A privacy problem: 90% of applications are being given more privileges than they need.

Users view their profiles as a form of self-expression, but these profiles also have commercial value to marketing companies, competing networking sites, and identity thieves. Data mining through the development platform can potentially affect more people than screen scraping, because it exposes information that might otherwise be hidden (i.e., users with "private" profiles may still install applications).

When Jane installs a Facebook application, the application is given the ability to see anything that Jane can see. This means that the application can request information about Jane, her friends, and her fellow network members. The owner of the application is free to collect, look at, and potentially misuse this information. The Facebook Terms of Use agreement tells application developers not to do this, but Facebook has no way of finding out or stopping them.

When a user wants to install an application, she must grant that application full privileges. Privacy settings can be applied to friends' applications, but one standard is set for all applications. There's no way to say, "X gets my hometown but Y only gets my favorite music." The principle of least authority, a security design principle, states that an actor should only be given the privileges needed to perform a job. In other words, an application that doesn't need private information shouldn't be given any.

Petition:
Application developers should be subject to the same restrictions as any other user. Users understand privacy settings from their experience with a social networking site's web interface, and most likely do not understand what is going on behind the scenes of the Facebook Platform. (The Terms of Service warning screen is meaningless because every application has it.) It is reasonable to believe that users want their web interface privacy settings to be upheld for all users, including application owners. Users should not be forced to sacrifice their privacy to use the latest "cool" features of a website, especially when those features don't even require access to the information!

More: http://www.cs.virginia.edu/felt/privacy/ (read less)

A privacy problem: 90% of applications are being given more privileges than they need.

Users view their profiles as a form of self-expression, but these profiles also have commercial value to marketing companies, competing networking sites, and identity thieves. Data mining through the development platform can potentially affect more people than screen scraping, because it exposes information that might otherwise be hidden (i.e., users with "private" profiles may still install applications).... (read more)