despite what that particular setting would have you believe.<\/p>\n<p class=\"paywall\">\u201cThese controls were built before we made significant changes to how developers build apps on Facebook,\u201d says a Facebook spokesperson. \u201cAt the time, the Apps Others Use functionality allowed people to control what information could be shared to developers. We changed our systems years ago so that people could not share friends\u2019 information with developers unless each friend also had explicitly granted permission to the developer.\u201d<\/p>\n<p>&#x27;I really can&#x27;t make sense of it.&#x27;<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">Gergely Biczok, CrySys Lab<\/p>\n<p class=\"paywall\">That\u2019s not just spin; the timing of the changes was confirmed by Gergely Biczok of Budapest University of Technology and Economics&#x27;s CrySys Lab, and Iraklis Symeonidis of COSIC, KU Leuven, two researchers who have spent the last several years studying Facebook privacy. Using the <a href=\"https:\/\/developers.facebook.com\/tools\/explorer\/\" target=\"_blank\">Graph API explorer<\/a>, which details what Facebook developers could and could not do on the platform through its various iterations, they determined that the kind of permissions <strong>Apps Others Use<\/strong> covers have not been available since at least Graph API v2.5, which was released in October of 2015. 
(It also may have been even earlier; that&#x27;s just as far back as the Graph API explorer goes.)<\/p>\n<p class=\"paywall\">\u201cI can\u2019t really make any sense of it, actually,\u201d says Biczok, who says that the data categories in the settings pane line up essentially one-for-one with a permission called friends_XXX, which allowed developers to harvest friend data, and which Facebook says was phased out with the advent of Graph API v2.0 in 2014. \u201cEven if I do a thought experiment and try to imagine myself into their place, it\u2019s maybe just an error in the software development process. But it\u2019s a long-existing one.\u201d<\/p>\n<p class=\"paywall\">Facebook fails to offer a satisfactory explanation either, although the company does say it plans to introduce improvements to settings to &quot;reflect current practices&quot; within weeks.<\/p>\n<p class=\"paywall\">But it\u2019s taken years, and the largest scandal in the company\u2019s 14-year history, to even identify the problem in the first place. And it\u2019s that negligence, rather than the specific settings, that concerns privacy advocates.<\/p>\n<p class=\"paywall\">\u201cIn general it makes people think, \u2018why should I grapple with these privacy settings anyway? I can\u2019t know what actually is going on,\u2019\u201d says Joseph Jerome, policy counsel at the Center for Democracy &amp; Technology. But Jerome also strikes a sympathetic tone; Facebook isn\u2019t the only company to contend with this issue, he notes, and the act of making an effective privacy dashboard in the first place is challenging for anyone.<\/p>\n<p class=\"paywall\">Still, Facebook is a multibillion dollar company with certain obligations, no matter how tricky to fulfill. \u201cIndividuals are always going to be at an information disadvantage when it comes to understanding their privacy and how Facebook uses data,\u201d Jerome says. 
\u201cThe onus is on Facebook to better design their UI\/UX to convey information to individuals.\u201d<\/p>\n<p class=\"paywall\">The <strong>Apps Others Use<\/strong> confusion also underscores just how little benefit of the doubt Facebook has earned. In 2011, the company had to sign a <a href=\"https:\/\/www.ftc.gov\/news-events\/press-releases\/2011\/11\/facebook-settles-ftc-charges-it-deceived-consumers-failing-keep\" target=\"_blank\">consent decree<\/a> with the Federal Trade Commission over its deceptive privacy practices, as it had regularly opted users into giving away more data without their explicit consent. In 2014, it tested whether it <a href=\"https:\/\/www.wired.com\/2014\/06\/everything-you-need-to-know-about-facebooks-manipulative-experiment\/\">could manipulate the emotions of users<\/a> through changes to News Feed. In 2016, it <a href=\"https:\/\/www.wired.com\/2016\/08\/whatsapp-privacy-facebook\/\">changed encrypted chat app WhatsApp\u2019s terms of service<\/a> to allow Facebook to harvest the phone numbers and various analytics of users with accounts on both services. And just a few months ago, it <a href=\"https:\/\/www.wired.com\/story\/how-to-turn-off-facebook-face-recognition-features\/\">automatically applied a five-year-old face-recognition preference<\/a> to a suite of new uses for the feature.<\/p>\n<p class=\"paywall\">Biczok and Symeonidis point also to less publicized forms of overreach. A permission called read_mailbox, if granted to an app, potentially allowed a developer to read private messages between friends\u2014even if only one of them had installed it. 
That was only <a href=\"https:\/\/developers.facebook.com\/docs\/graph-api\/changelog\/archive#%23v2_4_new\" target=\"_blank\">deprecated<\/a> in Graph API v2.4, introduced more than a year after Graph API v2.0, which Facebook had identified as the solution to its developer-related data woes.<\/p>\n<p class=\"paywall\">Biczok says that incident offers a stark contrast to the way Facebook responded to the user_friends debacle. \u201cYou have to be friends, install the same app, and give the user_friends permission in order for your data to show up at his side. I think that\u2019s good enough,\u201d says Biczok of the protections Facebook put in place in 2014. \u201cThe read_mailbox thing, that was not good enough.\u201d<\/p>\n<p class=\"paywall\">The pair note also that even today, Facebook\u2019s data policy has holes. A developer with multiple apps, they say, could gather a different, specific set of data about a user from each; if that person installs three or four apps, the company suddenly has assembled close to a full profile, without the user granting those sweeping permissions to any single app.<\/p>\n<p class=\"paywall\">Still, the good news in all of this: You can safely ignore <strong>Apps Others Use<\/strong>. It doesn\u2019t do anything. Facebook really did address the issue. The bad news? It didn\u2019t bother to let you know\u2014a slip that&#x27;s hard to imagine from a company that truly valued giving you complete control over your data.<\/p>\n
<p><a href=\"https:\/\/www.wired.com\/story\/facebook-privacy-setting-doesnt-do-anything\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5ab97d152ef59456bdd53176\/master\/pass\/FacebookPrivacySetting.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Tue, 27 Mar 2018 16:00:00 +0000<\/strong><\/p>\n<p>For years, Facebook has left a privacy setting on its site that addresses a problem that no longer exists.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-11871","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11871","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11871"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11871\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11871"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11871"},{"taxo
nomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}