Facebook-Gate: Rethinking How Apps Treat User Profile Data

When it was discovered that Facebook had allowed its users’ profile data – and that of their social networks – to fall into third-party hands, it caused a bit of an uproar.

However, Facebook isn’t the only platform where user profile data – and even that of their personal or corporate networks – is collected and used by third parties without the knowledge of its users. Those are the findings of a new Appthority report, which shows that tens of thousands of ad-supported apps are doing exactly what has created problems of monumental proportions for Facebook.

Appthority co-founder and president Domingo Guerra said that, after what he calls the “Facebook fiasco,” his company grew curious about the prevalence of third-party tools overharvesting personal information when it’s not to support app functionality, but for advertising.

What they found was worse than they had expected.

Guerra said not only are consumers throwing their own data permissions about, willy-nilly – they are also putting their friends, families and other contacts’ data at risk anytime they use Facebook to authenticate themselves at an eCommerce website, rather than completing the more laborious manual registration process or approving a third-party tool or app to access their contacts.

“If you go to the store and buy something, and the clerk asks for your address book, your phone number, your parents’ phone number and your family’s address, you’d never give it,” he said. “But for some reason, when it comes to apps, people just say ‘Yes.’ They want to get on with their lives and get back to the screen they were trying to access.”

Guerra concluded that the current permission models are broken, and Facebook was the Watergate that made the public aware that these platforms – many of which are “free” to download – may be costing them more than they claim.

However, Guerra said, no one is going to repair those broken models unless one of two things happens: Either the public must decide that it cares enough about data privacy to take a stand and demand change, or the government must step in with regulations, like the GDPR in Europe.

Normal Vs. Abusive Data Collection

It should come as no surprise that mobile apps are collecting data about their users. It’s not even news that they often request permission to collect more than they need for app functionality.

Remember the flashlight app that asked users for their address book, location, calendar and more? In what way does mom’s home address or that lunch date with Cynthia have anything to do with turning on the flash function of the device’s camera?

Nothing, but it has a lot to do with the app monetization model.

Guerra said that Appthority has been keeping tabs on millions of apps over the past few years to better understand what’s “normal,” and the above example of the flashlight app is definitely not. It’s one thing for a calendar app to request a user’s schedule, or a map app to request the person’s location. But when an app demands such broad access to the contents of a user’s phone, he said, something is wrong.

“When people share their calendar and contact info,” Guerra said, “they don’t think that info is being taken by that app for monetization.”

In other words, they trust the platform or app – a sentiment that Appthority has now shown to be, unfortunately, misguided.

A Broken System

Guerra said the permission models are broken, because platforms are asking people to grant them access to certain data – when in fact, it’s not only that customer’s data that is being shared, but data belonging to their social connections.

“That’s where more disclosure being required would help us make better decisions,” Guerra said. “But just showing, ‘Hey, I’m going to allow you to log in with Facebook’ – the functionality carrot is big enough for a lot of folks to go through with it. There doesn’t seem to be any consequence or risk.”

Guerra cites a lack of granularity as one key shortcoming. Even when apps ask for permissions, it is not always clear whether they are seeking it only for the user, or only for the app itself, or whether they will be harvesting data from the user’s network and sharing it with theirs to make money.

However, even if apps spell it all out in their permissions, privacy statement, or terms and conditions – which is all that’s required by U.S. law – Guerra said that the disclosure is hardly serving its intended purpose, as consumers aren’t going to open and read a 10-page privacy document on their smartphones.

The Snowball Becomes an Avalanche

Regulators and users alike have looked the other way on a lot of issues with Facebook as the platform continually promises to “do better next time” when people complain. Will this time be any different? Guerra hopes so – indeed, it’s the one silver lining he can see in the whole situation.

Guerra said the surprising thing about the Facebook fiasco wasn’t that data was being collected and shared; the surprising thing was that Facebook was surprised. He pointed out that Facebook knew its users’ data was being collected, or could be collected and shared – but didn’t consider that it could be used by a foreign company in an election setting?

“That shouldn’t have happened,” Guerra said. “It shows a lack of control.”

However, his fingers are crossed that this debacle will push things over the edge in terms of seeing better regulations from the government – as well as more meticulous activity by consumers.

“As users, we have to protect our own data, because if we don’t, no one else will,” Guerra said. “You shouldn’t have to agree to giving up data to use platforms. And if we’re going to agree, then platforms must be held accountable for how they share it.”



Digital transformation has been forcefully accelerated, but how does that agility translate into the fight against COVID-era attacks and sophisticated identity threats? As millions embrace online everything, preserving digital trust now falls mostly on banks and FIs. Now, advances in identity data and using different weights on the payment mix afford new opportunities to arm organizations and their customers against cyberthreats. From the latest in machine learning for fraud and risk, to corporate treasury teams working in new ways with new datasets, learn from experts how digital identity, together with advances like real-time payments, combine to engender trust and enrich relationships.