Your Personal Messages on Facebook Could Be Read By An App – And You May Have Authorized It

January 10, 2012 · Filed Under Facebook, Facebook Applications

After over a decade of working online, you might think that there’s not much that surprises me…then again, Facebook, as it stands, has not been around that long, has it?

I was checking to see that one of my Facebook applications, namely HootSuite, was set up to post properly. So I headed into my application settings within Facebook and clicked the link to edit it. Now, if you’re anything like me: I’m usually pretty quick to allow an application within Facebook (within reason), but I rarely head back into that application to double-check exactly what it is that I’ve authorized.

I always have good intentions to do so, but quite often get busy and forget.

Now, before I go on here, and before you get a negative impression of HootSuite, I do want to say that it is a great application. It allows me to update multiple social networks at the same time (I’m still waiting for Google+), and all in all, it saves me a ton of time.

In order to use HootSuite, I need to allow it to access my Facebook pages, Twitter account, etc. Not a big deal; that’s the whole reason I decided to use it in the first place.

That being said, however, I was truly (and I mean truly) shocked when I went into Facebook to edit the application. Here’s what I found (see image). Now, I know that the details of the image are hard to see, so let me break down the different areas for you:

  1. Access my basic information (required):  This is pretty across-the-board for any Facebook application.  It allows access to things like your name, gender, other information you’ve made public and so on.
  2. My Profile Information (required):  Again, pretty basic standard stuff.
  3. My Family & Relationships (required):  Not necessarily something that they’d need, but it is required.
  4. Access Information People Share With Me (required):  This one is a little questionable but again, it’s required so if I want to use the application, I need it.
  5. Send Me Email (required):  They’re asking to send me email at my address; fine.
  6. Access my contact information (not required):  This I can remove if I’d like to.
  7. Manage My Pages (not required):  HootSuite can log in to my pages (fine, this is what I want it to do anyway in order to post to them; otherwise the whole purpose of using HootSuite in the first place would be null and void).
  8. Post to Facebook on my Behalf (not required):  This means that HootSuite may post for you in the locations you’ve authorized.
  9. ACCESS MESSAGES IN MY INBOX (not required):  Yes, if you don’t catch this little addition to the application, you may not know that HootSuite can access your personal messages contained within your Facebook inbox.  Makes you feel a little violated doesn’t it?
  10. Access Posts in my News Feed (not required):  Again, I can remove this but essentially this app wants to be able to read not only my own messages that I post but also those that my friends post.
  11. Access my Data Any Time (not required):  In other words, if I’m not logged in, HootSuite still wants access to my data (I’m imagining some creepy IT guy who after hours logs into the application and starts reading personal messages).
  12. MANAGE MY EVENTS (not required):  Yes, this application wants to be able to manage your events.  As a matter of fact, it even says “HootSuite may CREATE and RSVP to events on my behalf.”  Yes, I don’t think I want some unknown person creating events for me or responding to events on my behalf.
  13. ACCESS AND MANAGE MY CUSTOM FRIENDS LISTS (not required):  Again, I’m not quite sure why they would need to manage my friends.  (They do mention this in their help files – see below).
  14. ACCESS MY FRIEND REQUESTS (not required):  Again, not certain why HootSuite would need to access my friend requests but again, perhaps related to their answer below.
  15. MANAGE MY NOTIFICATIONS (not required):  This portion of the application allows it to manage your notifications and mark them as “read”.
  16. Insights (not required):  The application may access the data from Insights (statistics) for my page(s) and applications.  Not quite certain why it would need access to other applications that I use.
  17. CHECK-INS (not required):  HootSuite’s app may publish check-ins on my behalf.

Now, let’s put all of this in perspective. All of these items may be necessary to authorize in the event that HootSuite updates their website to make use of this information. For instance, if, in the future, they offered you a way to check in to a location using Facebook through their own site at http://hootsuite.com, then I can see where this would come in handy.

Also, as for accessing my personal messages: in the event that this feature becomes available, I can certainly see it as a necessity if I want to be able to read my Facebook messages within the HootSuite platform. However, as it stands today, these are not current features…they are simply placed there “just in case”.
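The review above boils down to a least-privilege check: compare what an application has been granted against what the features you actually use need, and revoke the rest, starting with the most sensitive grants. The script below is an added example (not the author’s or HootSuite’s code) that performs that audit over the seventeen permission categories listed above. The permission names are the human-readable labels from the author’s screenshot, not Facebook API scope identifiers; the sensitivity scores, the feature-to-permission map, and the list of features in use are constructed assumptions for the example.

```python
"""Least-privilege audit of an app's granted permissions (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    name: str          # permission label as shown in the app's settings page
    required: bool     # True if the app refuses to install without it
    sensitivity: int   # reviewer's score: 1 public profile data, 2 private data, 3 act-as-me


# Constructed: the grants from the screenshot, with the required flag as the author
# reported it and a sensitivity score assigned by the reviewer (an assumption).
GRANTED = [
    Grant("Access my basic information", True, 1),
    Grant("My profile information", True, 1),
    Grant("My family & relationships", True, 2),
    Grant("Access information people share with me", True, 2),
    Grant("Send me email", True, 1),
    Grant("Access my contact information", False, 2),
    Grant("Manage my pages", False, 2),
    Grant("Post to Facebook on my behalf", False, 3),
    Grant("Access messages in my inbox", False, 3),
    Grant("Access posts in my news feed", False, 2),
    Grant("Access my data any time", False, 3),
    Grant("Manage my events", False, 3),
    Grant("Access and manage my custom friends lists", False, 2),
    Grant("Access my friend requests", False, 2),
    Grant("Manage my notifications", False, 2),
    Grant("Insights", False, 1),
    Grant("Check-ins", False, 3),
]

# Constructed: which grants each feature genuinely needs today (an assumption).
FEATURES_NEEDED = {
    "post to my pages": {"Manage my pages", "Post to Facebook on my behalf"},
    "scheduled posting while logged out": {"Access my data any time"},
    "page statistics": {"Insights"},
}


def audit(granted, features_in_use, feature_map):
    """Return (removable, forced).

    removable: optional grants no feature in use needs, most sensitive first.
    forced:    required grants no feature in use needs; you cannot opt out of
               these, so they are the cost of using the app at all.
    """
    unknown = [f for f in features_in_use if f not in feature_map]
    if unknown:
        raise ValueError(f"no permission mapping for feature(s): {unknown}")
    needed = set()
    for feature in features_in_use:
        needed |= feature_map[feature]
    removable = [g for g in granted if not g.required and g.name not in needed]
    forced = [g for g in granted if g.required and g.name not in needed]
    # Deterministic order: highest sensitivity first, then by name.
    removable.sort(key=lambda g: (-g.sensitivity, g.name))
    return removable, forced


def report(granted, features_in_use, feature_map):
    """Human-readable audit result, one line per finding."""
    removable, forced = audit(granted, features_in_use, feature_map)
    lines = [f"Features in use: {', '.join(features_in_use)}"]
    lines += [f"REVOKE  (sensitivity {g.sensitivity}): {g.name}" for g in removable]
    lines += [f"FORCED  (sensitivity {g.sensitivity}): {g.name}" for g in forced]
    return "\n".join(lines)


if __name__ == "__main__":
    # The author's situation: HootSuite is used only to post to pages.
    print(report(GRANTED, ["post to my pages"], FEATURES_NEEDED))
```

Re-run the audit whenever the set of features you rely on changes; a grant that is "forced" today is worth weighing against whether the application is needed at all, since no settings toggle removes it.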

I’ve made multiple references here to what HootSuite has to say on this topic, and here is their response:

Hello,
HootSuite requests access to that information because many HootSuite users would like HootSuite to have much of the same functionality they already have on Facebook. This includes:

  • Monitoring News Feeds
  • Publishing messages
  • Uploading photos
  • Accessing Facebook Insights
  • Displaying information about your profile

Without requesting these permissions, HootSuite would not have the same level of functionality our users expect from us.

We assure you that HootSuite is not obtaining any information from your Facebook account without your consent. In addition, HootSuite values the privacy of our users, and will not publish anything without your approval.

And I again want to reiterate that HootSuite really is a great time-saving program. What I did want to point out, however, is that oftentimes the access that applications have within Facebook goes beyond what we initially thought they would do. While most applications give us the ability to remove access to areas we don’t want visited by unknown persons or entities, we don’t often take the time to remove these items and will often just take it for granted that the application is only doing what it is supposed to. While it’s nice that HootSuite is taking a proactive approach, some of these items aren’t necessary right now. If it comes to pass that I do need them in the future, great, I’ll re-authorize and update the application, but until then, I think it’s truly unnecessary.

The moral of the story here is not to pick on HootSuite but rather to point out that you likely use plenty of Facebook applications yourself, and if you do, you may want to take a long look at what those applications are allowed to do. Not taking action is exactly what unscrupulous applications are hoping for, so that they can garner whatever kind of information they want from you.

Take the time today to visit your Facebook applications and double-check what authorizations they do in fact have. Better to be safe than sorry.
