users were able to identify the more distinct and well-defined
read permissions, it appears users might actually understand
write permissions better if they were split up.
On April 30, 2014, Facebook announced an update to their
Facebook Login system to be rolled out over the following
months that allows users to reject individual permissions or
log in anonymously [23]. While this is a big step forward, it
appears there is still only one publishing permission and it
is presented with the same vague message that our survey
respondents had trouble understanding. However, it does
provide even more specific details about read permissions.
8. ACKNOWLEDGMENTS
Thanks to Arvind Narayanan for starting us on this re-
search path. Thanks to Steven Englehardt, Dillon Reisman,
Pete Zimmerman, and Christian Eubank for setting us up
with the CITP’s web crawling infrastructure. Steven originally
discovered the permissions in the hidden HTML input
elements. Thanks to Markus Huber for providing us with
the AppInspect dataset [18].
9. REFERENCES
[1] Personal correspondence with Facebook Security representative (Neal), April 2014.
[2] Report of Data Protection Audit of Facebook Ireland, December 2011.
[3] Facebook Developer Reference—Facebook Login. https://developers.facebook.com/docs/facebook-login/, 2014.
[4] Facebook Developer Reference—Getting Started with Custom Stories. https://developers.facebook.com/docs/opengraph/getting-started/, 2014.
[5] Facebook Developer Reference—Graph API Reference. https://developers.facebook.com/docs/graph-api/reference/, 2014.
[6] Facebook Developer Reference—Permissions. https://developers.facebook.com/docs/reference/fql/permissions/, 2014.
[7] Facebook Developer Reference—Permissions with Facebook Login. https://developers.facebook.com/docs/facebook-login/permissions, 2014.
[8] Facebook Developer Reference—Platform Policy. https://developers.facebook.com/policy/, 2014.
[9] Facebook Developer Reference—Privacy for Apps & Websites. https://www.facebook.com/help/403786193017893, 2014.
[10] J. Bonneau and S. Preibusch. The Privacy Jungle: On the Market for Privacy in Social Networks. In WEIS ’09: Proceedings of the 8th Workshop on the Economics of Information Security, June 2009.
[11] A. Chaabane, Y. Ding, R. Dey, M. A. Kaafar, and K. W. Ross. A Closer Look at Third-Party OSN Applications: Are They Leaking Your Personal Information? In Passive and Active Measurement Conference (2014), Los Angeles, March 2014. Springer.
[12] L. Chen. Streamlining publish stream and publish actions permissions. Facebook Blog, April 2012.
[13] P. H. Chia, Y. Yamamoto, and N. Asokan. Is This App Safe?: A Large Scale Study on Application Permissions and Risk Signals. In WWW ’12 Proceedings of the 21st International Conference on the World Wide Web. ACM, April 2012.
[14] S. Egelman. My profile is my password, verify me!: The privacy/convenience tradeoff of Facebook Connect. In CHI ’13 Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2013.
[15] S. Englehardt, C. Eubank, P. Zimmerman, D. Reisman, and A. Narayanan. Web Privacy Measurement: Scientific principles, engineering platform, and new results. 2014.
[16] M. Frank, B. Dong, A. P. Felt, and D. Song. Mining Permission Request Patterns from Android and Facebook Applications. In The 12th IEEE International Conference on Data Mining. IEEE, 2012.
[17] J. K. Goodman, C. E. Cryder, and A. Cheema. Data Collection in a Flat World: The Strengths and Weaknesses of Mechanical Turk Samples. Behavioral Decision Making, 26(3):213–224, 2013.
[18] M. Huber, M. Mulazzani, S. Schrittwieser, and E. Weippl. AppInspect: Large-scale Evaluation of Social Networking Apps. In COSN ’13 Proceedings of the First ACM Conference on Online Social Networks. ACM, 2013.
[19] D. Morin. Announcing Facebook Connect. Facebook Blog, May 2008.
[20] H. Nissenbaum. Privacy as contextual integrity. Washington Law Review, 79, 2004.
[21] M. S. Rahman, T.-K. Huang, H. V. Madhyastha, and M. Faloutsos. FRAppE: Detecting Malicious Facebook Applications. In CoNEXT ’12 Proceedings of the 8th International Conference on Emerging Networking Experiments and Technologies. ACM, 2012.
[22] P. Sovis, F. Kohlar, and J. Schwenk. Security Analysis of OpenID. In Securing Electronic Business Processes - Highlights of the Information Security Solutions Europe 2010 Conference, 2010.
[23] J. Spehar. The New Facebook Login and Graph API 2.0. Facebook Blog, April 2014.
[24] S.-T. Sun and K. Beznosov. The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems. In Proceedings of ACM Conference on Computer and Communications Security ’12. LERSSE, October 2012.
[25] S.-T. Sun, Y. Boshmaf, K. Hawkey, and K. Beznosov. A Billion Keys, but Few Locks: The Crisis of Web Single Sign-On. In NSPW ’10: Proceedings of the 2010 New Security Paradigms Workshop. ACM, 2010.
[26] S.-T. Sun, E. Pospisil, I. Muslukhov, N. Dindar, K. Hawkey, and K. Beznosov. Investigating User’s Perspective of Web Single Sign-On: Conceptual Gaps, Alternative Design and Acceptance Model. ACM Transactions on Internet Technology, 2013.
[27] A. Wyler. Providing people greater clarity and control. Facebook Blog, December 2012.
APPENDIX
A. FULL MESSAGE DECODING TABLES