Yesterday, In an effort to promote "more transparency and [user] control," Facebook introduced its Off-Facebook Activity feature. The feature allows users to view a summary of third party apps and websites that share information with Facebook and allows users to clear such information if they don't want it shared. The user-controlled feature will affect apps and websites that use various Facebook developer tools, SDKs, and APIs.
The clearest impact of Off-Facebook Activity to third party apps and websites includes those who use the Facebook Login API. If an app user chooses to clear their off-Facebook activity or disconnect from future activity, the token used for login will be invalidated. Accordingly, that user will be automatically logged out of the associated app or website. If that user wants to log back in using Facebook, the user will be presented once again with the App Scoped ID which will return the user to continuity.
Facebook is trying to stay ahead of the problem on both the user and developer front by publishing some best practices:
- Prompt people to log back in: Facebook suggests that app owners prompt users to log back in through the Facebook login if they exercise one of the options to clear or stop Off-Facebook Activity.
- Check access token validity: Facebook suggests that apps check-in to make sure tokens remain valid. If a user clears off-Facebook activity while logged into a third-party app, they might remain logged in with an invalid token
- Review revoked permissions: the new feature gives users more control over permissions. Accordingly, the permissions initially given to apps when Facebook Login was started may no longer be applicable. Facebook suggests ensuring the correct permissions are being complied with.
- Provide users with data control: Finally, Facebook suggests that third-party apps and websites take similar steps to Facebook when it comes to giving people control of their data from a sharing and storing standpoint. For developers intending to continue the use of multiple Facebook APIs and SDKs in third party apps, it might make sense to sync practices up with Facebook's current policies.
Facebook has been pressured on many fronts in the past few years to crack down on the sharing of data with third-party apps and websites. Facebook has put together a strong campaign around the Off-Facebook Activity feature, and it's clearly hoping this will satisfy critics. It is somewhat ironic that as part of its campaign, Facebook is encouraging third-party developers to give users more control over their data; but, given Facebook's lack of control over third parties, strong encouragement is probably the best they can do without completely severing ties. We will see how this pans out in both the consumer and developer communities.