Facebook Creating Fourth-Party Privacy Rules for Facebook Connect Widget & Plugin Developers

In a recently written post on the Facebook Developers Wiki, Facebook has added new rules for information sharing between websites that have implemented Facebook Connect and any third-party widgets that they might also work with – particularly “plugins” for Facebook Connect.

In the wiki article, Facebook lays out the rules which require widget/plugin developers to develop applications which only communicate with the website, and not directly with the users themselves.  Plugin developers are to leave user communication up to the website owner. Facebook writes,

The widget developer can have a relationship with the site owner, but not directly with the user. Any Connect buttons or functionality needs to be done in the context of the website that hosts the widget. This means:

  • Each site needs its own application key, with a callback url of the domain
  • Connect Javascript code needs to execute in the context of the website domain
  • User data cannot be passed into iframes, unless it complies with the Data Sharing Policy

The user has established a relationship with two parties: Facebook and the website. A widget developer should not create a third connection.

Facebook seems to be trying to protect the websites that install the code, giving the website owner control over the relationship the website has with the user. What isn’t quite clear, though, is how far a plugin or widget developer must go to break these rules.

For instance, this would appear to put any future Google Friend Connect integration completely out of the picture, as Friend Connect attempts to create relationships with the user, followed by the sites it supports. Is this targeted directly at Google? Other unclear examples would be sites like Disqus, which store comments on their servers on behalf of the user. Would they be able to continue to do so if they integrate Facebook Connect into their service and provide a widget for blog owners?

Two Rules of Fourth Party Support to Live by

In the wiki entry, Facebook has defined two modes of fourth-party support. One is for plugins, as with self-hosted WordPress, MovableType or even Drupal, where developers can write code that deeply integrates into the blog or website owner’s application. The other mode is for “widget support.” This will enable developers to write code that can just be copied and pasted into a website and has no deep integration. It appears that Facebook is creating rules for both modes of operation, but they have not been publicly defined at the time of this writing.

New Plugin Directory

As Facebook begins to track Facebook Connect integrations on its own wiki, it is also creating a new directory just for plugins, in which it plans to track widget and plugin applications of Facebook Connect. Facebook wants to create an easy way for website owners to find Facebook Connect-enabled (and Facebook-approved) plugins. This is good for plugin developers, who will want increased exposure for their apps, and at the same time it protects the site owner, as Facebook can monitor plugins and how they interact with the websites they are installed on. It would be very interesting to see if Facebook ever provides a way for developers to monetize these widgets and plugins.

Facebook is working hard to stay true to its commitment on privacy as Facebook Connect extends access to user data across the web. There has been no official announcement by Facebook on this article as of yet.