Giving permission and sharing too much

Why you should be cautious about giving web and mobile applications too many permissions.

Suppose you pay by credit card at a restaurant; you’re sharing your credit card information with them and you’re probably happy to do so. If the restaurant then asks for your date of birth, home address, and permission to use your card whenever they like, you’d probably hesitate. Yet people do this all the time on the web without thinking twice.

Here I’ll try to show how we can unwittingly give away too much, why this might be bad, and how to spot when things aren’t quite right.

This kind of problem occurs all over the web, but it is most prevalent with social networks and smartphones like iPhone and Android. To be fair, this type of sharing is often quite useful and is sometimes essential. However, many app developers go for the easy option and ask for a standard set of permissions when really they only need very few.

If you don’t like the look of the permissions that a website or application is asking for, ask yourself a few quick questions: Do you really need this app, or can you achieve the same goal without it? Do you know and trust the developers? Would you trust a stranger with this much information or control? Don’t always be so hasty to click the Accept or OK button.

Below are some examples of (IMO) application developers asking for more than they need or deserve…

Twtvite is a website that lets you organise social gatherings and lets invitees RSVP to an event. On the surface this sounds like a fairly innocent and useful service. When you click the button to RSVP to an event the website asks for permission to connect to your Twitter account.

I can’t think of any reason why this service would or should make any changes to my Twitter profile and I think the only person that should be able to follow new people from my account is me.  I’m also not too keen on giving someone else permission to post tweets as me any time they feel like it.

In this case I’ll simply post a message myself saying that I’ll be attending the event (or not, whatever).

Mafia Wars is a popular Facebook game but you’re asked to hand over a lot of privileges before you’re allowed to sink hours into what is basically a bunch of prettified spreadsheets.

What bothers me most here is the last permission; “Access my friends’ information – Online Presence” which effectively means that even if you’ve never played this game but one of your friends has, a company that you’ve had no dealings with and maybe never heard of will know when you’re on-line.  Does that seem right?

Facebook recently updated their application for Android mobile phones (probably iPhones and others too) and I’ve already posted an article here on why I think this update asked for way too much.
I chose not to accept the update and I’ll use the mobile web version instead which does all of the same things rather well.  The only feature I’ll miss is synchronising my contact lists, which personally I can live with.

The Facebook update was followed closely by an update from Skype that also overstepped the boundaries of what I thought were reasonable requests.

Much like the Facebook update I don’t think that anyone other than me should be able to change my personal details or change settings, certainly ones that will drain my battery in a matter of hours if left enabled.  I’d also like to know why Skype (and indeed Facebook) think they need any level of access to any accounts other than their own.


If you’re thinking “but surely we can trust these big companies right?” remember, this is Facebook that has repeatedly compromised your privacy by releasing new tools, opting you in by default and not telling you, or this is Skype that is now owned by Microsoft who have patented eavesdropping technology, or this is a website or application developer that has no previous reputation.

It’s not all doom and gloom.  Some developers actually seem to care about their customers and their privacy.

Two examples below show websites that ask for only the permissions that they need to provide precisely the service that they offer, no more and no less.  They don’t ask to be able to write any information on your behalf and they don’t ask for access to any more information than is necessary.

  • HardlyWork.in is a neat little website that lets you disguise Facebook as a spreadsheet.  If you can’t think why that’d be useful then I assume you don’t work in an office and you don’t need it.
  • Klout.com purports to measure your influence on social media websites by calculating the ratio of responses and actions that result from your posts.

For the record, yes I use both of these services as I have no reason to doubt them and there is very little damage they could do (either maliciously themselves or if they suffered a compromise) with the permissions they have.
As always, I hope this helps 🙂