Uh oh, Facebook pre-approved third-party sites
Internet
Facebook's constant terms of service changes almost seem designed to test the limits of what they can get away with, much like Microsoft in the 1990s. This is the creepiest part of their proposed privacy policy:
Pre-Approved Third-Party Websites and Applications.
It's as if they took slides from a Security and Privacy 101 lecture and used the headings to construct a sentence.
In order to provide you with useful social experiences off of Facebook, we occasionally need to provide General Information about you to pre-approved third party websites and applications that use Platform at the time you visit them (if you are still logged in to Facebook).
In other words, they know many people will be using Facebook with other browser tabs open, so they'll be exploiting them using a "legitimised" kind of XSS. Oh well, I suppose I could run Facebook in a sandbox or a separate browser that deletes cookies and history each session. Wait, no, that won't work because…
Similarly, when one of your friends visits a pre-approved website or application, it will receive General Information about you so you and your friend can be connected on that website as well (if you also have an account with that website).
I already knew my less security and privacy conscious friends were making a worryingly large slice of my information available when they installed any application, but this means it'll extend to sites as well? Really?!
Fortunately, we have nothing to fear because of all this stuff:
In these cases we require these websites and applications to go through an approval process, and to enter into separate agreements designed to protect your privacy. For example, these agreements include provisions relating to the access and deletion of your General Information, along with your ability to opt-out of the experience being offered. You can also remove any pre-approved website or application you have visited here [add link], or block all pre-approved websites and applications from getting your General Information when you visit them here [add link].
Malicious users who are able to exploit a bug in the implementation of this on a pre-approved third-party server don't sign agreements. They're also banking on the fact most users don't know or care about the technical workings of their Facebook accounts and won't do anything.
In addition, if you log out of Facebook before visiting a pre-approved application or website, it will not be able to access your information.
So you're admitting that as long as they're logged into Facebook in another tab in their browser you'll continue to perform your aforementioned suspect activities, while legitimising it by saying once they log out it'll all be peachy?
You can see a complete list of pre-approved websites on our About Platform page.
Whew, first good piece of news I read, I'll have some URIs to add to my DNS blacklist. Hope they're not sites I frequent otherwise I'm stuffed.
Other sections
Other parts of this new Privacy Policy are dodgy, but not any more than usual. This one about cookies didn't seem right, though perhaps that's just because I've never "interacted" with an advertisement before. TACO might have something to do with that though :P.
We also use [cookies] to confirm that you are logged into Facebook, and to know when you are interacting with […] our advertisements.
The final word(s)
As with many users, I'm really torn when Facebook does crap like this. I already decided last year to stop updating my profile and delete all my applications, but if this goes through I'll delete all my data save for my email address and name (folks from high school still sometimes contact me through it). Surprising though it may seem, I haven't found any way to permanently (though even that's debatable) wipe a Facebook account short of deleting it and starting again.
Sometimes I go to bed feeling great about humanity, most nights I don't.
