That “most used words” Facebook quiz is a privacy nightmare
Published by on November 22, 2015 in VPN & Privacy

vonvon quiz

UPDATE on November 24 @12:10pm: Vonvon has responded to this article saying it does not sell data to third parties. See the company’s response below. This article has been edited to reflect their statement.

Lately, you’ve probably seen a couple of your Facebook friends post the results of a quiz app that figures out your most-used words in statuses. Or maybe you posted it yourself. It looks something like this:

vonvon fb ss

The “quiz,” created by a company called Vonvon.me, has risen to over 16 million shares in a matter of days. It’s been written about in the Independent, Cosmopolitan, and EliteDaily. Sounds fun, right?

Wrong. That’s over 16 million people who agreed to give up almost every private detail about themselves to a company they likely know nothing about.

The app, like many Facebook quiz apps, is a privacy nightmare. Here’s a list of the info the quiz requests players disclose to Vonvon.me:

  • Name, profile picture, age, sex, birthday, and other public info
  • Entire friend list
  • Everything you’ve ever posted on your timeline
  • All of your photos and photos you’re tagged in
  • Education history
  • Hometown and current city
  • Everything you’ve ever liked
  • IP address
  • Info about the device you’re using including browser and language
Note: In light of this article, Vonvon has reduced the number of permissions required.

Read more: How to remove apps from Facebook for better privacy

The oxymoronic privacy policy

Even if you take the “I have nothing to hide” approach to privacy, the app also collects a fair bit of info about your friends. Vonvon’s privacy policy leaves a lot to be desired. Let’s walk through it to see why you should steer clear of this quiz or any of the dozens more on Vonvon’s site. First off, for those who have already played the quiz, there’s no take backs:

[…] you acknowledge and agree that We may continue to use any non-personally-identifying information in accordance with this Privacy Policy (e.g., for the purpose of analysis, statistics and the like) also after the termination of your membership to this WebSite and\or use of our services, for any reason whatsoever.

Your information could be stored anywhere in the world, including countries without strong privacy laws. A Whois search reveals Vonvon.me was registered in South Korea, but it operates under several languages including English, Vietnamese, Malaysian, and Korean:

Vonvon processes Personal Information on its servers in many countries around the world. Such information may be stored on any of our servers, at any location.

Vonvon is free to sell your data to whomever it pleases for a profit, although they have since confirmed they have no intention of doing this. Vonvon says it will not share personal information with third parties without permission, but just by playing the quiz you’ve technically given it permission because it assumes you’re a responsible person who reads the privacy policy. Of course, most people who play the quiz are not that responsible.

[…] We do not share your Personal Information with third parties unless We have received your permission to do so, or given you notice thereof (such as by telling you about it in this Privacy Policy) […]

Yes, it actually says that. Worst of all, Vonvon skirts responsibility after it has given your data to third parties, who can do whatever the hell they want with it:

[…] this Privacy Policy does not apply to the practices of entities Vonvon does not own or control, or to individuals whom Vonvon does not employ or manage, including any third parties to whom Vonvon may disclose Personal Information […]

Companies who you have never met can now access your entire Facebook profile–friends, photos, statuses and all–and use them in ways you never directly agreed to. By the way, if you edit the permissions before authenticating the app with Facebook, Vonvon won’t allow you to play the quiz. Edit: You can remove all permissions except your public profile and Facebook timeline posts, and still play the quiz. Most people that play probably won’t bother, though.

Abstinence is the best privacy policy

We’ve singled out Vonvon because it recently went viral, but Facebook is full of shady data dealers to masquerade behind viral quiz mills. Facebook is a haven for a large number of such companies and, frankly, hasn’t done enough to educate or warn users about the risks. Social Sweethearts, a similar company based in Germany, creates quiz apps that are so bold as to collect your email address. Hope you like spam, suckers!

So how can you protect yourself? The easiest way is to avoid online quizzes that require Facebook authentication altogether. Go to the apps section of your Facebook profile–where these data miners often reside–and remove anything you don’t 100 percent trust. Many of them can even hijack your Facebook and post on your behalf. Stick to quizzes that just let you share the results without logging in with your Facebook account, such as the ones on Buzzfeed.

If you insist on authenticating a Facebook quiz app, be sure to check the permissions and read the privacy policy or terms of use.

Vonvon’s response:

Hello,

I’m Jonghwa Kim, the CEO of vonvon, inc.

Vonvon is a start-up in Korea, we’ve been around less than a year now but luckily we had good traction all over the world with more than 100M unique visitors from US, UK, France, Brazil, China, Japan, Korea, Thailand, etc. with 15 languages.

Though I understand there could have been misunderstanding, I’m deeply concerned about your false accusation.

1. Do we store your personal information?

We only use your information to generate your results, and we never store it for other purposes. For example, in the case of the Word Cloud, the results image is generated in the user’s Web browser, and the information gathered from the user’s timeline to create personalized results are not even sent to our servers. Also, in the case of our quiz “What do people talk behind my back?” we use user’s school and hometown so that we may pull up close friends rather than pairing random person among your 500 fb friends in the results. We use this information only to process familiarity of friends, and again, the information is never stored in our databases.

2. Why do we request personal information unrelated to the Word Cloud quiz?

As mentioned above, vonvon.me creates a variety of quizzes for entertainment purposes only and leverages various user data to produce the most engaging and customized result. (** WE EMPHASIZE AGAIN WE ONLY USE USER DATA TO PRODUCE CONTENT AND NEVER SAVE THEM**) We have asked our users for a comprehensive list of access privilege so that they can enjoy our vast library of quizzes as smoothly as possible. However, we do realize that some of our users are worried about their privacy protection. To accommodate these concerns proactively,we adjusted our scope of data request to the minimum requirement to produce each separate content as of 9pm KST, Nov. 23.

3. Are we selling your personal information to a third party?

As we do not store any personal information, we have nothing to sell. Period.

4. About the Privacy Policy

It’s seem like you taken words out of context for the sake of your accusation.


[…] you acknowledge and agree that We may continue to use any non-personally-identifying information in accordance with this Privacy Policy (e.g., for the purpose of analysis, statistics and the like) also after the termination of your membership to this WebSite and\or use of our services, for any reason whatsoever.

-> “Non-personally-identifying” information is not the same with “personal” information. Are we the only company in this planet use analytics tools to better understand our users with cumulative behavioral data?


Vonvon processes Personal Information on its servers in many countries around the world. Such information may be stored on any of our servers, at any location.

-> Our service is on the Google App Engine and we are running services in 15 languages including Japanese, French, German. This is also a pretty standard clause in many privacy policies in this age of cloud computing. Don’t you think it’s a little far-fetch idea that we put in this clause to “export” personal information to “counties without strong privacy laws”?


[…] We do not share your Personal Information with third parties unless We have received your permission to do so, or given you notice thereof (such as by telling you about it in this Privacy Policy) […]

-> You conveniently omitted the following section which we stated that we share personal information only in case of compliance with law. There’s no clause states that we share personal information to other businesses


[…] this Privacy Policy does not apply to the practices of entities Vonvon does not own or control, or to individuals whom Vonvon does not employ or manage, including any third parties to whom Vonvon may disclose Personal Information[…]

—> Again, you omitted ‘(as defined below)’ as in ‘including any third parties to whom Vonvon may disclose Personal Information(as defined below)’, which leads to the same section that states we only share personal information when it’s required by law.

In fact, we did have the clause states that we might share personal information to trusted business partner few month ago – we put it in without much thought since most media sites have similar policies.

But it back-fired in Japan few month ago with the similar rumor that we might sell personal information and we decided to delete the clause since we never sold and have no plan to sell personal information what-so-ever.

Your style mislead the readers and putting great damage to our reputation and trust.
I’d appreciate if you take back this misleading accusation.

Best,
Jonghwa

158 thoughts on “That “most used words” Facebook quiz is a privacy nightmare

  • If you have a fb, your stuff is already out there for the world to see and anyone could access it even if you have the best privacy settings. People hack fb all of the time. I don’t care if they get my info. Do you have something to hide? Lol. It is a quiz and nothing more.

  • Uh….

    * Name, profile picture, age, sex, birthday, and other public info
    How can the exposure of “public info” be a privacy violation? “But they revealed all my public data!” That’s a contradiction.

    * Entire friend list
    That would be public info. People exchange that info at the grocer’s: “Hey, did you know Paul and Jerry are friends?”

    * Everything you’ve ever posted on your timeline
    Because I only post things I don’t want other people to see, right? Even if you share only within a narrow circle of Facebook “friends,” you can’t rely on their privacy settings, so you must work under the assumption that everyone can see what you’ve posted. You’d have to be pretty naive not to work that out for yourself.

    * All of your photos and photos you’re tagged in
    This isn’t private information, for the reason stated above.

    * Education history
    This isn’t private information by definition. My employer knows it, the government knows it, my mortgage-holder knows it. I’m pretty sure my university knows it. I wear T-shirts advertising the name of my university out in public. I guess I like to live dangerously.

    * Hometown and current city
    Again, how is this private information? People can look me up in the phone book, on LinkedIn, or in property records, or any number of other search vectors. If you know my name and have access to a search engine, you can find me. Somehow it’s now worse because that’s on Facebook (assuming I filled in the info in the first place)? [See below for a caveat about children on Facebook.]

    * Everything you’ve ever liked
    The consequences of which are…? For one thing, that should be “liked” in quotes, since there are lots of things I like that don’t end up on Facebook–a Facebook “like” is a virtual thing, and they could have picked any number of verb synonyms. Even so, I don’t understand how this is private, or why it matters. Certainly, if you’ve been “liking” lots of photos of naked underage girls, I think it’s okay if people find out about that so we can bundle you off to prison where you belong.

    * IP address
    Your IP address goes EVERYWHERE. That’s how the Internet works. (In order to view this blog, your IP had to go to the server.) It’s not private, any more than your postal address is private. If you’re behind a firewall (and you are in most cases, and sometimes more than one), then the simple IP address isn’t enough to backtrack to your computer. It will go to your modem or router, and is distributed from there. (Pro tip: if you’re on a direct connection to the Internet without a real hardware firewall–don’t be that person. This has nothing to do with Facebook and everything to do with how Wide Area Networks function. They’re inexpensive and you can get them at any large office supply store.)

    * Info about the device you’re using including browser and language
    Again, your browser sends this information on purpose. It helps optimize your experience because the server side can tell whether you’re using Chrome or Firefox and send back the best possible layout, format, and scripting to handle the differences between browsers. This information was NEVER private, was never intended to be private, and isn’t broadly exploitable from a privacy standpoint. Yes, hackers can exploit the information to choose specific scripting techniques to attack your computer, but that information doesn’t have to be uploaded to a server in order to be used. Simply downloading a web page–AT ALL, FROM ANYWHERE–provides the opportunity for this information to be gathered and used without any server-side activity beyond returning the page. The “in-private” browsing modes of modern browsers don’t prevent the info from being garnished from within the page. (How do I know? I just tested it. I’m a web developer with almost two decades of experience.)

    Facebook, Google, Amazon, and myriad others collect information all the time, directly or indirectly. We share this information in order to receive a benefit, one assumes. Perhaps sometimes we do it naively because we don’t understand the technology, I suppose, but ‘o caveat emptor’ applies everywhere, does it not? (Perhaps there should be a license for using the Internet the way there’s a license for driving a car–proof of knowledge and skill before being handed the keys.) The whole idea of sharing information with vendors is to receive better service–to become a “preferred customer.” Facebook isn’t *exactly* a vendor, but presumably people perceive a benefit from using it, even if that benefit is largely intangible. Since nothing is ever free, the price of admission is a certain amount of information, either asked for or inferred, coupled with targeted advertising.

    In a commercial culture, just as in a totalitarian society, information is power. Information about ones likes and dislikes can be a very powerful tool in terms of marketing goods and services, and anyone who hasn’t realized that needs some education. The moment one subscribes to Facebook, the assumption of absolute privacy should be abandoned. The horse is out of the barn, the train has left the station, and the horse was on that train. That being said, your actual private data (income level, bank account and credit-card numbers, tax records, and health data) isn’t on Facebook unless you put it there on purpose for everyone to see. I’m betting you didn’t do that–or all of that. We tell people about our illnesses over casual cups of coffee, again with no assumption that they won’t totter off and tell nine other people the next day. Facebook just makes that unintended network larger.

    I agree that there is a possible vector of attack for pedophiles knowing in what town your children are and what schools they attend. That’s why children shouldn’t be on Facebook until they’re old enough to understand what kind of Bad People exist in the world, and have been educated on what and what not to show on Facebook. Children’s activities on Facebook (and on the Internet in general) should be supervised and managed with care and diligence. Posting photos of yourself on vacation WHILE you’re on vacation is a bad idea, too, since it potentially alerts criminal types that you’re not home–remember, you have to assume that anyone with an Internet connection can see them, and might have access to your home address. Post those awesome photos after you return, right?

    Beyond that, the pictures of you having a picnic at the lake during your university homecoming, your “like” of a local restaurant page, or sharing picture of a friend’s new puppy, aren’t particularly valuable or interesting outside your local context. Having those facts available to a third-party quiz on Facebook isn’t going to bring down civilization.

  • http://time.com/4126945/facebook-most-used-words-vonvon

    Quote:

    “In double-checking with Jeremy Gillula, staff technologist for the privacy group Electronic Frontier Foundation, it appears that Vonvon is indeed playing it safe with user data. Most Used Words, and the company’s other quizzes, seem to be run within the web browser in JavaScript, which means the data is parsed right there on the user’s computer, not far away in the cloud.”

    “They are doing it in the most privacy protective way they could, given the limitations of Facebook’s API,” says Gillula. “At the same time, people may not realize that they don’t have to do it that way, and it’s entirely possible that they could have done it another way — a less conscientious developer could have done it differently.”

    • so if they’re claiming they don’t store your info why would they say this?? I’ve been skeptical of sites that ask for access to certain info.
      and if a friend used nametests or something similar is my info now being observed?

    • so if they’re claiming they don’t store your info why would they say this?? I’ve been skeptical of sites that ask for access to certain info.
      and if a friend used nametests or something similar is my info now being observed?

      this reply was originally posted on the wrong comment

  • Thank you for the article and especially for including the response from the developer. It is nice to get warnings out there about potential security concerns, and I am glad that the company is above the questionable practices.

    • nice comment – reveals emotional and mental immurity. please seek appropriate counseling.

  • The biggest loser in this is Facebook. They spend billions on creating and maintaining a social media site, and use data mining as one of their major revenue streams. Then Von-von wrote one cheap little app, and got free access to a sizable chunk of Facebook’s collected data. I’m kinda surprised that Facebook would grant this kind of access.

  • Vonvon; now the proud owner of the most boring data in the world (mine). They’ll erase it within a month in favour of someone with a life, I’m sure…

  • The “most used words” Facebook quiz collects public profile, friend list, and timeline posts. As a developer I understand why they need this to produce the word cloud.

    • So, they *need* the data to produce the ‘word cloud’. Had you considered that the word cloud was not the primary objective – they want the data and have to offer something so they cobble together a report of useless info to make the ‘quiz’ seem benign.

      As a developer, I’d expect you to be more intelligent.

  • Unless they are using your identity for fraudulent or other illegal purposes why should anyone actually care? GCHQ are monitoring us, WITHOUT ANY PERMISSION! and no one seems to care about that.

  • I wish there was a site that explained all these contracts including Apple, Adobe, Facebook, Twitter, etc. from the consumer’s point of view. Kind of a Snoopes and NOLO legal info all in one.

    • @Tami,
      From which consumer’s point of view? The ignorant, paranoid consumer that hates anyone that knows more about them than they do (which probably isn’t that hard), or the consumer that actually reads a license before they agree to it? Better question: how important is this word-cloud to you? Is it worth the half-hour it takes to read the license? If you’re not willing to read the license, the product probably isn’t that important. Its not worth perjuring oneself by lying about reading a license for a word-cloud.

      Legal verbiage is as general as it can be. If you try to summarize legalese, you are inevitably going to make false or misleading statements, just like the guy who wrote this fear-mongering article to boost his ratings.

      Keep wishing, and maybe it will come true!

  • I would just like to take this time to say that each and every thing on that list is available to anyone on your friends list anyway. Aside from IP address and Which browser you’re using. Those two things are info taken by literally every website in existence. Whether it’s used for statistics info or something else, it’s still taken. Also, that bit about:
    Name, profile picture, age, sex, birthday, and other public info
    Entire friend list
    Everything you’ve ever posted on your timeline
    All of your photos and photos you’re tagged in
    Education history
    Hometown and current city
    Everything you’ve ever liked

    If you have your setting set to public, which most people do, then anyone in the world can access this information. Seriously.

  • Interesting article Paul. Can you elaborate on the potential consequences of all your points. I’m in the camp of head in sand because if I think about it, I’ll have to worry about it, then I’ll have to do something about it. And putting tinfoil round my head and spending precious time in app settings isn’t as fun as doing quizzes about what type of cat I’m most suited to.

  • I emailed vonvon and asked how to delete my data. This is the reply I got. Whether it actually deleted my data or not, I have no idea.

    David Hahn, Nov 22, 13:21

    Hi

    While our content is provided for fun and entertainment purposes only, we take our users’ privacy matters very seriously. Before you can disconnect from our service, we ask you to login one last time.

    To permanently delete any personal information from our servers,

    Visit the website http://en.vonvon.me
    Click on “Log-in” on the upper right corner of the page.
    Click on “Remove” on the very bottom of the page.
    Confirm your decision.

    Please be advised that this deletes all personal information we have on our servers, and is irreversible. After you have removed yourself, we won’t be able to restore your information.

    Vonvon Customer Care

  • ok I was one of non responsible ones. I went to facebook in settings but didn’t see it Von.von listed there. Am I looking in the right place. Thanks for setting us straight!!!!

    • There’s two lists of connected apps in Facebook. When you click on “see more” in the left sidebar, that’s one list. Then there’s another button that says “settings”, which is the full list of everything you’ve authenticated. It should be there. Not sure why Facebook does that.

  • While I think this is a well written article, I don’t understand why someone having my Facebook info is a problem. Mostly what I post is re-posted inspirational stuff and pictures of my dog. Please enlighten me. Thanks!

    • Advertisers mine data. They use social psychology. psychology, and analytics to figure out how to best get your money, and to maximize the amount of money they get. For example, analytics may show that a red “buy” button generates 38% higher revenue than a blue one, or if it is 10% to the left of center, you are 16% more likely to buy something than navigate away. (Those numbers are random but you get the idea).
      Check out this link, or google: https://en.wikipedia.org/wiki/Analytics

  • Just wanted to say that I took the quiz and edited the permissions so that it could only look at my posts because that was the only thing relevant to the quiz and I thought it was weird that they wanted all the extra information. Anyway, it allowed me to do it. This was 3 or 4 days ago. So, I don’t know if you actually tried it, but you definitely can edit the permissions. Though, I do think it’s still a risk and wish I hadn’t done it at all.

  • I went in and unchecked all boxes but the one basic “required” one…. and the quiz didn’t work. I immediately became suspicious. Why would they need all my information just to play a quiz? Devious practices. I can’t imagine how many people are so quick to give up all their personal information. Sad that we’re that starved for entertainment these days…..

  • privacy…… that’s funny…… read the TOS of ANY online service offered for ‘free’

    we haven’t had privacy since the WWW was formed.

    so, i would suggest that those who actually want privacy simply ‘dis-connect’ from the digital world entirely.

    there is no real ‘private’ anymore, and once something is sent to the internet, it’s there as long as there’s someone looking for it.

    things get lost in the shuffle, but they’re still there.

    • It’s too late to get the data back that you’ve already given up, but you can still remove it from your approved app list in Facebook settings.

  • You only have to let them see your public profile info – which is hopefully locked down quite tightly for most (?) people – and your statuses/posts, which I wouldn’t be worried about anyone seeing anyway. You can remove the rest and it still works fine. Problem is, a lot of people don’t even bother checking what info is shared in the first place!

    • Actually you can’t. When I limited the information they could access, my response was a blank screen. If you don’t give them what you want, they don’t give you what you want.

  • Very interesting article, and I’m not surprised, but…

    Why do I care? How will it actually affect me if a random far eastern company knows my birthday and can see a photo of me in a silly hat from 2009?

  • Ok, but what’s the worst thing you can do to me if you have this information? If they “sell it” I don’t really care if they make money off my name and friend list, but what are you imagining they are doing with this? Hunting down my family with guns?

    • Pretty much how it works. I agree… people are still up in arms about this? If so, don’t post/have a social media account!

  • To be fair, I’m amazed people are still surprised by this. Yes, most facebook apps will steal your data. If you’re posting sensitive data to a social media site though, you’re doing it wrong. The safest bet is to automatically assume that anything you post on the internet will be seen by literally everyone else and plan accordingly.

  • Thanks for writing this, very important information for people to have. Does the permission request come up after you create the picture or before? I did the quiz but did not post it to my timeline. I just looked and i don’t see Vonvon on my app page. I am thinking i probably did the picture, got to the permissions, got uncomfortable, and left, but am not 100% sure. If the permissions comes after the picture – are there any risks to just creating the picture but not agreeing and posting?Would one be able to take a screenshot and save the picture, even post it, without negative repercussions, or would that be against some sort of rules.

    • I didn’t share it either, but the app was located in my settings. It probably won’t show up for you on the left side-bar. It didn’t for me either. But if you do enough digging, you’ll find it.

    • If I recall correctly (Vonvon doesn’t allow you to attempt playing more than once and I’ve run out of Facebook accounts to sacrifice), it asks you to authenticate Facebook prior to playing the quiz. However, some people in the comments say they didn’t share it and the app didn’t show up in their Facebook apps list. As for screenshotting the results, I don’t think you’d get in any trouble.

  • What if you haven’t used your real name on FB in the first place becoz you’re a super paranoid nut. What if you wrote down the wrong birthdate and no longer use face pics for your profile … and have never supplied a phone number …. have suspected these quiz thingies for sometime …. but they are gormless fun.

  • I disabled all of the permissions except for status history (the one it obviously needs in order to work which is no problem at all) and it ran fine.

  • I recognised this, and gave them the details anyway.

    If I put it on facebook *AT ALL* I consider it to be in the public domain.

    Let’s be honest – I have significantly more fear of the misuse that the complete scum who run my country make of my internet history and activity than some random advertising data mining company…

    • Your public profile, which is out there for everyone to see anyway, plus your IP address and device info. If you add your timeline posts, you can still play.

  • If you use Facebook as a “social network” i.e. to share with friends, then you don’t need most of the apps. If you want to play silly games, it becomes your problem.

  • Here’s the deal: if you are deeply concerned about keeping stuff you’ve nonetheless posted to Facebook private (between you, Facebook and anyone Facebook wants to share it with, duh) then don’t use any site which requires access to your Facebook account. You know that, I know that, we all know that.

    So obviously we all accept some risk of disclosure and that’s OK. If we don’t accept *some* risk then the Internet is pretty much out of bounds.

    I can’t even post this comment without giving Comparitech my email address and name and they already have my IP address, browser, language, OS etc.

    • Here’s your scare list with my comments:

      Name, profile picture, age, sex, birthday, and other public info
      “Public”. Nuff said.

      Entire friend list
      I wonder why

      Everything you’ve ever posted on your timeline
      Well yeah that’s how it works. My stuff only goes back 2 years though.

      All of your photos and photos you’re tagged in
      I wonder why

      Education history
      I haven’t entered any.

      Hometown and current city
      I haven’t entered any.

      Everything you’ve ever liked
      Slim pickings there.

      IP address
      Yes that’s how websites work.

      Info about the device you’re using including browser and language
      Ditto

  • I honestly don’t see the problem with this.

    This is the antithesis of the “Privacy Declaration” hoax that’s been roaming around freely over the last five years.

    This app doesn’t bother me in the slightest, because I already know that facebook has catalogued every status update I’ve ever made. How do I know this? Because I can go back on my timeline to any time in the last 8 years and read it all myself without this handy-dandy app.

    I know full well that I signed my rights away to facebook when I signed up for it. So why should I care about giving it up for this?

    First thing it says: “you acknowledge and agree that We may continue to use any non-personally-identifying information”

    Non-personally-identifying sounds pretty anonymous to me.

    I haven’t used this app personally, but if one thinks one has any safety or privacy on the Internet at all, one would be a fool. One would have to have never clicked an “OK” or “I Agree” in their entire lifetime in order to be exempt from this fact.

    The answer here is simple: don’t have any personally sensitive information on facebook to begin with, and there’s no data for it to mine.

    This is alarmist media at its finest.

  • In what ways will these third parties use a name fake birthday and list of random names. Plus a mass of photos and idiotic comments that are already public. It sounds ever so terrifying. What horrors should one expect.

  • This is sort of related to post like ‘What’s your superhero name?’ that ask for details that are often used to verify passwords. Like eg. what street you live on or pet’s name etc….

  • All very well telling people about potential fraudsters on your system. Surely FB has to take responsibility for allowing risk onto your platforms. The banks were chastised for bad risk and due diligence practice. Do something about it please and change your internal practises.

  • My, how alarmist of you… And mildly incorrect.
    Some of us look at the permissions requested, look at what is mandatory vs. optional and don’t grant the optional and thereby grant less info.
    But I’m sure the sky is falling.

  • i disabled all permissions except for posts and it worked for me. “worked”
    they got tons of info but (seemingly) not all they originally were going to take.
    i know it’s bad news.
    when facebook was just becoming popular with my 30-something friends…2006/7?…one friend said ‘they’ve figured out how to get people to give them all their personal information willingly’.
    they sure did, didn’t they?

  • If you did the quiz but didn’t publish it to your page, does that matter? That is what I did but still looked to remove vonvon from my apps to be safe but didn’t see it there.

    • If I recall correctly (Vonvon doesn’t allow you to attempt playing more than once and I’ve run out of Facebook accounts to sacrifice), it asks you to authenticate Facebook prior to playing the quiz. However, some people in the comments say they didn’t share it and the app didn’t show up in their Facebook apps list.

  • Great to draw people’s attention to these things. I’m curious to know if/why you find these privacy issues more concerning then Facebook’s own privacy policy and sharing of personal data.

    • Facebook’s policies are certainly of a concern as well, that’s just not what I happened to be writing about in this piece 🙂

  • I personally thought it looked suspect, however many of my friends played. What data belonging to friends could have been collected?

    • You can go into your Facebook app settings and see what info your friends can disclose about you through third-party apps. Facebook will let you check/uncheck what you want shared.

  • Do they ask for these permissions before starting the quiz or before posting your results to facebook? I took the quiz, but did not post & I am not seeing Von Von in my FB app list.

    • If I recall correctly (Vonvon doesn’t allow you to attempt playing more than once and I’ve run out of Facebook accounts to sacrifice), it asks you to authenticate Facebook prior to playing the quiz. However, some people in the comments say they didn’t share it and the app didn’t show up in their Facebook apps list. As for screenshotting the results, I don’t think you’d get in any trouble.

  • Are there any contact details for Vonvon – where we can email them and ask for the “return” (ie deletion of their records) of our data?

  • I chose to not respond to this quiz. But since some of my friends shared their results, that means they now have access to all my data? Yeah, I was afraid so. Is there any way to protect my own data from quiz-happy friends?

  • So Vonvon knows as much about me as Facebook? Not that it isn’t problematic, but the privacy lid has been off Pandora’s box for a long, long time.

  • I edited the permissions, and it *did* let me “play.”

    All of us know by now that if you don’t want it shared with the world, you don’t put it online anywhere. We also know that anything you put on FB is out of your control even within that environment, because it only takes one careless friend to betray your words everywhere. So while I’m sure there’s some data miner who can squeeze something nefarious out of my cat videos and my snarky comments about hymn tempos in Sunday School and my contempt for Donald Trump, I don’t post it if I can’t live with its misuse. By now, that must be true of anybody who can muster the smarts to log on.

  • Luckily I have never put a correct DOB (or anything not otherwise publicly known) into Facebook. I’m aware that voids any agreements I have with them, but I’d rather run that risk with non-sensitive data than have my real details in there.

  • Apparently, journalistic integrity is of little importance to you.
    Manipulating quotations to suit your narrative is deplorable.
    Vonvon, and other companies, are definitely monetizing their services, and, perhaps, also taking advantage of people’s naïveté, but you have deliberately misquoted their Privacy Policy.

    For those readers who care to see the full policy, which clearly states their completely reasonable policy (far more private than Google ‘ or Facebook’s), read it for youself:
    http://en.vonvon.me/terms/privacy_policy.html?_hv=d797157

  • Please give me the worst possible case scenario of what someone can do with the information obtained from this.

    To me it seems like a collection of rather useless data, but maybe I’m missing something. While I doubt you can walk into my bank and make a withdrawl knowing my facebook history, I’m wondering if there is something useful that can be obtained with that info.

  • I’ve long suspected Facebook exists purely to mine data. And personal data will be the sole currency of the future. Be careful people what you share! (despite having given you my proxy email address to say this, hehe) 😉

  • Well dang. I went to FB and went to vonvon “contact developer” and asked them to remove my info and stop sharing it. FB said “There was a problem — try again later”. What’s up with that?

  • Honestly, their privacy policy lines up with the average one, your’re really providing it permissions to another application you use. The real problem imo, is Facebooks allowing all these random third party sites the ability to allow the end user to sign with their account accross any website that can access the code to do that with little to nothing preventing abuse.

  • If you know from the jump what these things are but your friends have taken these quizzes, how much of your information is potentially compromised?

  • I took the quiz but unchecked everything the app said it was going to collect. Can’t remember the exact list, but I unchecked it all. What’s the deal in that case?

  • okay, so I found the app, but there are no delete or trash options—only various “open”, “share”, and “download” options…please help. Thanks, M.

    • Hi Marcia, go to facebook.com/bookmarks/apps, click the button that says “settings,” and delete apps from there. An “X” should appear when you hover over an app. This is for the desktop version, not mobile.

  • Whilst warning about quizzes, you request an email address in order to post a comment. This is partly to draw attention the that irony and also to see if a real address is required 🙂

    • I have a separate email account for communication with people I don’t know, such as receiving online shopping receipts (and the inevitable deluge of ads that follow even when I uncheck the box that says “email me about future promotions”…I’m looking at you, NEWEGG!), signing up for forums, and commenting on sites like this. I highly recommend doing so.

      Also, there’s a huge difference between giving somebody one means of contacting you, and giving them all the information contained in your Facebook profile.

    • A real email is not required. The main reason we ask for an email is so we can notify you of responses to your comment.

      • That would be nice, if it was true. However, I was unable to post this very comment without entering an email address.

        The error message was: “ERROR: please fill the required fields (name, email).”

  • Thank you for explaining so eloquently what I have suspected all along – that these stupid viral quiz mills are dangerously intrusive. Now I can share this link whenever necessary.

    Thanks!

    • Yes, I would like your browser history. If I could also have your email, your facebook username (and if you could add me to your friends list), and your IP address, that’d be great.

      Please note that by providing me with this information you give me full permission to do whatever I want with it, including using it to gain more information about you and then emailing you all of your dirtiest secrets so you learn to keep your sh*t personal.

    • When you authorize this app (and others) Facebook provides you a list of the data it will share. You can uncheck most of these types of data before you authorize the app.

    • I tried un-checking many of the permission boxes and then get the thing to work but it wouldn’t. I caved and did it anyway. 🙁 Normally I ne’er do these things but this one was intriguing

    • I don’t know of a way to filter the apps so you only see ones that share pics. You’ll have to inspect them individually. On the apps page in Facebook, hit the button that says “Settings”. Here you can delete and edit permissions for everything you’ve authenticated with Facebook. Just below that, there’s also an “Apps others use” section, where you can deselect photos and other categories so you don’t get sucked into apps that your friends use.

    • There’s no taking back the data you’ve already given up, unfortunately. However, to prevent future collection of your data, go to the “apps” section of your Facebook account. On desktop, this is found in the left sidebar. There you can click on the cog icon and remove Vonvon.

      • I did the quiz but I didn’t share it on my wall. I followed your steps on my desktop and couldn’t find “Vonvon” on my app list. Any ideas what this means?

        • Try hitting the button that says Settings on the page with the list of apps to get the full list. For some reason Facebook may not list them all on the main apps page.

  • You can deny most of those permissions, though. I agree it’s problematic but there is a middle ground between “sell soul to unknown developer” and “withdraw completely”.

      • I think the reason capabilities such as sharing your quiz results on your Facebook Timeline with your Friends does not work when you remove certain permissions (e.g. access to your Friends list) is because if they can’t access your Friends list, they can’t share the results with your Friends on your Timeline. Assuming that VonVon follows the Facebook Platform Policy (https://developers.facebook.com/policy/), there should theoretically (and I emphasize “theoretically”) not be a problem with providing access to the Friends list–reason being that in theory, the Friends list can only be used for the person taking the quiz to share the quiz results with your Friends on your Facebook Timeline (“Only use friend data (including friends list) in the person’s experience in your app.”). They are not allowed to use the list for any other purpose. So for folks who have already taken and shared the quiz, let’s hope VonVon honors the Facebook Platform Policy.

      • You’re right. The settings are sneaky because a few times have changed themselves to a new default Facebook set. But you can change them all specifically how you want right after. It would not work for me because of my settings which was a good thing.

      • I disabled permissions of all but posts and it worked. I’m starting to wonder how well you actually researched/investigated this.

        • Hi Oofda, Vonvon has sent us a response saying it has narrowed down the permission requirements to only what’s necessary in light of this article. We’re working on an article update to be published in the very near future, but are having some issues with our backend.

      • I disabled everything except “public profile”, which I figure is, well, already public and available for mining, and the quiz worked just fine for me. If you’re going to play these games, always click on the “edit permissions” button and unclick everything you don’t want them to have.

      • Thanks for the advice. I have also found that if you disable FB, FB does not work.

        More seriously though, why all the hysteria about ‘privacy’ on FB?

        I’m not sure anyone wants to read about my Aunty Catherine’s crochet (it is pretty good though) or trawl through my mate Kevin’s beach holiday photos with that interesting picture of Amy’s mosquito bites on her elbow. Browsing history? News sites, YouTube, restaurants, YAWN.

        Just put up stuff that is only vaguely interesting to your friends, only have FB friends you actually know, block all others, remember it is the Internet and lead a care-free life! If it ain’t there, nothing to share! (or hide).

      • I denied all the permissions except access to my statuses (which obviously it needs to generate the cloud), and it worked just fine.

      • I only allowed VonVon access to my public profile and my posts, and the quiz worked. It took me some time to figure out how to do it, and I can’t remember now so I can’t explain it well, unfortunately. All the same, I have gone to my apps list and removed VonVon. Thank you for your instructions on how to do that.

      • When I took this “quiz” I reviewed what info they were requesting and deselected everything they didn’t need: like my birthday, hometown, current city, and photos, etc. It worked fine.

      • I denyed most of the permissions and it worked. Only allowed pubic profile info and photos. Admittedly I do not know what info is public but I think my profile privacy is pretty strict. I wish I did not give permission to access photos but since the are part of my posts I figured that was going to give me the most accurate results. I did not give permission for anything else – because I did not see how anything else was relevant – and I still got a result for the quiz…

      • Yes, actually it does. I disabled all but access to posts (obvi it needs those) and it worked fine without any of my other information. Posts aren’t private, friends of friends of friends can view them, posts on face book are as private as a public library self.

      • I disabled all of them but public profile (can’t disable that, but it’s public anyway), and your timeline posts. Word cloud generated perfectly fine. It’d make sense that it needs timeline posts, since that’s the data it’s generating off of. Everything else can be disabled without breaking the app.

      • When I did it a few days ago I most certainly could and did disable almost all permissions (everything except my status postings – obviously if one were to disable that it wouldn’t be able to do the word cloud!)

      • I was able to disable everything except my public profile and my status updates (which it would need to find the words), and the quiz worked. When I shared it, I suggested that others unchecked the options as well.

      • I was able to uncheck everything except the posts themselves (which it obviously needs to work) and use the app successfully. I’m not saying that this necessarily makes it a good idea, but it is possible.

      • It worked for me…. and I unticked everything except the access to posts (so they could work out what were the most commonly used words I used). Everything else was unticked.

      • Perhaps they changed it recently, but I was able to uncheck those settings and do the quiz. (Whether the results were as “accurate” or not, I cannot say.)

      • I actually did disable most of the permissions successfully, only allowing it to read my posts, not my friend info or any personal information.

      • I did the quizz. I unchecked my birthday, friends list and everything else, except access to read my previous posts and it worked.

      • I revoked everything but my email address, and it let me use it, although that was some days ago. They may have changed their auth once it went viral. (I make sure not to post anything I want hidden on FB anyway, since I am a web professional – so I didn’t really care if it did take my email address and name.)

      • That’s not true, I disabled all but what was necessary and it worked. People should know by now to check what you’re giving away information -wise and disable anything that’s unnecessary and to fully agree with what you do give out. Afterwards, you should always remove such apps from your Facebook app list so they are unable to interact with it in the future. I thought this stuff was common knowledge? If you’re not checking this stuff it’s your own fault and if it doesn’t work for you with what you’re willing to give out then don’t do it… It’s not rocket science.

      • I don’t know why it didn’t work for you. I disabled everything except public timeline and it worked just fine. It said that it would be better with more permissions, but still have me a result.

      • Actually, it works if you give it permission to access your posting history only and refuse the rest, though admittedly I have no idea if it can access your friends’ information and other stuff via your posting history.

      • I was able to get a “result” (in other words, boring words from public posts and none of the cussin’ that my personal feed is full of) with everything unchecked except public data, but there was also a message below saying something along the lines of “you’ll get better results if you give us access to everything”.

      • If I recall when I tried the app last week I disallowed pretty much everything, and only allowed it to see my posts (which is, after all, the point of the app) and it worked just fine. Without me having to give up my hometown, friends’ names, etc.

      • Yes I suppose you could leave just the profile and timeline permissions and it would work, but that doesn’t change the fact that it asks for way more than it needs and most people won’t bother with permissions.

        • If people don’t bother with permissions then it’s their own stupid fault really. Yeah, they shouldn’t ask for that stuff but honestly… Programs since the dawn of time have been giving the ‘express install’ option that downloads stuff or invades your privacy. Using these apps shouldn’t be any different in your approach to them. You’d think people know this stuff by now, this kind of stuff is nothing new.

          It’s people who are too lazy who are at fault here for giving away data they don’t really want to give away when they have the option not to.

          Now if these companies hacked this information out of you or gathered truly compromising information like passwords or bank details to gain access to your stuff, then yeah it’s fair enough, that’s illegal and wrong.

          But if you’re agreeing to and just giving it to them then it’s all on you, always check the fine print, ALWAYS.

Leave a Reply

Your email address will not be published. Required fields are marked *