As a Windows Phone user, I absolutely love the People Hub, especially the Facebook integration. However, due to the way that either Microsoft or Facebook have chosen to implement the Facebook integration into the phone, it can become a broken experience depending on choices that your friends have made. The answer to this problem actually lies in a much deeper and what I believe to be murkier feature of Facebook around how 3rd party app permissions work. To explain the whole situation, I'm going to bring out an old friend who I've used in a previous article about Facebook's privacy settings: Johnny Technophobe to help demonstrate what exactly is happening to cause this problem. This article will explain exactly how the Facebook 3rd party apps system accesses your data and then explain how Windows Phone works in relation to this and the problems that stem from that.
The Background Story
On Episode 46 of the excellent Windows Phone Dev Podcast (seriously, if you love Windows Phone, you need to be listening to this weekly podcast), Travis & Ryan told the story of an experience that their friend Daniel Baker had been having with a Windows Phone that Ryan & Travis had given Daniel Baker to test. The problem stemmed to the fact that even when Daniel Baker had correctly linked his Facebook account to the People Hub of the Windows Phone to take advantage of the built in Facebook integration, there was content missing in What's New feed that was showing up on the Facebook website and the Official Facebook app on Windows Phone. Baker did some further research to figure out why this was the case and found evidence that the Facebook integration that Microsoft includes in the People Hub on Windows Phones is treated as a 3rd party app and therefore did not have permission to display some content that was visible on the Facebook website and Official Facebook apps (which are treated as 1st party apps and do not have the same restrictions).
I have known about this problem and what exactly causes it since I first got the Windows Phone 7.5 Beta back in May this year, but unfortunately I forgot about it and so when I heard it mentioned on the latest episode of WP Dev Podcast, I thought I should explain how I found it and why it occurs as well as explore some of the finer details more carefully. In the initial release of Windows Phone, you could use the Pictures Hub to view all of the photos on your phone, on Skydrive & on Facebook from one view. In Windows Phone 7.5, Microsoft expanded this type of functionality to your contacts. So from either the Contact Card of one of your Contacts OR from the Pictures Hub, you can view the Skydrive & Facebook albums of your friends. Unfortunately, this only worked for some of my contacts and not others. The same was happening for Facebook Wall posts for some of these friends too. I could view their photos properly on the Facebook website and on the Official Facebook app on the phone, but not using the integrated experience built into Windows Phone 7. I actually dug around and discovered that this problem is caused by a set of hidden settings that are buried within your Facebook Privacy settings. The people's whose photos & Wall posts were all technically savvy people, so this explained it nicely, they had changed the default privacy settings to a more secure setting and this was breaking the integration. The settings that they changed though I found quite disturbing. To explain them to you, I need to explain a little about how Facebook interacts with 3rd party developers.
How Facebook's 3rd Party App Permission Settings Work
When developers create an app, such as Mafia Wars, Farmville or those Birthday Card apps you see popping up on Facebook constantly, they need to ask your permissions before they can access your profile information. This makes sense and it helps stop rogue apps from collecting information that they shouldn't be. The settings regarding apps that YOU use and their access to YOUR information are pretty clear cut. What is more murkier are the settings that affect apps that YOUR FRIENDS USE but YOU DON'T & their access to YOUR data! Confused? Yes, Facebook apps that you may never have seen before, by default, have access to some of your data simply because your friend uses them. Take the diagrams below (these were mocked up in Paint in about 30 minutes, so sorry for the quality).
In the following diagram your profile is represented by the large circle on the right, two of your Facebook friends are represented by the two triangles on the left and 3 Facebook apps are represented as rectangles in the middle. The coloured lines and arrows represent different type of connections that the apps have between you and your friends. The Green lines represent the approval or your friends have given to certain apps. In this example, you have specifically approved and added the Windows Phone app & the Farmville apps to your profile because you use both of those apps. My friend Sheeds uses the Farmville app too* (we harvest crops together :P ) and my friend Johnny Technophobe uses the annoying Birthday Cards app. The red arrows represent approved data that is transferred between each person's profile and the app and the direction the data can flow. This is all the data that the app needs to function and data can flow between 2 people via an app as long as they both have the app installed. For an arrow to be red (approved) it must also be accompanied by a green line to show that the app has asked for explicit permission to access the data for use in the app. This all works exactly as it is supposed to. My problem is that it isn't as simple as that. This is where the yellow arrows come in.
As crazy as it sounds, Facebook has a feature where if YOUR FRIEND installs an app, then it can get access to a certain amount of YOUR data, without explicitly asking you for permission, even if you have never used the app before. To be fair, it is a subset of the data it could get if you did explicitly allow the app and add it to your own profile, but it is data regardless. In this example let's say that Johnny Technophobe is using the Birthday Cards app and he wants to send out birthday cards to friends that have birthdays. Well, that app can retrieve my birthday, even if I don't have the app installed and it can then use that to send me a birthday card, which the app developer will hope I will open and then subsequently allow the app into my account to view it and then hopefully become a regular user of that app. It might not seem like a big deal, because the app can't retrieve any information that your friend can't access (aka the privacy settings that apply to your friend still kick in), but I still find it creepy. We know Facebook has had many data leaks occur in the past that have been because of the third party app system, so giving third party apps that I've never added or approved before access to my profile just seems wrong. The good thing is, you can actually change these settings (but changing them does have consequences as you'll see).
To find the settings that control the behaviours described you just follow these 3 steps:
1. Click on the arrow at the very top right of the blue bar at the top of Facebook page & choose Privacy Settings
2. Click on the Edit Settings link under the Apps & Websites section.
3. Click the Edit Settings button next to the "How people bring your info to apps they use" section.
You'll then be presented with this screen:
Here are all the different pieces of information that can be shared automatically to other Facebook apps that your friends use. If you were to uncheck all of these and click Save Changes, the following diagram describes the change that would occur.
By disabling all the check boxes on that screen, you essentially cut all of the yellow lines in the diagram (which is what the thick brown lines represent, cuts in non explicit data transmission). One thing to note: these check boxes are for global settings, they apply to ALL third party apps that you do not have installed. Unfortunately, you cannot get to a more granular version of these settings that allow you to turn this on and off for individual apps, because you'd have to know every single app that every single one of your friends uses and Facebook isn't going to give you this information (for a good reason). This is where the problem lies for the Windows Phone Facebook integration.
How The Windows Phone Facebook Integration Works & Why It's Easily Broken?
The Windows Phone Facebook integration works exactly the same way that third party apps on Facebook work. It doesn't have the same permissions that Facebook's iOS, Android & Windows Phone APPS have, because those apps use internal APIs to access information, while the Windows Phone Facebook integration of Wall Posts & Pictures into the People & Pictures Hubs use the same APIs that Farmville, birthday card apps & every single other app on Facebook uses (I am currently unclear on how contact, job, education & other info shown on the Profile Tab is collected & displayed, because it isn't controlled by these settings & display properly regardless of how the settings above are configured). When you first connect your Windows Phone up to your account, it asks for permission to approve an app so that it can access your data on Facebook. The app is called Windows Phone and it is used to access most of the information in your Facebook account. Essentially the problem is, the Windows Phone Facebook integration relies on those yellow lines to get the News Feed & Pictures from your friends who DON'T own Windows Phones into the relevant Hubs on the phone and when the privacy settings are configured to cut the yellow lines off, then it stops displaying that information. Therefore, if one of your privacy conscious friends who doesn't own a Windows Phone decides to disable the My Photos or My Status Updates check boxes, then those items will NOT be accessible in the relevant sections of the Windows Phone Picture & People Hubs. Thanks to some testing with my friend Sheeds, I've been able to conclude that people who have Windows Phones connected to Facebook will have the required apps on their account and these settings won't affect them because they're using the red lines for data transmission and not the yellow lines. So this problem will only occur for people who don't have Windows Phones and have configured their Facebook privacy settings to disable these check boxes.
To give an example of what happens for a Windows Phone user when a friend without a Windows Phone disables these settings on their account, I made an account called Johnny Technophobe and added him on Facebook (I've used Johnny in the past for an article about Facebook privacy). Johhny Techophobe doesn't own a Windows Phone and therefore doesn't have the Windows Phone app on his Facebook page I then went into Johnny's Facebook Account and cleared ALL the boxes in the "How people bring your info to apps they use" dialog and clicked Save Changes.
I picked up my Windows Phone which is connected to my own personal Facebook account then followed the following steps:
1. I opened the Facebook app on the phone, went to the Friends section, scrolled down to Johnny Technophobe and viewed his wall & albums. Everything was fine:
2. I opened the People Hub, scrolled down the Johnny Technophobe and viewed his contact card. Everything appears to be working normally so far.
3. I then swiped over to the What's New Feed and this is what I saw:
4. I then swiped over again to the Pictures and clicked on the Johnny Technophobe's Albums tile. This is what I was presented with:
5. I then went BACK into Facebook and re-enabled the check boxes for My Photos & My Status Updates and repeated the above steps. This time I could see the content.
The Dilemma & The Solution
So, the problem here is, if you increase your privacy settings to prevent questionable apps that your friends choose to use from accessing your data then you'll cut off access to trustworthy companies such as Microsoft who also use the that data to power things like the Facebook integration in the Windows Phone OS. If you own a Windows Phone & change these settings to make your profile more secure, you won't notice anything on your phone and your friends with Windows Phones shouldn't notice anything on their phones either, because the data is being sent via a trusted/approved link that you and your friends have with the Windows Phone app, which gets added to your profile when you sign in on your phone. The problem will occur for privacy concerned friends who DON'T have Windows Phones and who have secured their profiles, because their data that would have traditionally being sent via the yellow lines will be blocked by their settings they configured. Unless you specifically tell them, they won't even realise that they're cutting off access to their Facebook information on your phone. So the dilemma is, what is more important, securing your profile or making sure your friends with Windows Phones can have a seamless experience browsing your profile? Imagine having that awkward conversation with your friend: "Umm, could you please allow certain parts of your profile to be shared with apps that you haven't added to your profile so I can have an easier experience to access your profile on my phone?", you'd seem like a creepy stalker.
The ONLY way that Microsoft & Facebook can fix is, is to let Microsoft access first party APIs, so they can avoid all these privacy settings. Basically, Facebook needs to treat the Facebook Integration in Windows Phone as if it were an official Facebook client and NOT as a third party application. I can only imagine all the legal problems that are preventing this, but this is the ONLY way I can see this problem being fixed. It's a real problem for Microsoft when their excellent Facebook integration doesn't work properly if a user who doesn't use a Windows Phone is smart enough to know where to lock down their privacy settings. In my eyes, Microsoft is currently using a technique to access data that spammy apps use, it's not something that a company such as Microsoft (who own a stake in Facebook) should have to use, they should be given special privileges in this case. I guess the only issue is that if Microsoft was given special permission, then Apple, Google, RIM & probably the people who are building WebOS would also want the same permission for integration Facebook into their OSes, so it becomes an issue of where do you stop?
Conclusion
So that's the problem. It's actually quite a weird and complex problem to describe, BUT hopefully it makes sense now and it is now clear to see where the Windows Phone OS sits in all this. Microsoft & Facebook need to get this sorted out, because the Windows Phone Facebook integration is a BIG selling point & this is a significant blow to that experience. I personally would also like Facebook to change the default settings so that apps can't access your data just because your friend uses an app because I think that's just wrong, but this would be a disaster if the way Facebook integration on Windows Phone works isn't changed. Hopefully this will get sorted out within the next year and all will be well again. Now I guess all we need is for Microsoft to fix this issue & integrate the Messages functionality into the OS, as well as integrate Groups and Lists & there goes the need for a dedicated Facebook app, basically everything else is there!
Finally, if you have any further information you'd like to share with me (or if you have any findings that differ from mine, then please get in contact with me and tell me what you know and what you've found.
* In real life Sheeds & I do not play Farmville together as we have better things to do with our lives :P I'd also like to thank Sheeds for helping me test a few different scenarios that I couldn't test on my own (because I only have 1 phone).
Update: On Episode 47 of the WP Dev Podcast, Ryan & Travis got an email from a listener who had contacted Joe Belfiore about this issue and apparently Microsoft & Facebook are working on it. So that's good news if it's true and hopefully this will be fixed sometime in 2012. The best fix obviously would be one that was just done on the Facebook back end, but it might be the case that the fix won't be delivered until Apollo, because it might require changes to be made to the OS. Hopefully this isn't the case, but it's a possiblity.
