Facebook API Now Requires Review for user_friends Permission

April 05, 2018

Looking at the Facebook Developer API documentation yesterday, I noticed a subtle change in the permissions that they give to developers without review on the Graph API. Somewhere between March 21 and March 28th 2018 they removed unreviewed access to the user_friends permission. It doesn't take much to put together that this change is probably due to the impact of the Cambridge Analytica saga they are dealing with.

When you go here: https://developers.facebook.com/docs/facebook-login/permissions/#reference-user_friends it currently states:

Basic permissions, (public_profile and email) do not require Review, but all other permissions do.

Because that was different than what I recalled, I used the Wayback Machine to check if they had made a change, and sure enough on March 21, 2018 it read:

Basic permissions, (public_profile, user_friends, and email) do not require Review, but all other permissions do.

The user_friends permission does not mean that you have access to the info about all friends of a user in your application; it is limited to only those users who have also logged in with the same app and mutually granted the user_friends permission to the application. That limitation of mutual app access was added back in 2014 or 2015. It was not there when Facebook first released their API, which is what companies like Cambridge Analytica were able to use to get data on millions of people.

It appears that apps that were registered before this change will keep their user_friends permissions; this is just a change that applies to new apps being created. This is similar to how Facebook handled that change in what friends are available - older apps were apparently allowed to keep accessing all friends (not just mutual app user friends) after they changed the rules.



Foundeo Inc.