Facebook May Highlight App Permissions for Contact Info, Prevent Minors from Sharing

Facebook has responded to Congressman Ed Markey’s questions about its plan to allow users to grant applications access to their phone number and home addresses. The response explains that Facebook is considering answering widespread criticism of the plan by highlighting contact information requests in the permissions screen and barring apps from asking minors for this info.

On January 14th, Facebook announced in a post on its Developers Blog that it would begin allowing users to authorize applications to access their mobile phone number and home address through the standard “Requests for Permission” dialog that users see when installing apps.

Inside Facebook and others criticized the plan, saying that though it would facilitate innovation, requests for such sensitive data should be more prominent within the permissions flow. On January 18th, Facebook temporarily disabled contact info requests based on the criticism and feedback from users.

Markey and fellow Congressman Joe Barton, the Co-Chairmen of the Congressional Privacy Caucus, sent Facebook CEO Mark Zuckerberg a set of questions on February 2nd asking why Facebook would grant access to contact information, if this would violate its own privacy policy, and how a re-deployed version of the requests would address concerns.

However, the letter’s authors seem to have been confused, asking why Facebook was giving third-parties access to user information, when it was actually permitting users to choose if they wanted to share the mobile phone number or home address the same way they can currently share their photos or email addresses.

Facebook’s response declares “This question is premised on a misunderstanding. Facebook enabled users to choose to share contact information with applications. Our Developer Policies require developers to delete a user’s data upon the user’s request.”

Since contact info requests are covered by the site’s privacy policy and fall within the permissions framework that Canada’s Privacy Commissioner deemed adequate to inform users, Facebook says there was no need to change the policy or notify users of a change. All product changes are pre-approved for privacy policy compliance with Facebook’s Chief Privacy Counsel.

The response does agree with the Congressmen that Facebook could increase the prominence of contact info requests, and explains that the company temporarily disabled the feature pending this review. Regarding the potential changes to a re-deployed version, Facebook says, “we are evaluating whether and how we can increase the visibility of applications’ requests for permission to access user contact information. We are also considering whether additional user education would be helpful.”

The Congressmen also asked whether Facebook factored in the risks to children and minors when deciding to enable the feature. Facebook responded saying children under the age of 13 are prohibited from using the site, and that it always considers the safety of minors. However, though not explicitly mentioned in the Developers Blog post about the feature being disabled, Facebook now says “we are actively considering whether to enable applications to request contact information from minors at all.”

Overall, the response shows that Facebook is willing to take extra precautions to protect users while continuing to expand their choices of what to share. The plan for action syncs with our recommendation to make sensitive user data requests distinct from more benign requests. By bluntly refuting misinformed questions, Facebook shows that it won’t be framed as a villain while politicians seek to appear as privacy defenders.