Facebook Opens Up YOUR Inbox and the Email You Send to Others for Data Mining


While this was announced last month, nobody really noticed it until this week. Facebook has created new features that allow developers to mine your Facebook inbox for data. In addition to the content of your email, they allow applications to note who the recipients of a mail thread are, and the time and date of the emails.

In a related new “feature”, developers can also access the notifications that you receive, which include notifications of a status update, notifications of when your friends have taken a quiz, etc.

While the access to notifications is in and of itself pretty darned intrusive, it’s allowing access into the very depths of your Facebook email inbox that is particularly problematic and concerning. Private – and I guess we now have to use that term loosely – messages on Facebook tend to be more personal in nature, with an assumption of confidentiality and, well, privacy (Tracy Turkish Brooks notwithstanding).

Facebook users will almost certainly still have to give permission for an application to access their Facebook inbox. However, it’s certainly a small minority of Facebook users who don’t automatically click “allow access” after the most cursory of readings of the request, if they read it at all.

And, as Steve Loyola of Best Web Buys (which allows you to compare prices on books, music, video, electronics, and bicycles) points out, it means that any email you send to someone who has allowed access will also be exposed!


Says Loyola, “It seems that you must also trust all your recipients to not give access to their inbox (where your emails might reside). I think I now need to be more careful with what I send to those people who like those “which character am I?” apps.”
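Loyola's point can be made concrete with a small model, added here as an illustration and not taken from Facebook's code or documentation. The user names, app names, thread ids and the assumption that a thread's participant list includes the author are all constructed; only the `read_mailbox` permission name comes from Facebook's announcement.

```python
from collections import defaultdict

# Constructed sample data. GRANTS maps a user to the apps that user has
# given the read_mailbox extended permission.
GRANTS = {"bob": {"quiz_app"}, "dave": {"ecard_app"}}

# Thread id -> everyone who holds a copy of the thread in their mailbox
# (assumption: the participant list includes the author).
THREADS = {
    "t1": {"alice", "bob"},
    "t2": {"alice", "carol"},
    "t3": {"carol", "dave", "erin"},
}

# (thread id, author) for each message; bodies are irrelevant to the model.
MESSAGES = [("t1", "alice"), ("t1", "bob"), ("t2", "alice"),
            ("t2", "carol"), ("t3", "carol")]


def apps_reading_thread(thread_id):
    """Apps that can read a thread because ANY participant granted access."""
    apps = set()
    for user in THREADS[thread_id]:
        apps |= GRANTS.get(user, set())
    return apps


def exposed_without_consent():
    """Author -> apps that can read that author's messages even though the
    author never granted those apps read_mailbox."""
    exposed = defaultdict(set)
    for thread_id, author in MESSAGES:
        unconsented = apps_reading_thread(thread_id) - GRANTS.get(author, set())
        if unconsented:
            exposed[author] |= unconsented
    return dict(exposed)


if __name__ == "__main__":
    for author, apps in sorted(exposed_without_consent().items()):
        print(f"{author}: readable by {sorted(apps)} without {author}'s consent")
```

In this model alice and carol granted nothing, yet their messages are readable by apps their correspondents installed; consent is tied to the mailbox, not to the author of each message.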

 



Allowing Mailbox API access will let it have access to all of the content of your Facebook inbox, including who the recipients are, and when the email was sent or received, and do away with any shred of privacy you had on Facebook. Like our beacons hadn’t already done that.

 

Explains Sophos senior technology consultant, Graham Cluley, “Obviously we have to hope that Facebook does not enable this functionality by default, and presents a clearly worded warning to its users if they try and add an application which insists on users waiving the rights to a private mailbox to third parties.”

“But my worry is that many of Facebook’s 300 million users will be so keen to see what Sex and the City character they are, or to send a Best Friend Forever ecard to their online buddies, that they’ll glaze over the rights they are signing away when they add an app,” added Cluley.

And worry he should. Here is how Facebook themselves announced and described the new functionality (emphasis ours):

“We’re continuously looking for ways to open core Facebook experiences to developers for innovation. Today we set our focus on two communication channels: notifications and the Facebook Inbox. We’re excited to release two new APIs that will let your applications access your users’ mailboxes and notifications in a structured manner. In addition, you can make your stream applications available as attachments for Facebook messages so that users can more easily share application content with friends.
Mailbox API

Last week we announced an update to the Open Stream API to allow integration of Page streams with applications. Today we are releasing the Mailbox API so you can provide users with even more opportunities to interact with rich Facebook features within your applications. For example, a desktop application geared toward small business owners could enable users to check their company’s Page stream, as well as read messages and receive notifications, all from their desktop.

The Mailbox API allows you to access your users’ messages, once they grant your application the new read_mailbox extended permission. This lets your applications provide an interface for users to view their messages. For example, your application could pop up an alert when the user receives a new message.

To access information about a user’s mailbox, you’ll query any of three new FQL tables:

* mailbox_folder: This table gives you information about a user’s folders; currently all users have three folders: Messages (inbox), Sent (outbox), and Updates.
* thread: This table gives you information about specific threads. For example, you can get information about recipients of a thread, whether a group or event sent the thread, when it was last updated, the subject, whether it is currently unread, and more.
* message: This table allows you to get information about each message in a thread. You can get information about who wrote the message, THE CONTENT OF THE MESSAGE and also information about the attachment to the message, if it exists, in the same format as attachments are returned in the stream.”

Then, almost as an afterthought, Facebook suggests that at some point applications may also be able to send email as you:

“While we currently don’t allow applications to send messages through this API, we’re always thinking about new functionality to offer through Facebook Platform.”

As Cluley says, “The idea of Facebook applications being given free rein to mine users’ inboxes and sent folders sends a shiver down my spine.”

We’re shivering right along with you, Graham.


4 thoughts on “Facebook Opens Up YOUR Inbox and the Email You Send to Others for Data Mining”

  1. true! after stealing your contacts and emailing listing. they steal you apps,you have dev. no kiss or a thank you.

  2. …also, good on you aunty for supporting both our troops and the scouts! both are getting a lot of undeserved flak these days.

  3. i knew there was a reason i didn’t want (and don’t have) a “facebook” account, and facebook has confirmed that judgement.
