Facebook privacy for web developers: a guide

Now that one-twelfth of the planet is on Facebook, you might be thinking there’s possibly something to it. And perhaps you’ve thought there might be an audience out there for your own great social game idea.

The potential rewards are huge. Kristian Segerstrale recently sold Playfish to Electronic Arts for over $200m. Not a bad price for his 11million Daily Active Users (DAU). Yet he’s still dwarfed by Mark Pincus’ Zynga with its 70million DAU playing FarmVille, Texas Holdem Poker and FrontierVille.

Facebook is a massive platform for games and apps, and according to founder Mark Zuckerberg, we’ve really only just scratched the surface of what’s possible. But in social web design it’s all about the user and their friends’ data, which means that inevitably the subject of privacy raises its head. So how do the privacy settings work, and what impact do they have on developers?

Privacy management

Despite all the controversy, Facebook actually has a very good privacy management system. No other social network gives you such control over the privacy of content. This flexibility is necessary because we all have different privacy requirements for different types of information. For instance, I’m happy for my blog posts to be open to the world, while only my friends see my status updates.

For developers, navigating data privacy could be a minefield, but Facebook does most of that for us. When you call the Facebook API, for example, for a list of photo albums from friends, it only returns the albums that your current user has access to. As a developer, it’s the same thing: you can’t get any more data than an individual user can get themselves via the standard web interface.

Your applications can get access to data and to do actions on behalf of a user using ‘extended permissions’. These are the list of permissions that every app asks the user for when they first allow the app to access their data. Once it’s been granted a permission, the application can then continue to act in this way until the user revokes it.

There are several to choose from. The principle should be to only ask for those permissions you really need in order to provide the user the features they’re expecting. You can ask for further permissions later with a separate dialog box. When a user wants to receive a weekly digest email of their scores and games in play, that’s the time to ask for permission to email them.

You can find a full list of the permissions on Facebook. The most important ones are:

  • email: gets you their email address.
  • read_stream: so your app can view any stories posted by their friends to their stream, such as recent status updates or new photos.
  • offline_access: so your app can do stuff for your users on their behalf.
  • friends_birthday: if you want to make a birthday reminder app, it’s essential to find out when friends’ birthdays are!

The Developers section of the Facebook website contains all you need to get started, from libraries, documentation and web testing tools to a vibrant community forum

Your responsibilities

When releasing an application, developers must comply with the legal framework Facebook has put in place. There are three documents explaining what developers must adhere to, found at developers.facebook.com/policy:

The Statement of Rights and Responsibilities

This applies to every user and includes requirements such as only creating one user account and not falsifying any information.

The Principles (the ‘spirit of the law’)

These are summarised as:

  • Be trustworthy, respect privacy
  • Don’t mislead or surprise users
  • Don’t spam – encourage authentic communications
  • Create a great user experience
  • Build social and engaging applications
  • Give users choice and control
  • Help users share expressive and relevant content

Users control their privacy over what they share with friends; as a developer you can only access the same information that your user can

The Policies

These include some useful examples of what you can’t do (the ‘letter of the law’). Areas covered here include:

  • Stream Stories: what you can post to a user and their friends’ wall is restricted
  • Content: you must provide ‘report this’ buttons for UGC and avoid fraudulent or prohibited material
  • Application Integration Points: you’re largely prevented from encouraging users to spam their friends
  • Like Button and Like Box Plugin: Facebook details where the popular ‘Like’ button can and can’t be used
  • Advertisements: Facebook explains what sort of content you can display in advertisements, especially those you serve in your own app

Accepted boundaries

Facebook’s principles and policies are detailed. The service has active automated enforcement mechanisms that track infringements, so watch out! A typical Facebook takedown notice is sent directly to the developer via email and you’re given 24 hours (at best) to rectify the problem.
Unless you’re a big developer with your own Facebook account manager, the only choice you have is to comply and hope it doesn’t destroy your application. Facebook takes a very dim view of developers who try to game their ecosystem and can in some cases shut down an entire developer.

Mark Zuckerberg encourages developers to create great apps on his platform. Here, Steve Folkes and he share a discussion on an app under development at June's Facebook Hackathon event in London

For users, the key is to maintain the ‘be trustworthy’ principle. Avoid misleading users, surprising them with unexpected results or encouraging them to spam their friends. Mostly this is common sense, but many developers test the boundaries of the Facebook system with less than popular practices. Gone, thankfully, are the days in which we had to invite 10 friends before we got the answer to the ‘What Harry Potter character am I?’ quiz.

Industry bodies

For the Facebook developer industry, there are few recognised bodies that can create standards beyond those of Facebook itself. At Facebook Developer Garages there is a useful gathering of industry participants.

Facebook’s own Preferred Developer Consultant programme helps highlight the trustworthy developers, while The Direct Marketing Association is working on an industry code of conduct for social media agencies as a whole.

Within European jurisdiction we’re bound by strong data protection legislation. Follow it! This includes declaring all user data you’re storing to the data registrar. Your users are reassured that you’re taking their privacy seriously. When launching a new app, include a good privacy policy about what data you’re storing on a user and how users can access data you store on them.

Get help

Anyone wanting to develop an app for Facebook should go to a Facebook Developer Garage near them – they’re held frequently. I founded the London garage back in 2007 and it’s been regularly attended by around 100 people every month ever since. You’ll find everyone from hardened Facebook developers to entrepreneurial enthusiasts with a great social game idea.
But if you prefer to go it alone, then the Facebook developers’ resources online are a rich seam of both documentation and tools to try out API calls directly from your web browser.