Facebook Updates Developer Data-Retention Policies, Tries to Stop User Abuse

Until a month ago, developers on Facebook’s platform were not allowed to retain user data for more than 24 hours (even though many did, anyway). Then Facebook said at its f8 developer conference in late April that it would let them store user data indefinitely — provided they continued to follow its policies around data retention.

Yesterday, along with a wider range of privacy changes, like the ability for users to block Platform completely, Facebook updated its developer data policies. From a brief mention in a blog post yesterday:

We added a few clarifications in our simplified data policies to help address some confusion around your rights and responsibilities with respect to user data. For example, our removal of the 24-hour caching policy eliminated a technical burden but does not change the rights you have to data, which continue to be subject to explicit user consent.

We’ve confirmed the specific new wording with Facebook — see below. The gist is that Facebook is concerned that developers are abusing user data; indeed, we have heard reports that some developers and advertisers have been scraping user data via applications and ads, breaking Facebook’s policies to create their own databases of users.

It’s not clear how big a security issue this is; we think it could be a bigger problem than many other security issues that critics have cited. But the changes to the policies are indicative of the abuse.

III. Storing and Using Data You Receive From Us

1. You must give users control over their data by posting a privacy policy that explains what data you collect, and how you will use, store, and/or transfer their data.

2. You may cache data you receive from the Facebook API in order to improve your application’s user experience, but you should try to keep the data up to date. This permission does not give you any rights to such data (including the right to transfer) absent explicit consent from the users who own the data.

3. Users give you their basic account information when they connect with your application. For all other data, you must obtain explicit consent from the user who provided the data to us before using it for any purpose other than displaying it back to the user on your application. A user’s friends’ data can only be used in the context of the user’s experience on your application.

4. If you stop using Platform or we disable your application, you must delete all data you have received from the Facebook API unless: (a) it is basic account information; or (b) you have received explicit consent from the user to retain their data.

5. You cannot use a user’s friend list outside of your application, even if a user consents to such use. You can use connections between users who have both connected to your application, subject to your privacy policy.

6. You will delete all data you receive from us concerning a user if the user asks you to do so, and will provide an easily accessible mechanism for users to make such a request. We may require you to delete data you receive from the Facebook API if you violate our terms.

Going by the highlights, you can guess what the different methods of potential abuse have been. Per 2, some developers have apparently been using and transferring user data without gaining consent; per 3, they have been repurposing user data in ways for which they lack user permission; per 4, they have not been deleting all the data they should have (though with Facebook launching the bulk app deleter yesterday, this clause may have been added to coincide with the launch of that feature).

[Update: Facebook product director Bret Taylor tells us in the comments that the policy changes were not in response to specific abuses. Rather, they were intended to generally clarify how data can be used, following the announcement at f8. Whatever rationale Facebook has for the changes, however, our understanding is that 1) there has been abuse involving developers improperly using and transferring Facebook user data, and 2) Facebook has been taking measures to stop the abuse.]

The problem, for Facebook, is that the terms only really matter to the more legitimate developers on the platform. If someone is willing to accept the risk of being taken to court by Facebook, there’s no other mechanism stopping them from abuse. Some countries do not effectively enforce laws against data theft and other security crimes, so it’s possible that the worst abusers are running free, with chunks of Facebook’s social graph at their disposal. We’ll be covering this issue as more evidence emerges about what’s really happening.