On the Grey Zones of Privacy

Facebook apps operate on the principle that you explicitly agree to each access requested. The app requests certain permissions, and you then consent to the information exchange. But what happens when consent reaches into the details of your contacts? 

First Published 23rd March 2018

On the Grey Zones of Privacy

Enter angry emoji here.

4 min read  |  Reflare Research Team

Data privacy appears to be self-evident on the surface. When posting, liking, commenting or sharing, these actions should only be visible to the audience defined in the settings - Friends, Friends of Friends or Everyone.

When using a Facebook app such as a messaging client, social game or quiz, the app should only receive the access requested on the confirmation page. This access may range from “Basic Account Information” to “Let this app post for me”. Everything is relatively straight forward.

But what happens when one of your friends is granting an app access to their basic information, friend list and feed? The app will now be authorized to see that you two are friends and would also see any posts, likes and comments of yours that your friend can see. Your friend can effectively grant access to your data to a third party even though you may not want to have it.

What appears to be a grave privacy oversight at first glance actually makes sense when viewed through the lens of a wide variety of applications. For example, a Facebook client app for mobile devices or an app allowing groups of friends to coordinate events would be useless without access to the user’s friends’ posts, friendship status and likes.

Malicious actors may then take the data collected by legitimately authorized Facebook apps, save it and use it for further purposes.

Privacy thus quickly becomes complicated and much murkier than most users expect.

What can be done to change this?

Rules and social norms governing data privacy are an evolving concept that will need more time to mature fully. However, three main elements play a role in better protecting user data from abuse.

Limiting Authorization

In the early days of social networks, apps used to be authorized to either access all of a user’s data or none of it. Over time these authorizations have become more fine-grained to allow access to only basic information, only posts and so on. More fine-grained authorizations - especially such that allow users to opt-out of having their data shared by friends - may be necessary. However since these restrictions would break compatibility with existing apps and ultimately lead to a sharp decrease in user engagement, they are not popular with social network operators.

Timing Authorization

While users are in theory able to deauthorize apps that they no longer use, this rarely happens in practice. Many users - especially those very active on social networks - have tens or even hundreds of apps authorized to access their data. Some of these apps may have been malicious from the start, have become abandoned and insecure or have been acquired by malicious actors. Automatic deauthorization of unused apps appears to be a reasonable step. However, the challenge of determining whether an app is being actively used will be tricky to implement well.

Public Awareness

The last element is growing awareness of privacy and the impact that one’s actions may have on the privacy of friends and acquaintances. Since such awareness is rooted in social norms and cultural conventions, we cannot predict how it will evolve over time. However recent years have seen an increasing global trend towards awareness of - if not care for - privacy concerns.


Data privacy is a constantly evolving topic which will gain in importance over the coming years. While much data privacy regulation focuses on preventing outright data breaches through cyber attacks, the prevention of authorized but unintended uses of personal data may play an even larger role in the long run. While this plays out, users will become considerably more attentive to precisely what the small print within their digital footprint actually means. And should user behaviour move faster than the social media platforms to address data privacy, then the consumer may well set the terms and pace of change ahead.

Subscribe by email