Ever since the Cambridge Analytica scandal broke, there has been a steady amount of scaremongering about Facebook quiz apps such as LolSided and Nametests.
Funnily enough, most of this scaremongering has come from “tech savvy” journalists and Twitter personalities who don’t even seem to understand how the Facebook app permission system works.
Let that sink in for a moment.
The people who are so quick to lecture others about the dangers of using Facebook quiz apps haven’t even bothered to spend 5 or 10 minutes reading up on how they work. They are pontificating and speaking down to others about a topic that they haven’t even taken the time to fully understand.
And that kind of annoys me, to be honest.
Facebook apps must ask the user for permission to access certain information. For example, if an app wants to view your timeline posts, then it must ask for the permission to do so. If an app wants to see your email address, it must ask for the permission to do so.
When you attempt to log in to LolSided for the first time, this is what you will see:
This login dialog tells you exactly what information the app wants to access. In the case of LolSided, it is looking for your public profile information and your gender.
If you take a quick look at Facebook’s documentation on app permissions, you will see that LolSided is essentially asking for the following information:
- Your name.
- The image that you selected as your profile picture.
- Your gender.
If you have done any kind of online advertising, then you will know that the information listed above is pretty much useless. There is no location data. There is no age-related information. And there is no information about user interests.
Essentially, there is nothing there that an advertiser will find useful.
If LolSided was in the business of harvesting user information, then the app would need to ask for a lot more information than that.
There is nothing there that can’t already be scraped by a bot.
Facebook apps have to go through a review process before they can even ask their users for certain permissions. That is, an app creator can’t just wake up one morning and decide to ask you for permission to access your timeline posts. Instead, they must first go through a review process.
During this review process, they must provide proof to the Facebook team that the permission is required. This process involves uploading recorded screencasts and providing details about how the information is used.
In the case of LolSided, the user_gender permission would have been approved by the Facebook team. i.e. LolSided would have had to prove to the Facebook team that the app requires access to the user’s gender information.
This really shouldn’t come as a surprise, as LolSided’s quiz results display gender pronouns such as “he”, “she”, “her” and “him”, etc.
Other quiz websites such as Nametests may ask you for the permission to access your friend list. Likewise, Nametests would have also had to prove to Facebook that they are using this information correctly. If you take a cursory glance at their website, you will see that they need this permission to generate quizzes that display friend-related information.
Can it post on my timeline without my permission?
To automatically share stuff to your wall, LolSided would have to ask you for the permission to do so. If you log in to LolSided, you will see that it does not ask for this permission. Thus, it cannot post to your timeline unless you manually click on the share button and post the link yourself.
This is outlined in the FAQ section of the app:
Does your app automatically share results to my Facebook page?
No, we strongly believe that the user should determine what results are shared to their page. We will never automatically share any of our results to your timeline. To share a result, you will have to manually click on the Share button and then post it to your page.
How do these quiz websites make their money?
They make their money the same way that most other websites do: Advertising. Most of these quiz websites display advertisements to their users, which in turn generates revenue.
How do the websites that published scaremongering articles about quiz apps stealing your data and your first born child generate money?
The exact same way. Advertising.
How do Facebook, Twitter, Reddit, Youtube, Snapchat, Instagram and Google make their money? Advertising.
How does this website make its money? Advertising.
To sum it up: Quiz websites do not need to sell your data or engage in nefarious activities. They are already making a profit from page views.
Can they hack my password?
These apps use the official Facebook API and they do not have access to your password.
When you log in to a Facebook app, this is what happens:
- A request is sent to Facebook.
- Facebook validates this request. i.e. It makes sure that your Facebook account and the app are both valid.
- Facebook tells the app that everything went OK.
- The app receives this OK and logs you in.
Note: If an app asks you for your Facebook login details, then make sure that the domain name is facebook.com and nothing else. In some cases, you might be logged into Facebook via the app, but not your phone’s default Internet browser.
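The two checks described above (that the login page really is on facebook.com, and which permissions the app is requesting) can be done mechanically on the login dialog's URL. The following is an added example, not code from LolSided or Facebook; the permission names are Facebook scope strings, while the sample URLs, app id and the `quiz.example` domain are constructed for illustration.

```javascript
// Added example. Scope strings are Facebook permission names; the URLs,
// app id and quiz.example domain below are constructed for illustration.
const SCOPE_MEANING = {
  public_profile: "name and profile picture",
  user_gender: "gender",
  email: "email address",
  user_friends: "friend list",
  user_posts: "timeline posts",
};

// True only for facebook.com itself or a genuine subdomain of it.
function isFacebookHost(hostname) {
  const h = hostname.toLowerCase();
  return h === "facebook.com" || h.endsWith(".facebook.com");
}

// Returns whether the dialog is really served by Facebook and what it asks for.
function inspectLoginDialog(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { trusted: false, reason: "not a valid URL", scopes: [] };
  }
  if (url.protocol !== "https:" || !isFacebookHost(url.hostname)) {
    return { trusted: false, reason: `served by ${url.hostname}, not facebook.com`, scopes: [] };
  }
  // The scope parameter is a comma- or space-separated list of permissions.
  const requested = (url.searchParams.get("scope") || "").split(/[\s,]+/).filter(Boolean);
  const scopes = requested.map((scope) => ({
    scope,
    grants: SCOPE_MEANING[scope] || "not in this table: look it up before granting",
  }));
  return { trusted: true, reason: "served over HTTPS by facebook.com", scopes };
}

const GENUINE = "https://www.facebook.com/dialog/oauth?client_id=0000000000" +
  "&redirect_uri=https%3A%2F%2Fquiz.example%2Fcallback&scope=public_profile%2Cuser_gender";
const LOOKALIKE = "https://facebook.com.quiz.example/dialog/oauth?scope=email";

for (const u of [GENUINE, LOOKALIKE]) {
  const r = inspectLoginDialog(u);
  console.log(r.trusted ? "OK  " : "STOP", r.reason);
  for (const s of r.scopes) console.log("   ", s.scope, "->", s.grants);
}
```

The host comparison is done on the parsed hostname rather than on the raw string, so a URL that merely contains "facebook.com" somewhere in it is not accepted.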
Today’s Facebook API is almost completely different to the API that Cambridge Analytica exploited to harvest user information. The API is far more restrictive and app developers are subject to a lengthy list of platform policies.
If an app developer steps outside of the boundaries of what is acceptable, they run the risk of Facebook removing their app and banning them from the platform.
With the current level of oversight that is involved, the “Risk/Reward Ratio” of running a shady Facebook app just isn’t worth it in most cases.
It is worth pointing out that most articles about the Cambridge Analytica scandal failed to mention that this user data was harvested years ago and that since then, Facebook has tightened up its API significantly.
Instead of explaining the situation clearly and putting people’s fears at ease, they focused on writing scaremongering clickbait headlines about how Facebook apps are supposedly out to steal all of your data.
It also irks me that Facebook quiz apps are being held to a higher standard for some reason or another. Take the following example:
Here, the creator of AutCraft berates people on Facebook for using LolSided. The idea around AutCraft is noble. There is no debating that. However, if you take a look at the registration form on AutCraft, you will notice:
- It asks for far more personal information than LolSided does.
The phrase “don’t throw stones in glass houses” comes to mind.
Show some common sense.
When logging into a Facebook app for the first time, look at the permissions that it is requesting. Is it asking for too much? Does it make sense for the app to ask for this kind of information? If not – don’t grant it access. It is that simple.
The advice above should be heeded whenever you sign up to any app or service that requests your personal information. So maybe you should give it some thought before you release your thoughts on Twitter, post all of your personal opinions to Reddit and grant that mobile Flashlight app access to all of your phonebook contacts.