Facebook wants its third-party app login to be your passport to the internet. And to do that, it's taking some much needed steps to protect its users.
As of today, Facebook has two methods of logging in to third-party apps: anonymously, or by connecting your Facebook account. And as part of Facebook's new developer initiative, Facebook-connected apps that that ask for permissions beyond public profile information (which includes name, profile picture, gender and age range), friends list, and email will now be carefully reviewed by employees at the social network before they are allowed to connect to Facebook.
The new push is looking to get Facebook users more comfortable with the way applications are using their data and improve the quality of applications, according to Facebook platform product manager Eddie O'Neil. The basic permissions are going to be good enough for most applications, but for any application looking for deeper information about their users — which apps are increasingly seeking — are going to have to pass an eye test from Facebook.
"Reviews start when developers want to ask for additional information.. information I've shared with my friends, those general pieces of data, all those fine-grained permissions. That's when we want to go through them," O'Neil tells BuzzFeed.
"The public profile, friends and email are basic signals, if you will, about my identity on Facebook," he continues, suggesting that Facebook wants to create a system where, if users are asked for extra information from an app, they know they'll benefit from coughing up the data. "It kind of addresses this concern that people have about, 'I don't understand why the app is asking for this?' This is a theme that we've heard from people — that they feel like apps ask for too many permissions."
App developers will now have to select the permissions they need, and explain exactly why they are using them in the app so reviewers can check them. Developers also have to give Facebook either an ID for an app currently on Facebook or upload a version of the app for Facebook reviewers to test. This is a process O'Neil calls "free testing," which is essentially poking the edge cases of an app — such as logging in when people haven't used the app in a while or have changed passwords — to ensure that logins work correctly.
The whole review process should take about seven business days, O'Neil says. To ensure that the development process still happens quickly, O'Neil says Facebook is encouraging developers to work on the engineering bits of an application while Facebook is also reviewing the app. Facebook won't review updates to an app unless it's asking for new permissions.
"We really want this to be lightweight, and we want developers to have a good experience going through this process," he says. "Sometimes that might slow things down, but I don't expect developers will run into problems where their schedules will be significantly."
Existing apps will have one year to update their applications to be part of Facebook's new standards for Facebook Login — called "the blue button" internally — while new apps will have to go through the process right out of the gate. The goal is to ensure that Facebook users both trust the mechanics of Facebook login and are given a high-quality experience when they share more personal data. That gives a benefit for both the app and for Facebook, which is able to do a lot more with its services and advertising as its users share more data about themselves.
"It's not great when they have login experiences that are just broken or buggy, that's different than sharing their info," he said. "At the end of the day when the investment is ensuring that people have high-quality, bug-free apps, we think that trade is kind of worth it. The better experiences people have in apps, the happier people are in apps, and the happier developers are."
While Facebook is marketing the changes as in the best interest of developers and users, it also seems like a conscious effort to get users more comfortable with sharing during a time when privacy concerns and security breaches abound.
The anonymous login method has a good number of use cases. For example, an app can store settings for an application across devices — such as storing settings for Flipboard that can be shared across a smartphone and a tablet — or for ensuring that a user only takes a survey once. It also places Facebook somewhat in the same breath as recently popular apps like Whisper and Secret, where users are free to share with anonymity. The extending implications are obvious: as Kashmir Hill at Forbes points out, it could even serve as a "gateway drug" to sharing more data.
"The key is people feeling comfortable here with the experiences they have with login, when they click the blue button," O'Neil says. "Putting people in control and having them have comfortable experiences like that, that's where we want to be. There's a lot of apps that have comfortable experiences today, and we want to ensure that's more consistent across the app ecosystem, and they know what's gonna happen when they click on the blue button."
Matthew Lynley is a business reporter for BuzzFeed News in San Francisco. Lynley reports on Silicon Valley and the tech industry.
Contact Matthew Lynley at firstname.lastname@example.org.
Got a confidential tip? Submit it here.