Facebook and disclosure of your private information

Posted: October 3, 2012 by Ash Mishra in Uncategorized

This afternoon several colleagues and I have been looking at sites using Facebook to create accounts.  The idea is that if you’re already logged into Facebook, it is easy for us to use Facebook as a conduit to create an account for you on our website; reducing the number of usernames and passwords you need to remember, as well as lowering the barrier of entry in getting you to signup to a website.

You’ve probably seen this as “Register with Facebook” or “Login with Facebook” on many sites.  Below is a screenshot from Rdio, where you can see the Facebook Register button.


Clicking Register on Rdio.com brings up the following page:

Rdio's create an account using Facebook

So if you have a facebook account, you can click on Log in to prefill the form below with your profile information.

Clicking on this link brings up this:

Facebook login panel for Rdio

Now this gets a bit techie, but stick with me.

The url being linked to from Rdio is the following:


What this URL is requesting from Facebook is the following:

  1. Your full name
  2. Your email address
  3. Your gender
  4. Your birthday
  5. Your location

That’s alot of information, and we would hope that there is some way to turn off what can be sent back to websites.  Facebook permits you to turn off what data is passed through your friends (in Privacy settings, below), but I have not been able to find a way to change what can be directly requested by a website.

Facebook's privacy settings

The result is, that without controls to change what Facebook can share with other websites, it will return your private data with any website that asks for it.  Image below of what get’s returned to Rdio (fake data supplied via my Facebook account).

Update:  After reading a blog post by Facebook on registration, the panel below is actually not hosted on Rdio, it’s an iFrame (a partial window) on the Facebook domain.  Only when a user clicks Register does your private information get sent from Facebook to the requesting website.

Facebook details returned to Rdio

The Create your Rdio account panel  – before clicking “Log in to Prefill…” – doesn’t explicitly say what it will request from Facebook.  If you read the Privacy policy very carefully, it’s in there, but please – who wades through mounds of legalese?  Honestly, I think its about time that sites do the right thing and completely disclose what data they are going to get from Facebook.  And Facebook should do the right thing and implement privacy controls – by default opting out user’s details, and allowing them to opt-in and choose what to share.

Rdio is a legit site, and I love it.  But there are many sites out there that we visit, and any number of those could have lesser security or the right intentions.   Any of these could ask you to sign up with your Facebook account – and what you believe is private in your Facebook account – isn’t.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s