Employees playing Facebook quizzes could put their employers at risk

Paul Bischoff explains that companies should educate their employees on the importance of Facebook privacy and other data-gathering apps that can potentially compromise both personal and company security.

Paul Bischoff, technology reporter and staff writer, Comparitech
Paul Bischoff, technology reporter and staff writer, Comparitech

A Facebook quiz app that creates word clouds from users' status updates recently went viral. Facebook users could play the quiz in exchange for, well, almost all their personally-identifying information available on Facebook. Shortly after, another article went viral on tech review site Comparitech, warning users of the overzealous request for permissions and some ambiguous language that would indicate the quiz maker, a South Korean company called Vonvon, could potentially sell data to third parties.

Fortunately, a bit of investigating by the Electronic Frontier Foundation showed that Vonvon was not abusing user data. But the fact remains that millions of people accepted the terms and played the quiz, oblivious of what personal data was being collected and the potential consequences.

Businesses at risk

The risks of blindly accepting terms and conditions don't just apply to individual users, but can extend to the businesses they work for. Let's say an employee has access to his or her employer's public Facebook page. An app can request that employee's email as well as a lot of other personal information. In the wrong hands, a hacker can use such data to build a profile of that employee, learning who he or she communicates with and what his or her interests are.

Hackers can then send said employee a tailored phishing email, possibly posing as a friend or acquaintance from Facebook, to steal his or her password. If the employee falls for it, hackers now have an email and password to access the company's Facebook page, not to mention the employee's private chats and other info where he or she may have disclosed more private information.

To take this hypothetical illustration a step further, since many will ask what's the worst that could happen, let's presume this employee is lazy. He or she uses the same password for all his or her online accounts, including web tools that the employer uses to pay staff, make purchases, or store confidential information. Hackers could gain access to all of those accounts, too.

Sounds like a long shot, right? But hackers today are not just single nerds with laptops typing out code in dark rooms. They often work in sophisticated collectives as part of a large black market ecosystem. With access to enough data, they are fully capable of finding the irresponsible needles in the big data haystack.

Securing the company Facebook page

Facebook apps aren't just limited to silly quizzes and Farmville knockoffs, either. Businesses can leverage a wide variety of Facebook-connected apps to boost marketing, engage customers, and add functionality to their websites and Facebook pages. These must also be carefully vetted. They include apps for social media management, adding ecommerce features to a Facebook page, and holding contests. Unscrupulous app makers can potentially turn around and sell user data collected from these apps to third parties. Those third parties are not required to abide by the same privacy policies as the original company.

To be clear, Facebook doesn't approve of this. Its platform policy clearly states, “Don't sell, licence, or purchase any data obtained from us or our services.” But Facebook can't police every update to every app connected to its platform, and punishment likely won't extend beyond an after-the-fact banishment.

All Facebook pages for businesses are public by default, and there's no option for just friends or friends of friends. Though Facebook allows businesses to limit audiences by age and country, whatever is posted is essentially free for the world to view.

What to look for in a Facebook app

That leaves it up to users to stay vigilant, understand the permissions, and read privacy policies and/or terms of use. Privacy policies usually have two key sections worth examining closely: a list of the information the app collects and who it shares that data with. Terms of use tend to be more difficult to read than privacy policies for those without legal degrees.

As an example, I'm going to connect Hootsuite to Facebook to help manage social media for a blog I'm working on.

After I click “Sign in with Facebook,” I'm redirected to a Facebook page asking me to authenticate. This is where most people fail at being careful. It's enticing just to click the big blue “Okay” button. But before doing that, I'll click on the less obvious “Review the info you provide” link.

Here you can see Hootsuite only requires a single permission: custom friend lists (different than an entire friend list). I don't have any custom friend lists, so that's fine with me. At the bottom of this window are two links for Hootsuite's privacy policy and terms of use. Hootsuite's privacy policy looks fairly airtight, collecting the minimum amount of info necessary and assuring it will only disclose my information to law enforcement if I abuse the service. Hootsuite is also a well-known, reputable company, so any misuse of my data could seriously damage its reputation.

Best practices

Be wary of apps that ask for more than what they need. The more a user discloses, the more vulnerable they become. If you're a business owner, encourage employees to not only be careful when authenticating new apps, but removing old, unused ones. Many Facebook users would probably be surprised to see how many apps they've authenticated in the past and forgotten about. Once an app is authenticated, there's no expiration date. It remains connected to a Facebook account until the user says otherwise.

These old apps are especially risky if the company that originally made them merged, was acquired, or went out of business and sold off data to recoup losses. Most privacy policies specifically state that in such cases, data is passed on to the subsequent company and the old privacy policy is nullified. That means the new company has free reign to do what it wants with users' data.

To get rid of Facebook apps, click the “More” link in the left sidebar next to “Apps" on the desktop browser version. Then hit the button that says “Settings.” Here users can remove and edit permissions for all the apps connected to an account. While we're at it, scroll down a bit to edit the “apps others use”, where you can limit the info third party apps used by friends can see on your profile.

Finally, follow best practices for creating strong passwords. Perhaps most importantly, request that employees don't use the same passwords for their personal accounts as their work-related accounts.

The virality of the Comparitech article regarding Vonvon's “most used words” quiz proves that the problem with online privacy is not that people are apathetic, but that they are simply unaware. Business leaders can help their staff better understand the risks and raise awareness about the necessary precautions to protect both themselves and those for whom they work.

Contributed by Paul Bischoff, technology reporter and staff writer, Comparitech

Sign up to our newsletters