Facebook Single Sign On and Location API: Initial Thoughts

Facebook and other online services evolve at a breathtaking pace. But these new tools and technologies can make it harder than ever to control our own information. We need to understand how our personal information is collected, used, and shared, and we need real control over that information—especially when it might be shared with many different parties.

Today's Facebook announcements highlight these needs. Facebook released another set of extensions to its platforms, including a "Single Sign On" function to link your Facebook account to other services, a greatly extended Location API allowing third party apps and sites to do more with location information, and a "Facebook Deals" site that allows companies to provide rewards or benefits to Facebook users who check in at their Place.

As usual, Facebook's announcement raised several privacy and security questions. In fact, we noticed that the first two questions asked at today's live event were about privacy. (Hopefully Facebook noticed that too!)

But the ACLU of Northern California has some additional questions that need to be answered:

What information is Facebook collecting about its users via Single Sign On?

Single Sign On can save time by allowing you to just have one login and password. But does it also mean that Facebook is able to track even more of your online activities?

If you log on to, say, Yelp using Facebook's Single Sign On, Yelp will have access to your "everyone" information on Facebook as well as any additional information that it explicitly asks for. But how much information is flowing the other way–from Yelp to Facebook? Does Facebook only learn that you signed on to Yelp using your Facebook account, or does it automatically receive details of all of your activity on Yelp once you've signed on?

In addition, how does the Single Sign On button work? Is it like the Like button, which actually tracks your visits to every page it's on even if you don't click on it? Or does Facebook only receive information if and when you actually use Single Sign On to login to another service?

Can third parties access additional location information, including Here Now data?

As we noted when Facebook launched Places, if you use the Here Now feature, the fact that you are at a given Place is completely public. Does Facebook's expanded Location API expose this information to third party apps and sites? If so, are Facebook users who use Here Now potentially being tracked by third party apps that might record this information rather than let it disappear as it does on Facebook (since, as recent events demonstrated, not all of these third parties are trustworthy)?

How can Facebook users control their information across multiple sites and services?

Both Single Sign On and the Location API make it easier for your activities to show up on multiple sites. But can you still control all of your sensitive location info in one place?

For example, when Facebook launched Places, it touted your ability to delete old check-ins as a privacy protection. But how will that work when check-ins are automatically created in multiple places at once? If you check in on Facebook and later delete that check-in, will Yelp or Loopt delete their copy? And if you check in using foursquare or Gowalla and push that out to Facebook, do you have to go to Facebook to delete your check-in there even if you have already deleted it on the original service?

Facebook and other services will continue to grow, collecting and sharing information in ways that many people might never have envisioned. That's why it is so important to have meaningful defaults and controls established by the services we use and strong and up-to-date legal protections to help prevent this data from ending up being used in ways that we don't intend or want.

As we dig deeper into today's changes and test out the new tools and controls, we will continue to share our thoughts on Single Sign On and the Location API. And we will continue to push for stronger privacy practices and protections with Facebook and with lawmakers. We hope you will join us by telling Facebook to give you real control over your own information and by continuing to Demand Your dotRights!