Facebook's Token Leak

Reps. Edward Markey and Joe Barton, co-chairs of the House privacy caucus, sent a letter to Facebook on Wednesday regarding a privacy/security vulnerability discovered by Symantec and reported by the Wall Street Journal.

Facebook's hundreds of thousands of applications have apparently been leaking "access tokens" to third parties. Access tokens are issued when you install a program and are asked whether you will allow it to access your information, post on your website, etc. The tokens stand for the information you have allowed others to access. It seems that Facebook has accidentally been giving third parties its users' tokens for a few years, thereby compromising member profiles, photographs, and chats. A data mining goldmine, if you will, for potential bad actors and spammers.

Facebook has fixed the "programming error" that allowed the access and has adamantly denied that third parties have misused the information. It noted that any application provider must also comply with contractual obligations and terms.

What does this mean? Well, two things.

First, privacy is almost impossible to achieve in a medium designed to make each individual a broadcaster of their own story, sharing personal details, photos, videos, and intimate moments with hundreds of their closest (and not so close) friends.

Second, to the degree that a user depends solely on Facebook to protect his or her privacy, that person shouldn't. Regardless of the token leak, the technological discussion behind it reveals much more -- one's relationship is not only with Facebook but with the hundreds of thousands of applications that interact with the social medium. Not only must you trust Facebook with your life details, you have to be ready to trust its contractual partners with information they may or may not have been meant to have.