How Facebook Decides Which Apps Get To Take Your Data

Earlier this year, Facebook implemented a review of apps that use Facebook login. Here are the results.

Earlier this year, Facebook implemented a review system for applications that access a user's Facebook data when they log in, as part of a crackdown on rogue apps that were asking for too much personal information.

And so far, it seems to be working. Outside of the basic permissions every app is given, the average number of extended permissions developers now ask for — such as permission to post to a user's wall or to read what a user has liked — has dropped to two (it used to be five). The team has looked at about 25,000 apps since it implemented the review process, and though that number is still increasing, Product Manager Sean Leow said most applications can be reviewed in about a day.

One benefit of this tighter policing of how much data apps ask for: People become more likely to use them. "You just feel lighter going into the app," Leow said. "Anecdotally we see with many apps the actual install rate, if you're seeing less things you need you're gonna install that app more."

Facebook's developer operations team mixes technical expertise with a more human understanding of how its product is used. New recruits have to get through technical questions about databases — the team is constantly looking for ways to streamline the process with the data it gathers — as well as walk through specific cases of how an application and a user interact.

"We have a couple principles that are, on a high level, what is the spirit of the law and what is the spirit of how people should use things," Leow said. "You run into gray areas or edge cases; those are the ones where we need to sit down as a group and say, 'Hey this doesn't fall into a bucket,' we talk with our team, the people who build it, and then we record it down in an internal wiki so we have reference on how we made a decision. Everything is still evaluated on a case-by-case basis."

Facebook says the changes are in the best interest of developers and users. But they also seem to be part of a conscious effort to get users more comfortable with sharing their information, even as privacy concerns and security breaches abound. Each app gets access to three basic permissions: your Facebook profile, which includes public information like your profile photo; your email address; and the list of which of your friends are using the app you are logging into.

But when a developer asks for more than that, the app has to go through the company's new review process. Examples include access to non-public parts of a person's profile, permission to manage the Facebook Pages a person administers, and extended permissions that act on a user's behalf, such as publishing stories to their News Feed.

Each app is reviewed by a member of Leow's team, rather than just going through an automated system, he said. When an application that uses Facebook Login is submitted, the developer operations team flips through it to ensure that the app follows the best practices Facebook requests of an application. That includes using permissions in the right way, and also making sure the assets and general quality of the app meet Facebook's standards.

Part of that is ensuring it's obvious when and where people are logging into Facebook, and the other part is ensuring users aren't surprised when, for example, an application automatically starts publishing stories on their News Feed. The review can be stringent: a member of the team checks how the application actually uses each permission it requests, not just whether the request looks reasonable. Users can also reject individual permissions an app asks for when they log in, so an app cannot assume it received everything it requested.
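As an added illustration (not code from Facebook or from the article), here is how an app's client side can handle the case the last sentence describes, where a user grants some of the requested permissions and declines others: read the granted set, enable only the features whose scopes were actually granted, and, when a feature later needs something that was declined, re-request just the missing scopes rather than the original list. The FEATURE_SCOPES mapping and the sample response are constructed for the example; the response shape follows the Graph API's /me/permissions edge ({data: [{permission, status}]}), which is assumed here rather than fetched.

```javascript
// Added example: handling partial permission grants after Facebook Login.
// Not Facebook's code or the article's. The response shape mirrors the Graph
// API's /me/permissions edge and is assumed; the sample data is constructed.

// Scopes an app might request, grouped by the feature that needs them.
// Requesting only what each feature needs is the least-privilege posture
// the review process pushes developers toward. (Constructed mapping.)
const FEATURE_SCOPES = {
  signIn: ["public_profile", "email"],
  friendLeaderboard: ["user_friends"],
  shareResults: ["publish_actions"],
};

// Constructed sample: the user granted the basics but declined publishing.
const SAMPLE_PERMISSIONS_RESPONSE = {
  data: [
    { permission: "public_profile", status: "granted" },
    { permission: "email", status: "granted" },
    { permission: "user_friends", status: "granted" },
    { permission: "publish_actions", status: "declined" },
  ],
};

// Reduce a /me/permissions-style response to the set of granted scope names.
// Anything not explicitly "granted" (declined, missing, malformed) is treated
// as not granted.
function grantedScopes(response) {
  const granted = new Set();
  const entries = (response && Array.isArray(response.data)) ? response.data : [];
  for (const entry of entries) {
    if (entry && entry.status === "granted" && typeof entry.permission === "string") {
      granted.add(entry.permission);
    }
  }
  return granted;
}

// Decide which features may run. A feature is enabled only if every scope it
// depends on was granted; the scopes merely requested at login count for nothing.
function enabledFeatures(response, featureScopes = FEATURE_SCOPES) {
  const granted = grantedScopes(response);
  const result = {};
  for (const [feature, scopes] of Object.entries(featureScopes)) {
    const missing = scopes.filter((scope) => !granted.has(scope));
    result[feature] = { enabled: missing.length === 0, missing };
  }
  return result;
}

// Build the scope string for a re-request: only the scopes the feature the
// user just tried to use is missing, never the whole original list.
function scopesToRerequest(response, feature, featureScopes = FEATURE_SCOPES) {
  const status = enabledFeatures(response, featureScopes)[feature];
  if (!status) throw new Error(`unknown feature: ${feature}`);
  return status.missing.join(",");
}

// Stand-alone run on the constructed sample.
const summary = enabledFeatures(SAMPLE_PERMISSIONS_RESPONSE);
console.log(summary);
console.log("scopes to re-request for shareResults:",
  scopesToRerequest(SAMPLE_PERMISSIONS_RESPONSE, "shareResults"));
```

In the constructed sample, signIn and friendLeaderboard come back enabled while shareResults is disabled with publish_actions missing, so the app shows its sharing button only after a second, narrower request. With the Facebook JavaScript SDK that second request is made by calling FB.login again with the missing scope and the auth_type "rerequest" option, because a declined permission is not shown to the user again by default.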

"It's one of the ways we want to make people feel comfortable, when they press login they feel like that's a good experience," he said. "I'm not scared to push this button, they see the dialogue where the app is looking for two pieces of data, that makes sense, it means I'm gonna have that good experience, versus when you go into some apps they may ask you for 50 things, that doesn't feel great."

Sometimes that results in Facebook bouncing the app back to the developer, usually with some commentary about why the app didn't make it through. The login review process began earlier this year after being announced at the company's developer conference, f8.

Initially, the review period was expected to be about seven days, but the actual process only takes about a day to complete. Still, Facebook expects the number of applications asking for permissions to increase over time, especially with a deadline approaching: existing apps that use Facebook Login need to resubmit for review before the company's next developer conference in 2015.

Developers can still serve ads as part of Facebook's Audience Network without Facebook Login if the user has logged into Facebook in the last 30 days. But as more services use Facebook login, they can expand the overall advertising footprint of the Facebook Audience Network. Developers get their share of that advertising revenue, but it also helps drive Facebook's spectacular growth as it matures into a public company worth hundreds of billions of dollars.

It's a long way from the earliest days of Facebook, where developers like Zynga would create games that relied on viral loops of people publishing stories on their News Feed to gather new friends and progress in the game. The developer operations team has specific relationships with larger developers like Zynga, but part of the push for quality applications has forced Facebook to extend those principles to general app developers. Facebook's Audience Network also didn't exist in the early days, when viral games thrived and developers were still toying with new use cases.

There's one good sign of how successful Facebook's developer outreach has been: Competitors are taking note, and imitating. Twitter recently rolled out its own developer platform that enables applications to use Twitter's login system and serve ads through its mobile advertising network, MoPub.

Twitter also added a new way to log in to applications using phone numbers and text messages to authenticate the login process. It's a reminder that while Twitter CEO Dick Costolo has been pushing analysts away from comparing the company to Facebook, it's still not averse to learning the occasional lesson from the king of the social media hill.
