• Tech
  • apps

Think Twice Before Using This Wildly Popular Facebook App

5 minute read

It’s an old adage, sure. But on the Internet, it may as well be a scientific law: You don’t get something for nothing.

I re-learned this most recently when I tried to see what my most used words on Facebook were. Billed as a “quiz” by a South Korean startup named Vonvon, this viral sensation spread across the social web like digital wildfire last week. But when I connected my account to “Most Used Words,” I did what I always do with Facebook apps: denied it access to anything beyond my public profile information. And as a result, the word cloud it returned was blank.

Social media services like Most Used Words have long used personal user information to generate unique, interesting, and sharable posts. But in the case of Vonvon’s content, users have complained that the company stepped over the line by asking for far more data than the quiz seems to need. Specifically, Vonvon requested access to the following user data:

  • Name, profile picture, age, sex, birthday, and other public info
  • Entire friend lists
  • All timeline posts
  • All photos and photos the user is tagged in
  • Education history
  • Both hometown and current city
  • Likes
  • IP Address
  • Since Monday, other users began taking notice of the fistfuls of data that Most Used Words seemed to be grabbing at. Then media outlets began reporting on it, with The Huffington Post calling the quiz “a breach of your personal data,” and WIRED dubbing it “a privacy nightmare.” And suddenly, Most Used Words’ meteoric viral climb slowed to a crawl. In its first five days, the quiz attracted 17.5 million users. In the past two, fewer than 300,000 have tried it.

    I was among the people jarred by the apparent privacy overreach. But after some digging, I’m no longer sure Vonvon has done anything wrong, yet.

    According to Vonvon President David Hahn, Most Used Words requested all of this user info because the company runs a wide range of quizzes, and it hoped people would return to the website daily to take more of them. By asking for permission for all of that user data up front, Vonvon wouldn’t have to repeatedly pester users for it again.

    On top of that, Hahn contends, the company cannot store any user data itself. When a Facebook user interacts with Vonvon’s content, their information continues to reside in the social network’s servers, and Vonvon cannot copy the data. In fact, says Hahn, the only bit of data that Vonvon receives from connecting a user to its services is the user’s Facebook ID number, anonymized digits that let returning users access their results on the company’s various quizzes and viral content such as “Are You A Psychopath?” “Who has a crush on you?” and “Which Pixar Superstar Captures You Perfectly?”

    In double-checking Hahn’s claims with Jeremy Gillula, staff technologist for the privacy group Electronic Frontier Foundation, it appears that Vonvon is indeed playing it safe with user data. Most Used Words, and the company’s other quizzes, seem to be run within the web browser in JavaScript, which means the data is parsed right there on the user’s computer, not far away in the cloud.

    This Is What Your Facebook Profile Looked Like Over the Last 11 Years

    The Original Facebook Group Page, 2004.
    The Original Facebook Group Page, 2004. Before people realized how awesome pictures are.Courtesy of Facebook
    Facebook Profile Page, 2005.
    Facebook Profile Page, 2005. Back when Facebook looked a little bit like MySpace. Courtesy of Facebook
    Facebook Profile Page Facelift, 2005.
    Facebook Profile Page Facelift, 2005. The "the" is finally dropped.Courtesy of Facebook
    Facebook Profile Page, 2006.
    Facebook Profile Page, 2006. You no longer need to be reminded "this is you" at the top of your profile page.Courtesy of Facebook
    Facebook Profile Page, 2007.
    Facebook Profile Page, 2007. Every profile update still had to begin with "is," forcing you to talk about yourself in the third person. Courtesy of Facebook
    Facebook Profile Page, 2008.
    Facebook Profile Page, 2008. The wall. Courtesy of Facebook
    Facebook Profile Page, 2009.
    Facebook Profile Page, 2009. It only took five years for Facebook to create easy-to-find privacy settings. Courtesy of Facebook
    Facebook Profile Page, 2010.
    Facebook Profile Page, 2010. Facebook starts to get pretty. Courtesy of Facebook
    Facebook Profile Page, 2011.
    Facebook Profile Page, 2011. Zuckerberg realizes that people love pictures, usually of animals.Courtesy of Facebook
    Facebook Profile Page, 2012.
    Facebook Profile Page, 2012. The timeline allows you (or your parents) to trace your life from birth to death.Courtesy of Facebook
    Facebook Profile Page, 2013-2014.
    Facebook Profile Page, 2013-2014. Facebook introduced a new app, Paper, on Monday.Courtesy of Facebook
    Facebook Profile Page, 2014-2015. Facebook updated both the newsfeed algorithm and the privacy settings.
    Facebook Profile Page, 2014-2015. Facebook updated both the newsfeed algorithm and the privacy settings.Courtesy of Alex Fitzpatrick/Facebook

    “They are doing it in the most privacy protective way they could, given the limitations of Facebook’s API,” says Gillula. “At the same time, people may not realize that they don’t have to do it that way, and it’s entirely possible that they could have done it another way — a less conscientious developer could have done it differently.”

    And that is the problem with my snap judgement. Good apps and nefarious ones can look too similar to the naked or uninformed eye. Even Gillula isn’t completely certain that Vonvon’s content isn’t siphoning data out, somehow. “Without looking at every single line of the code, you can’t be 100% sure,” he says. “There’s certainly no easy way for users to be sure.”

    And as a startup trying to establish trust with a growing audience, Vonvon wants the public to see the company in a positive light. To date, Vonvon’s various pieces of viral content have resulted in more than 200 million user interactions across 15 languages since the company launched in March. It has $2.6 million in funding, and has attracted sponsored content partners including Samsung, Australia Tourism, and online gaming platforms. The company has said that it does not collect or sell user data, and that it only generates revenue through these sponsored partnerships and through ads placed within its viral content.

    “We are dedicated to create fun, engaging, and innovative contents while respecting our users’ privacy, and we hope our users will trust us in our efforts to creating a fun and safe platform for everyone to use.” says Hahn.

    In a move towards better establishing that trust, as of Monday night, Vonvon has changed Most Used Words to now only request access to users’ public information, friends list, and timeline data. The app still works if you deny it access to your friend list — and you should — but that’s a step in the right direction.

    More Must-Reads from TIME

    Contact us at letters@time.com