As a result of its dialogue with the privacy commissioner of Canada, Facebook this morning announced significant changes to the ways application developers have access to Facebook user data. While no specific API changes were announced this morning, the new permissions model will essentially make the way that users will grant developers access to both their own profile information and their friends’ profile data more granular and explicit.
According to Facebook, “Facebook will introduce a new permissions model that will require applications to specify the categories of information they wish to access and obtain express consent from the user before any data is shared. In addition, the user will also have to specifically approve any access to their friends’ information, which would still be subject to the friend’s privacy and application settings.”
In other words, instead of granting access to all of their profile data when engaging with an application for the first time, users will now authorize only specific categories of user data – like interests, gender, or their current city, for example. With the changes, when developers want to access new profile information fields not granted in the original application authorization, they’ll need to ask for explicit permission.
In addition, users will have to specifically opt-in to sharing any of their friends’ data with an application. This means that there will now be more friction for developers who want to integrate users’ friends into the application experience in a way that intelligently takes friends’ profile data into account. However, the new rules will also make it harder for developers or ad networks to create misleading social context or deceptive advertisements.
Essentially, the assumptions around access to user data within the Facebook ecosystem are changing. Now, developers will have to be explicitly clear about what profile information they’re requiring users to grant them access to in order to engage with the application – the rest of users’ profile data will no longer “come for free.”
Ethan Beard, Facebook’s Director of Platform Marketing, says, “We are still very much in the conceptual stages of development and many of the details are yet to be determined. However, we’ve committed to requiring developers to specify in advance what categories of user data they will need. When users authorize an application, they will have the opportunity to opt out of giving certain pieces of information. There may be some fields that, at minimum, are necessary for the application to function. We will make it clear that the user must authorize the required fields in order to use the application. We also anticipate that users will need to opt-in to giving applications access to their friends’ data.”
Facebook says that while they are starting work on the changes now, the company expects the “entire process” will take about a year. Over the course of the next year, Facebook will be developing the specifics of the new user data APIs, and working with developers to make the transition as smooth as possible.
“We certainly sympathize with developers that this will be a process,” Facebook Senior Platform Manager Dave Morin said this morning. “We will work with the developer community to make sure that the changes are as least disruptive as possible and as easy to understand as possible.”
“We don’t think this will hinder developers’ abilities to build businesses on the Platform. In fact, by putting users in more control, we think users will be more engaged over time, and developers will be able to build bigger and better businesses because of it,” Morin added.
In addition to the Platform privacy changes, Facebook said it will also be making a few other updates as a result of its dialogue with the Canadian privacy commissioner, including:
- Better explaining why Facebook requires users to enter their birthday when signing up for the site (so that it can restrict adults from viewing minors’ profiles, and so that it can limit the site to users over 13).
- Better explaining account deactivation vs account deletion. (Facebook retains user data indefinitely when users deactivate their accounts, but removes it within a couple of weeks when users delete their accounts.)
- Giving new users a tour of Facebook’s privacy settings during the signup process.
Developers do not need to make any immediate changes to their applications today, but should be preparing for a Facebook Platform framework in which user data must be requested and granted more specifically and explicitly than it is today.
“This is a constant conversation that we’re having developers with a variety of ways. Being able to have a contextual experience powered by your friends is a pretty standard part of the social web,” Morin says.