Facebook Updates Developer Data-Retention Policies, Tries to Stop User Abuse

Until a month ago, developers on Facebook’s platform were not allowed to retain user data for more than 24 hours (even though many did, anyway). Then Facebook said at its f8 developer conference in late April that it would let them store user data indefinitely — provided they continued to follow its policies around data retention.

Yesterday, along with a wider range of privacy changes, like the ability for users to block Platform completely, Facebook updated its developer data policies. From a brief mention in a blog post yesterday:

We added a few clarifications in our simplified data policies to help address some confusion around your rights and responsibilities with respect to user data. For example, our removal of the 24-hour caching policy eliminated a technical burden but does not change the rights you have to data, which continue to be subject to explicit user consent.

We’ve confirmed the specific new wording with Facebook — see below. The gist is that Facebook is concerned that developers are abusing user data; indeed, we have heard reports that some developers and advertisers have been scraping user data via applications and ads, breaking Facebook’s policies to create their own databases of users.

It’s not clear how big of a security issue this is; we think it could be a bigger problem than many other security issues that critics have cited. But the changes to the policies are indicative of the abuse.

III. Storing and Using Data You Receive From Us

1. You must give users control over their data by posting a privacy policy that explains what data you collect, and how you will use, store, and/or transfer their data.

2. You may cache data you receive from the Facebook API in order to improve your application’s user experience, but you should try to keep the data up to date. This permission does not give you any rights to such data (including the right to transfer) absent explicit consent from the users who own the data.

3. Users give you their basic account information when they connect with your application. For all other data, you must obtain explicit consent from the user who provided the data to us before using it for any purpose other than displaying it back to the user on your application. A user’s friends’ data can only be used in the context of the user’s experience on your application.

4. If you stop using Platform or we disable your application, you must delete all data you have received from the Facebook API unless: (a) it is basic account information; or (b) you have received explicit consent from the user to retain their data.

5. You cannot use a user’s friend list outside of your application, even if a user consents to such use. You can use connections between users who have both connected to your application, subject to your privacy policy.

6. You will delete all data you receive from us concerning a user if the user asks you to do so, and will provide an easily accessible mechanism for users to make such a request. We may require you to delete data you receive from the Facebook API if you violate our terms.

Going by the highlights, you can guess what the different methods of potential abuse have been. Per 2, some developers have apparently been using and transferring user data without gaining consent; per 3, they have been repurposing user data in ways for which they lack user permission; per 4, they have not been deleting all the data they should have (though, with Facebook launching the bulk app deleter yesterday, this clause may have been added to coincide with that feature's launch).

[Update: Facebook product director Bret Taylor tells us in the comments that the policy changes were not in response to specific abuses. Rather, they were intended to generally clarify how data can be used, following the announcement at f8. Whatever rationale Facebook has for the changes, however, our understanding is that 1) there has been abuse involving developers improperly using and transferring Facebook user data, and 2) Facebook has been taking measures to stop the abuse.]

The problem, for Facebook, is the terms only really matter to the more legitimate developers on the platform. If someone is willing to accept the risk of being taken to court by Facebook, there’s no other mechanism stopping them from abuse. Some countries do not effectively enforce laws against data theft and other security crimes, so it’s possible that the worst abusers are running free, with chunks of Facebook’s social graph at their disposal. We’ll be covering this issue as more evidence emerges about what’s really happening.


3 Responses to “Facebook Updates Developer Data-Retention Policies, Tries to Stop User Abuse”

  1. Bret Taylor says:

    This was not in response to specific abuse. This was intended to clarify the existing policies because these details were not clear to developers when we initially rolled out the new policies. The clarifications represent what was always the intention of the new policies.

  2. Alex says:

    Dream on (as you dreamed with the 24-hour retention). Something that’s got out will flow free no matter what language you choose.

    You are funny, people, really.

  3. Richard says:

    I think it’s great news. I’ve put off finishing at least one app because of the 24-hour limit – it would have cost too much to re-calc so many things daily.
