Facebook has disabled a new capability it introduced several days ago that let users share their cell phone numbers and physical addresses with developers of applications they use on the site and with publishers of websites they've linked their accounts to.
The ability to pass this information to external developers and publishers was introduced Friday and promptly triggered complaints and concerns from industry observers who felt that, as implemented, it could compromise users' privacy.
For example, some, like security firm Sophos, predicted that rogue developers would try to exploit this new capability by tricking users into inadvertently granting them access to the data in order to sell the phone numbers and addresses to spammers or to use them for identity theft.
On Monday, Facebook announced that some of the concerns were valid and that it has therefore shelved the new feature so that it can rework its implementation and relaunch it in a few weeks.
"Over the weekend, we got some useful feedback that we could make people more clearly aware of when they are granting access to this data. We agree, and we are making changes to help ensure you only share this information when you intend to do so. We'll be working to launch these updates as soon as possible," wrote Facebook official Douglas Purdy in a blog post.
Sophos applauded Facebook's decision and offered some suggestions for how to redesign the feature so that users have more clarity and control over it.
"The best solution would be to permit users to provide this data, via a dropdown or checkbox, when they choose to add an application, but it should not be required. Users who want the convenience that Facebook is offering should be able to choose to share their information, but those of us who are more security conscious should be able to opt out and elect to type it in when necessary," Sophos official Chester Wisniewski wrote in a blog post.