Facebook announced some intended changes to its data use policy to "enhance transparency", according to a Friday post on its Facebook and Privacy page. The updates include better explanations, examples, and "tips" denoted in the text with a lightbulb, as well as some revelations about how third parties deal with users' data.

In the revised data use policy, Facebook makes explicit that any time one of your Facebook friends starts using an app, game, or partner website (that is, a site where you can log in using Facebook credentials), Facebook hands that service all of the "publicly available" information on that user. Information that is always publicly available only includes basic stuff like your name or cover photo, but users can have their entire profile publicly available, and thus handed to a service.

However, Facebook also clarifies that "if you’ve removed an application and want them to delete the information you’ve already shared with them, you should contact the application and ask them to delete it." This implies that, even if you change Facebook's privacy settings after beginning to use a third-party service, or no longer use the service at all, the service may keep your data on hand unless directly asked to delete it. That is, Facebook won't be your middle man in data cleanup; however, Facebook does note in the policy that apps are contractually obligated to delete data if asked.

Not only does this data dance apply to direct users, it seems to apply to users' friends as well. Applications are also able to access the publicly available information of friends of users, and can ask their users to share non-public information from their friends. Facebook provides this example:

Your friend might also want to share the music you “like” on Facebook. If you have made that information public, then the application can access it just like anyone else. But if you’ve shared your likes with just your friends, the application could ask your friend for permission to share them.

There are no special provisions for the storage of this information, either, that separate this, policy-wise, from direct sharing. To our reading, this means unless you contact the app directly for removal, it could hold onto that data forever. Facebook does point out that users can blanket-command Facebook not to share their information on a friends-of-friends basis by turning off all Platform (third-party) applications. But this means you don't get to use any applications of your own choosing, either.

When Facebook was dinged by the FTC and privacy groups in 2009 and 2010 for sharing more information than its privacy policy said it would, the company said it would make changes so information-sharing with third parties would be "opt-in." The framework described above is, at its base, compliant with opt-in, but saying "I want to play FarmVille, so that app is allowed to have my data" and "I want to play FarmVille, so all the third-party apps my friends use are allowed to have, and retain, my public data, unless I explicitly ask for its removal" are virtually the same thing. It's a subtle relationship, but important for users to grasp.

Facebook also addresses the issue of data retention once users have deleted their account or other information—something we've noticed the site has had trouble with in the past, particularly when it comes to photos. Facebook says that while deleted accounts should be gone within 90 days, any content that is external to your account, like posts to a Facebook group or private messages to another person, will be retained in the service.

Further reading

Enhancing Transparency In Our Data Use Policy (Facebook)

Over 3 years later, "deleted" Facebook photos are still online (Ars Technica)

Facebook settles with FTC, under privacy watch for 20 years (Ars Technica)