It’s Time For Facebook – Or, At Least, Someone – To Vet Third-Party Applications

It’s no mystery to anyone who’s been on Facebook for more than a week that one of its biggest boons — and, in the finest Zen tradition, one of its most nagging banes — is the plethora of third-party applications that leverage its data.

Virtually all the value in Facebook is crowdsourced — that is, users generate all the content, they create all the connections, they drive interest in whatever direction it may flow, they create scores of memes every hour.

Since Facebook’s primary business model is driven by collecting data about usage, this means that opening its use to the creators of new social media tools makes tremendous sense.

Why bother taking Microsoft’s old-school tack — create a standard, then ride it into the grave — when, instead, you can provide the users, and let others give them reasons to stick with you? Why bother even taking Google’s approach — create lots and lots of things, in the hope one of them proves popular — when someone else can assume all the risk, presenting you with the opportunity to buy or duplicate his success with your framework?

How many people, do you suppose, would have stopped using Facebook after a few days, had it not been for Mafia Wars, Farmville or Bejeweled? That’s my point.

But every day, there’s also a new crop of the outright obnoxious third-party applications that promise to do the exact opposite: Drive users out for fear of their privacy and security.

Take, for example, the recent spate of “see who’s stalking your profile” applications. As The Register notes, all of them are at best cash-for-clicks scams; at worst, open invitations to load malware onto the computers of tens of thousands of unsophisticated users.

I’d like to expand upon a central tenet of a blog post offered by Rik Ferguson of Trend Micro, from which The Register drew its article: That it’s high time Facebook employed some sort of vetting process for third-party applications.

The Typical Facebook User

I consider myself a typical Facebook user, at least in terms of demographic: At 42 years old, about a third of my 220 or so friends are former high school and college classmates; another quarter are clients, former co-workers and work-related acquaintances; current friends and family members, friends of friends, casual friends and people I don’t quite know how I know round out the rest.

I’m different in that I only use a few applications, mostly related to integrating my social media sources (Twitter, MySpace, LinkedIn, etc.) and the client for the Motorola Droid (although, in all honesty, the Android client for Facebook is nearly useless; I generally resort to the Droid’s Web browser, and [vs.]).

I once used more, but the difficulty of sorting wheat from chaff in the news feed, coupled with the fact that I don’t want my name and face plastered all over Facebook to promote people and things I probably don’t actually even know about, let alone care to promote, means it’s rare that I use anything other than the core functionality of Facebook.

The biggest difference between most of my friends and myself is that I understand how Web-based software, viruses and malware work. And I can read the Facebook API documentation and understand, from that, what is in the realm of possibilities for third-party applications.

(That my friends might not know much about these things is not a slight against them at all. I have but a passing understanding of how a car works. That does not, and should not, stop me from driving.)

Several of my Facebook friends are the type who retransmit fake Amber Alerts and warnings against adding friends who are hackers / viruses. (The act of adding a friend on Facebook cannot give you a virus or expose your Facebook account to a hacker; however, if you click links in a friend’s profile, that could compromise your PC or Facebook account.)

Most of my Facebook friends are Web dilettantes (which I truly do not mean to sound as pejorative as it does), susceptible to believing whatever they are told about the Internet. And almost all are, to large degree, very concerned about privacy — even though, as the book “Trust Agents” notes, there is no longer such a thing as “privacy” — at least, not in the sense of being able to maintain personal secrets.

It doesn’t take much to exploit these kinds of users. Basically, you employ the same tried-and-true techniques politicians have used for centuries to exploit people. As H.L. Mencken put it:

… the whole aim … is to keep the populace alarmed (and hence clamorous to be led to safety) by menacing it with an endless series of hobgoblins, most of them imaginary.

Given the concern people have, reasonable or not, about Internet privacy; given their limited knowledge about how computers and the Internet work; and given the natural tendency, when in doubt, to err toward safety and security, the way the average Facebook user acts on Facebook tends to be reasonable and appropriate.

A further complicating factor is the way trust works. If one of my friends, whom I respect and trust, does something dumb by installing a rogue app, in the absence of evidence proving what he did was dumb, I don’t tend to assume what he did was dumb. Most people tend to assume that their friends are not doing dangerous or stupid things. (Witness any case of murder, when inevitably, someone claims, “he wouldn’t hurt a fly.”)

This is especially true if many friends are doing the same thing. If 10 of my friends install an application, and it appears to do something I find neat or useful, my first inclination is not to vet the application; it’s to join the party.

In other words, as I’ve said before, you don’t blame chickens for being eaten. You also don’t blame foxes (i.e., Facebook malware developers) for eating chickens. Both are doing what they are supposed to do. Instead, you blame the watchdog (i.e., Facebook) that was supposed to be keeping them apart.

A Henhouse With A Foxhole Built In

Herein lies the problem with the Facebook Platform, as Facebook calls its API and related tools, and the conundrum Facebook faces in what to do about rogue applications.

On the one hand, it suits Facebook to leave the API open to all potential application developers and to allow applications to publish without vetting.

Again, the object is to make their data as useful and valuable to as many people as possible. By allowing open development, Facebook increases its utility to users. That, in turn, keeps it at the fore as a communication channel and a tool for researching human behavior. And that is worth a pile of money in and of itself.

That’s before considering the significant human resources costs involved in vetting software, even if it’s from the most basic of standpoints (say, verifying an application is not malware-based and does not misrepresent its purpose / what it can do).

On the other hand, Facebook’s current policies — a collection of half-measures and reliance on end users to exercise caution and discretion — clearly are not working.

As it stands now, anyone can obtain an API key and make anything he likes. An application won’t be listed in the public directory of Facebook apps until it has at least 20 users, but that’s no great feat to overcome, especially when there’s nothing stopping someone from erecting 20 sockpuppet accounts (or just lining up 20 meatpuppets).

To Facebook’s credit, it tends to bring down the banhammer hard and swiftly against crooked applications. Unfortunately, as Ferguson notes, that action requires some degree of victimization to take place first, and this is the Internet — where memes are born and die in the blink of an eye.

I also note that Facebook has a user rating system for applications that are publicly listed. Unfortunately, it’s not nearly loud enough, and most users simply ignore it in the process of installing an application.

The bigger problem, of course, is that Facebook can’t assume its user base can protect itself from malware. In fairness, Facebook has never declared that to be their actual opinion; it’s just what happens as a practical matter under current policies.

But also as a practical matter, most Facebook users lack the sophistication to spot a potentially harmful application. Of those who might be able to spot garbage, a significant majority can be snookered, by programming sleight of hand, into allowing a rogue application to do damage. And then, of course, we all have absent-minded moments in which we don’t read the instructions, click “agree” without actually reading terms, etc.

In other words, Facebook can’t leave sorting good applications from bad up to us, because we’re not capable of doing it. We’re chickens, not watchdogs.

A Peer-Review Posse

Now, the last thing I am suggesting here is Apple iTunes App Store-style vetting.

I admit it; I find Apple’s policy of qualifying everything in the App Store quite Orwellian, and not just because of what Apple did in response to Google Voice on the iPhone. (Which, it is worth mentioning, is the primary reason for my defection from the iPhone to the Droid.)

But even if I didn’t mind that approach, I don’t think it serves either Facebook or its users to have a whitelist approach to third-party applications. Again, Facebook is best served by being the channel through which people communicate; and allowing others to determine how to conduct such communication is of benefit to users and Facebook alike.

Nonetheless, the free-for-all has to stop, lest Facebook become notorious for the garbage it allows and thus be overtaken by some alternative service.

The Register raises the notion that Facebook could allow continued open development, but offer a seal or other imprimatur for applications to assure end users that an application is what it claims to be and / or free from malware or deceptive practices.

That would be fine, save that there are hundreds of thousands of Facebook apps already deployed, and (one would have to assume) hundreds more added every day. Facebook would have to hire a QA team the size of Redmond to go through all of them — and, if we know anything, it’s that even Redmond can’t assure what is examined by tens of thousands of eyeballs isn’t a bug-infested nightmare.

I think it makes the most sense for application vetting to be optional, but for Facebook to limit the access an unvetted application has to the API.

For example, an unvetted application wouldn’t have access to a user’s friend list. Or maybe it wouldn’t be able to publish to his news stream or photos. Or perhaps it would be limited to 100 or so users, or could only publish 300 items per day.

Or, Facebook could require a more intensive installation process, one that specifically notes the application has not been vetted and requires a multiple-step, affirmative response from the end user in order to install it (e.g., you have to click a couple check boxes, enter some text, etc. in order to install the application).
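As an added illustration of the tiered-access idea above (example code, not Facebook’s own rules and not from the original post), here is a small policy gate in Python that folds several of the proposed restrictions into one assumed policy: an unvetted application cannot read the friend list, is capped at 100 users, and may publish at most 300 items per day, while a vetted one gets the full API. The scope names, the `App` record and the day-string quota bucket are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Assumed policy for the example (not Facebook's actual rules): an unvetted
# application loses the friend-list scope and is held to the post's example
# quotas, while a vetted application gets the full API surface.
UNVETTED_DENIED_SCOPES = {"friends.read"}
UNVETTED_MAX_USERS = 100
UNVETTED_MAX_PUBLISHES_PER_DAY = 300


@dataclass
class App:
    app_id: str
    vetted: bool
    users: Set[str] = field(default_factory=set)             # distinct installing users
    publishes: Dict[str, int] = field(default_factory=dict)  # day -> publish count


def authorize(app: App, user_id: str, scope: str, day: str) -> Tuple[bool, str]:
    """Decide one API call made by `app` on behalf of `user_id`.

    `scope` is a hypothetical dotted scope name such as "profile.read" or
    "stream.publish"; `day` is a date string used as the quota bucket.
    Returns (allowed, reason) and records usage only when the call is allowed.
    """
    if app.vetted:
        app.users.add(user_id)
        return True, "vetted application: full API access"
    if scope in UNVETTED_DENIED_SCOPES:
        return False, f"unvetted application may not use {scope}"
    if user_id not in app.users and len(app.users) >= UNVETTED_MAX_USERS:
        return False, "unvetted application has reached its user cap"
    if scope.endswith(".publish"):
        used = app.publishes.get(day, 0)
        if used >= UNVETTED_MAX_PUBLISHES_PER_DAY:
            return False, "unvetted application has exhausted today's publish quota"
        app.publishes[day] = used + 1
    app.users.add(user_id)
    return True, "allowed under unvetted-tier policy"


if __name__ == "__main__":
    demo = App("demo-app", vetted=False)  # constructed sample application
    print(authorize(demo, "alice", "profile.read", "2010-03-01"))
    print(authorize(demo, "alice", "friends.read", "2010-03-01"))
```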

Facebook could even have a couple vetting options. One might be to certify a developer, and thus, all his applications would be approved. Another might be to run “code camps,” and certify anyone who attended as a Facebook approved application developer. Such camps could either be free, or require payment of a registration fee.

Another option would be to allow developers to bank on each other’s trust. In other words, Facebook could certify me as a developer of clean applications. I could, in turn, certify the applications of other developers.

Or perhaps, the developer community could police itself even more intensely.

Facebook might, for example, provide basic support for a coalition of application developers. Those developers, in turn, would create standards and practices by which applications are vetted. For a small developer fee, an application would be certified by the coalition; that fee would be used to pay the coalition members for their time.

Here’s an even more radical approach: Facebook could create its own advertising distribution network, along the lines of the OpenX Market; one that allows both system-wide advertisers and specific-to-application advertisers to target applications they’d like to sponsor.

Facebook, in turn, could require all ad-supported third-party applications to use that ad network only. If you develop malware or act deceptively, you don’t get paid. A small portion of all proceeds from ad-supported apps is retained by Facebook to handle distribution costs and to fund the vetting process. It wouldn’t be all that difficult for Facebook to build page scrapers that determine if some rogue application is trying to get around the ad network restrictions.

These are just some quick ideas off the top of my head.

I’m sure Facebook, and its developer community, are very concerned about rogue apps and their potential to erode confidence in the safety and security of Facebook. Certainly, there’s enough brain power there to find a way to vet applications without impairing either the willingness of third-party developers to participate, or take away either party’s ability to make third-party applications profitable.

All links in this post on


  1. “How many people, do you suppose, would have stopped using Facebook after a few days, had it not been for Mafia Wars, Farmville or Bejeweled?”

    This plants the seed for new phenomena to appear, those not yet on the horizon; all of us who tire of the garbage applications and their constant bombardment will soon vacate to the new, and the cycle repeats. Look to the graveyard of or… hideous places, littered with so many ghosts: those who no longer visit, or those who once did often but presently have migrated elsewhere or dropped out of sight for the aforementioned quoted reasons.
    Understandably, yet self-destructively, the powers that be let the users speak. If the vast majority will allow garbage in, then the rest will migrate, drop out, or (the most ambitious among us) will create an alternative.
    The alternative is the present yet to be and also the past yet to be.
    I am afraid it cannot be escaped. Human intellect and interest drives advertising. And that’s what pays the bandwidth.

  2. @Robert: I’m inclined to agree. I’m a huge proponent of open source, and an adherent of Chris Anderson’s new-economy theories (“Free”, “The Long Tail”).

    The paradox is manifest. A service needs mass appeal in order to turn a profit, but largely by capitalizing on only a small segment of those to whom you appeal (read: free as in “free beer”); and unless your product is capable of being manipulated by end-users to produce a desired result (read: free as in “free speech”), it won’t, as a rule, survive long. (As witnessed by the worthy demises you cite. Or by the way that Twitter has become more of a conduit for a few to speak to many, rather than many to speak to many; and chinks are appearing in its armor, too.)

    That the Internet rewards the two kinds of freedom so handsomely pleases me to no end. That it does so in ways more mysterious than God only makes me wish I were omnipotent. But if a 17-year-old Russian kid doesn’t need lucre from overnight cash cow Chatroulette, I suppose I can muddle along here just fine, too.

    On a personal note, why don’t you plan to kennel the kids next March and terrorize Austin, TX with me during SXSW?
