It’s an old adage, sure. But on the Internet, it may as well be a scientific law: You don’t get something for nothing.
I re-learned this most recently when I tried to see what my most used words on Facebook were. Billed as a “quiz” by a South Korean startup named Vonvon, this viral sensation spread across the social web like digital wildfire last week. But when I connected my account to “Most Used Words,” I did what I always do with Facebook apps: denied it access to anything beyond my public profile information. And as a result, the word cloud it returned was blank.
Social media services like Most Used Words have long used personal user information to generate unique, interesting, and sharable posts. But in the case of Vonvon’s content, users have complained that the company stepped over the line by asking for far more data than the quiz seems to need. Specifically, Vonvon requested access to the following user data:
- Name, profile picture, age, sex, birthday, and other public info
- Entire friend lists
- All timeline posts
- All photos and photos the user is tagged in
- Education history
- Both hometown and current city
- Likes
- IP Address
Since Monday, other users began taking notice of the fistfuls of data that Most Used Words seemed to be grabbing at. Then media outlets began reporting on it, with The Huffington Post calling the quiz “a breach of your personal data,” and WIRED dubbing it “a privacy nightmare.” And suddenly, Most Used Words’ meteoric viral climb slowed to a crawl. In its first five days, the quiz attracted 17.5 million users. In the past two, fewer than 300,000 have tried it.
I was among the people jarred by the apparent privacy overreach. But after some digging, I’m no longer sure Vonvon has done anything wrong, yet.
According to Vonvon President David Hahn, Most Used Words requested all of this user info because the company runs a wide range of quizzes, and it hoped people would return to the website daily to take more of them. By asking for permission for all of that user data up front, Vonvon wouldn’t have to repeatedly pester users for it again.
On top of that, Hahn contends, the company cannot store any user data itself. When a Facebook user interacts with Vonvon’s content, their information continues to reside in the social network’s servers, and Vonvon cannot copy the data. In fact, says Hahn, the only bit of data that Vonvon receives from connecting a user to its services is the user’s Facebook ID number, anonymized digits that let returning users access their results on the company’s various quizzes and viral content such as “Are You A Psychopath?” “Who has a crush on you?” and “Which Pixar Superstar Captures You Perfectly?”
In double-checking Hahn’s claims with Jeremy Gillula, staff technologist for the privacy group Electronic Frontier Foundation, it appears that Vonvon is indeed playing it safe with user data. Most Used Words, and the company’s other quizzes, seem to be run within the web browser in JavaScript, which means the data is parsed right there on the user’s computer, not far away in the cloud.
“They are doing it in the most privacy protective way they could, given the limitations of Facebook’s API,” says Gillula. “At the same time, people may not realize that they don’t have to do it that way, and it’s entirely possible that they could have done it another way — a less conscientious developer could have done it differently.”
And that is the problem with my snap judgement. Good apps and nefarious ones can look too similar to the naked or uninformed eye. Even Gillula isn’t completely certain that Vonvon’s content isn’t siphoning data out, somehow. “Without looking at every single line of the code, you can’t be 100% sure,” he says. “There’s certainly no easy way for users to be sure.”
And as a startup trying to establish trust with a growing audience, Vonvon wants the public to see the company in a positive light. To date, Vonvon’s various pieces of viral content have resulted in more than 200 million user interactions across 15 languages since the company launched in March. It has $2.6 million in funding, and has attracted sponsored content partners including Samsung, Australia Tourism, and online gaming platforms. The company has said that it does not collect or sell user data, and that it only generates revenue through these sponsored partnerships and through ads placed within its viral content.
“We are dedicated to create fun, engaging, and innovative contents while respecting our users’ privacy, and we hope our users will trust us in our efforts to creating a fun and safe platform for everyone to use.” says Hahn.
In a move towards better establishing that trust, as of Monday night, Vonvon has changed Most Used Words to now only request access to users’ public information, friends list, and timeline data. The app still works if you deny it access to your friend list — and you should — but that’s a step in the right direction.
Contact us at letters@time.com.
For free real time breaking news alerts sent straight to your inbox sign up to our breaking news emails
Sign up to our free breaking news emails
A viral app is able to hoover up all of people’s personal information and is able to sell it on to whoever it wants.
An app called Most Used Words on Facebook has been shared thousands of times but may be taking the information of those who use it.
The quiz is just one of a huge number of Facebook apps that are luring people in with the offer of interesting information or quizzes. The apps then request access to your information and Facebook page before they will give up what they are offering — and sell on the data that they are able to gather.
The Most Used Words on Facebook app is most often seen when a user posts the word clouds that it generates. It pulls information from users’ statuses and finds the words that they have used most, assembling them into a picture that shows the most common ones largest.
The app has been shared over 16 million times, according to Comparitech, which first reported the privacy issues. «That’s over 16 million people who agreed to give up almost every private detail about themselves to a company they likely know nothing about,» the site wrote.
When a user clicks on a post, they will see a quick page offering the option to grant access to their profile so that the app can see what they have posted and analysed. But when the app requests access to your Facebook profile, it also requires that people allow it to hoover up private information from a users’ accounts.
The company said that it was requesting that information so that it didn’t have to ask repeatedly when users clicked on different quizzes. But it told Comparitech that it would be altering that policy, adjusting the scope of each data request «the minimum requirement to produce each separate content».
The app asks for permission to see everything a user has ever liked. It is also able to gather up information about the computer that is being used — including its IP address and what browser they are using, both of which can easily be used to steal further personal information.
The company behind the app, Vonvon, told Comparitech that despite being able to take a vast array of information, it does not gather it or store it on its services. Since it does «not store any personal information», it has «nothing to sell», the company’s CEO Jonghwa Kim told Comparitech.
10 facts you didn’t know about Facebook
Show all 10
Some of the information includes data about a person’s friends, which means that the company may have information about you even if it hasn’t used the app. That includes your entire friends list and all of the photos that you are tagged in.
The app’s terms of service state that all of the information that it takes will continue to be stored even if you shut your account with them, “for any reason whatsoever”. They also point out that the information can be stored “on any of our servers, at any location”, which means that it could be held in locations that have much fewer controls for how it is used.
It isn’t clear what the site is doing with the information. But it makes clear that it can sell the information to anybody that it wants — without giving you any notification — and that simply using the app means that you have given your permission for them to do so.
Once it has sold that data on, it gives no protection for how it is used. The privacy policy “does not apply to the practices of entities Vonvon does not own or control, or to individuals whom Vonvon does not employ or manage, including any third parties to whom Vonvon may disclose Personal Information”, the terms read.
I’m a late night FB scroller and, as such, I’m particularly susceptible to whiling my insomnia away with quizzes and polls. Flooding my feed this week has been one particular quiz, which promises to reveal the words you used most on Facebook in 2015. As a writer and someone who is a self-professed word nerd, how could I pass the opportunity up to break down my social media linguistics? So, today, I’m logging in via the quiz website Vonvon and sharing the journey to discover my most used Facebook words with you, dear readers.
Through what sorcery Vonvon comes up with the random amalgamation of words, I know not. Given how surprisingly simple the process is, one must wonder how accurate the results can be. In full disclosure, though, I re-tested it multiple times — and the only noticeable difference was that the background and text colors changed. Besides, isn’t this the allure of Facebook quizzes to begin with? No one knows why they work; they just do. Somehow, upon learning my favorite caffeinated beverage is a Venti Iced Caramel Macchiato, they can peg my free-spirited Bohemian heart, right down to the way I prefer flared jeans over skinny leg denim. Chalk it up to one of life’s great mysteries. It’s inexplicable, much like how Oxford Dictionaries 2015 Word of the Year was «Face With Tears of Joy» emoji.
So, operating under the premise that this system is sound (and quite possibly of some otherworldly Facebook quiz think tank), let’s walk through it.
1. Log In Using Your Facebook Profile
Clicking on the quiz link takes me to the corresponding page on Vonvon. At the bottom of the page, there is an oblong blue box asking me to log in with Facebook, so I oblige. A tiny square then appears in the upper right hand corner with my profile pic in it.
2. View Result
The oblong blue box has now turned a beautiful shade of pink and has one simple request: View result. When I click on it it, it begins the brief process of tabulating my results.
3. Analyze Your Life
And there you have it, friends — the words I’ve used most often on Facebook in 2015. Interestingly enough, «me» is front and center. I’m honestly not sure what to think of that, but I do like how the words «I’m» and «Just» flank it, as though to say the core sentiment that permeates my Facebook feed is «I’m just me.» At least, that’s how I’m going to choose to look at it. Once I get past the initial shock of «me» staring back at me, though, I have to admit I’m pretty pleased with the words that compose my Facebook cloud.
My other two most prominent words seem to be «Marlow» and «love,» also known as my daughter and the driving force in nearly everything I do, respectively. Jay and Bowen, my husband and my son, are represented; as are Charleston and Folly, my beloved city and local beach. I apparently speak often of «people,» «work,» my «mom,» «women,» «books,» «time,» and «kids.» And those conversations seemingly come from a place of joy — in addition to «love,» my Facebook vernacular is filled with «happy,» «good,» «heart,» «like,» «favorite,» «yes,» «grateful,» and «amazing.» Also, I’d be remiss not to mention the hallowed institution that is «cake.» So, I’ll take it. Facebook sorcery and all.
Which words do you use most on Facebook? Head here to take the quiz yourself!
Images: Julie Sprankles/Bustle (4)
‘Most Used Words’ is far from the only app to have such extensive policies regarding your data, but its recent viral success could mean many more users are at risk than might otherwise be the case. And while it is possible on Facebook and other apps to limit what an app can access, that option it typically overlooked by users, who click through without checking the app’s privacy settings.
As Comparitech highlight, the ‘Most Used Words’ app’s privacy policy says information it gathers can be stored on Vonvon’s servers «at any location» in the world. If a user’s personal data is stored in a different country on one of the company’s servers it may not have the same privacy protections as it did in the country where it was created. The European Court of Justice’s recent ruling that Safe Harbour, which saw a data sharing agreement between the UK and US, is invalid was made because there were not adequate privacy protections for user data in the US.
The privacy policy also says that Vonvon is able to «use any non-personally-identifying information» you provide it with, even after the «termination» of membership with the company or use of its services.
Vonvon also states in its policy that it won’t pass on a person’s information to third party companies — unless it has informed the user of its plans to do so,including telling you about it in the privacy policy: «We do not share your Personal Information with third parties unless We have received your permission to do so, or given you notice thereof (such as by telling you about it in this Privacy Policy), or removed your name and any other personally identifying information from it.»
The policy says the company uses the personal data to provide «age-appropriate and gender-related» adverts, paid for by external companies.
The privacy policy also states that it does not cover what third parties might do with your data: «This Privacy Policy does not apply to the practices of entities Vonvon does not own or control, or to individuals whom Vonvon does not employ or manage, including any third parties to whom Vonvon may disclose Personal Information».
It is unclear if any users’ data has been sold, or what Vonvon.me plans to do with it. But as ever, your best course of action is probably not just to use it. And in case you’re curious, your most used word on Facebook was probably this emoji.
What Are Your Most Used Words? App / Screenshot Credit: Amit Chowdhry
Over 18 million
Facebook
users have tried out an app called “What Are Your Most Used Words on Facebook?” recently. The “What Are Your Most Used Words on Facebook?” app — which was created by a South Korean company named Vonvon — displays a «word cloud» based on your frequently used words in past status messages. The most frequently used words in status messages appear larger and towards the center of the word cloud. “What Are Your Most Used Words on Facebook?” sounds like it is a harmless and fun app to try out, but UK-based VPN company Comparitech warns that it is a “privacy nightmare.”
When a Facebook user signs up to use the app, he or she agrees to give the “What Are Your Most Used Words on Facebook?” app permission to collect your IP address, profile picture, age, friends list, posts, posts you are tagged in, birthday, education history, hometown, likes, photos and more. And this data can be stored on Vonvon’s servers anywhere across the world.
“We may continue to use any non-personally-identifying information in accordance with this Privacy Policy (e.g., for the purpose of analysis, statistics and the like) also after the termination of your membership to this WebSite andor use of our services, for any reason whatsoever,” says Vonvon’s privacy policy. “Vonvon processes Personal Information on its servers in many countries around the world. Such information may be stored on any of our servers, at any location.”
However, Vonvon CEO Jonghwa told Sophos that private data is not stored on company servers, nor is data sold to advertisers. He said that the information is only used for generating results. Kim added that the results of “Word Cloud” is generated in the user’s web browser. “As we do not store any personal information, we have nothing to sell. Period,” said Kim.
In an interview with VentureBeat, Kim said Vonvon is his third startup. Previously he sold a travel blogging website called Wingbus and a social e-commerce website called Dailypick for $9 million in the same year. Vonvon has raised $3 million in funding led by Altos Ventures. And Vonvon has over 40 editors that creates the online quizzes, which are monetized by display ads. Vonvon also makes money by selling branded quizzes on behalf of corporations.
Regardless of how you feel about privacy policies in general, it is good practice to review your Facebook app settings from time-to-time. You can see which apps have authorized access to your public information under the “Logged in with Facebook” section of the Facebook Application Settings. When you hover the cursor over an icon, you will have an option to remove authorization or edit settings for that corresponding app.
Have you used the “What Are Your Most Used Words on Facebook?” quiz app? What are your thoughts? Please leave a comment!
@pabischoff November 22, 2015
UPDATE on November 24 @12:10pm: Vonvon has responded to this article saying it does not sell data to third parties. See the company’s response below. This article has been edited to reflect their statement.
Lately, you’ve probably seen a couple of your Facebook friends post the results of a quiz app that figures out your most-used words in statuses. Or maybe you posted it yourself. It looks something like this:
The “quiz,” created by a company called Vonvon.me, has risen to over 16 million shares in a matter of days. It’s been written about in the Independent, Cosmopolitan, and EliteDaily. Sounds fun, right?
Wrong. That’s over 16 million people who agreed to give up almost every private detail about themselves to a company they likely know nothing about.
“ooo! if i click here and auth in with facebook it’ll scan my entire year of posts, store the data and tell my most used words. sign me up!”
— Saved You A Click (@SavedYouAClick) November 19, 2015
The app, like many Facebook quiz apps, is a privacy nightmare. Here’s a list of the info the quiz requests players disclose to Vonvon.me:
- Name, profile picture, age, sex, birthday, and other public info
- Entire friend list
- Everything you’ve ever posted on your timeline
- All of your photos and photos you’re tagged in
- Education history
- Hometown and current city
- Everything you’ve ever liked
- IP address
- Info about the device you’re using including browser and language
Note: In light of this article, Vonvon has reduced the number of permissions required.
Read more: How to remove apps from Facebook for better privacy
The oxymoronic privacy policy
Even if you take the “I have nothing to hide” approach to privacy, the app also collects a fair bit of info about your friends. Vonvon’s privacy policy leaves a lot to be desired. Let’s walk through it to see why you should steer clear of this quiz or any of the dozens more on Vonvon’s site. First off, for those who have already played the quiz, there’s no take backs:
[…] you acknowledge and agree that We may continue to use any non-personally-identifying information in accordance with this Privacy Policy (e.g., for the purpose of analysis, statistics and the like) also after the termination of your membership to this WebSite andor use of our services, for any reason whatsoever.
Your information could be stored anywhere in the world, including countries without strong privacy laws. A Whois search reveals Vonvon.me was registered in South Korea, but it operates under several languages including English, Vietnamese, Malaysian, and Korean:
Vonvon processes Personal Information on its servers in many countries around the world. Such information may be stored on any of our servers, at any location.
Vonvon is free to sell your data to whomever it pleases for a profit, although they have since confirmed they have no intention of doing this. Vonvon says it will not share personal information with third parties without permission, but just by playing the quiz you’ve technically given it permission because it assumes you’re a responsible person who reads the privacy policy. Of course, most people who play the quiz are not that responsible.
[…] We do not share your Personal Information with third parties unless We have received your permission to do so, or given you notice thereof (such as by telling you about it in this Privacy Policy) […]
Yes, it actually says that. Worst of all, Vonvon skirts responsibility after it has given your data to third parties, who can do whatever the hell they want with it:
[…] this Privacy Policy does not apply to the practices of entities Vonvon does not own or control, or to individuals whom Vonvon does not employ or manage, including any third parties to whom Vonvon may disclose Personal Information […]
Companies who you have never met can now access your entire Facebook profile–friends, photos, statuses and all–and use them in ways you never directly agreed to. By the way, if you edit the permissions before authenticating the app with Facebook, Vonvon won’t allow you to play the quiz. Edit: You can remove all permissions except your public profile and Facebook timeline posts, and still play the quiz. Most people that play probably won’t bother, though.
Abstinence is the best privacy policy
We’ve singled out Vonvon because it recently went viral, but Facebook is full of shady data dealers to masquerade behind viral quiz mills. Facebook is a haven for a large number of such companies and, frankly, hasn’t done enough to educate or warn users about the risks. Social Sweethearts, a similar company based in Germany, creates quiz apps that are so bold as to collect your email address. Hope you like spam, suckers!
So how can you protect yourself? The easiest way is to avoid online quizzes that require Facebook authentication altogether. Go to the apps section of your Facebook profile–where these data miners often reside–and remove anything you don’t 100 percent trust. Many of them can even hijack your Facebook and post on your behalf. Stick to quizzes that just let you share the results without logging in with your Facebook account, such as the ones on Buzzfeed.
If you insist on authenticating a Facebook quiz app, be sure to check the permissions and read the privacy policy or terms of use.
Vonvon’s response:
Hello,
I’m Jonghwa Kim, the CEO of vonvon, inc.
Vonvon is a start-up in Korea, we’ve been around less than a year now but luckily we had good traction all over the world with more than 100M unique visitors from US, UK, France, Brazil, China, Japan, Korea, Thailand, etc. with 15 languages.
Though I understand there could have been misunderstanding, I’m deeply concerned about your false accusation.
1. Do we store your personal information?
We only use your information to generate your results, and we never store it for other purposes. For example, in the case of the Word Cloud, the results image is generated in the user’s Web browser, and the information gathered from the user’s timeline to create personalized results are not even sent to our servers. Also, in the case of our quiz “What do people talk behind my back?” we use user’s school and hometown so that we may pull up close friends rather than pairing random person among your 500 fb friends in the results. We use this information only to process familiarity of friends, and again, the information is never stored in our databases.
2. Why do we request personal information unrelated to the Word Cloud quiz?
As mentioned above, vonvon.me creates a variety of quizzes for entertainment purposes only and leverages various user data to produce the most engaging and customized result. (** WE EMPHASIZE AGAIN WE ONLY USE USER DATA TO PRODUCE CONTENT AND NEVER SAVE THEM**) We have asked our users for a comprehensive list of access privilege so that they can enjoy our vast library of quizzes as smoothly as possible. However, we do realize that some of our users are worried about their privacy protection. To accommodate these concerns proactively,we adjusted our scope of data request to the minimum requirement to produce each separate content as of 9pm KST, Nov. 23.
3. Are we selling your personal information to a third party?
As we do not store any personal information, we have nothing to sell. Period.
4. About the Privacy Policy
It’s seem like you taken words out of context for the sake of your accusation.
—
[…] you acknowledge and agree that We may continue to use any non-personally-identifying information in accordance with this Privacy Policy (e.g., for the purpose of analysis, statistics and the like) also after the termination of your membership to this WebSite andor use of our services, for any reason whatsoever.
-> “Non-personally-identifying” information is not the same with “personal” information. Are we the only company in this planet use analytics tools to better understand our users with cumulative behavioral data?
—
Vonvon processes Personal Information on its servers in many countries around the world. Such information may be stored on any of our servers, at any location.
-> Our service is on the Google App Engine and we are running services in 15 languages including Japanese, French, German. This is also a pretty standard clause in many privacy policies in this age of cloud computing. Don’t you think it’s a little far-fetch idea that we put in this clause to “export” personal information to “counties without strong privacy laws”?
—
[…] We do not share your Personal Information with third parties unless We have received your permission to do so, or given you notice thereof (such as by telling you about it in this Privacy Policy) […]
-> You conveniently omitted the following section which we stated that we share personal information only in case of compliance with law. There’s no clause states that we share personal information to other businesses
—
[…] this Privacy Policy does not apply to the practices of entities Vonvon does not own or control, or to individuals whom Vonvon does not employ or manage, including any third parties to whom Vonvon may disclose Personal Information[…]
—> Again, you omitted ‘(as defined below)’ as in ‘including any third parties to whom Vonvon may disclose Personal Information(as defined below)’, which leads to the same section that states we only share personal information when it’s required by law.
In fact, we did have the clause states that we might share personal information to trusted business partner few month ago – we put it in without much thought since most media sites have similar policies.
But it back-fired in Japan few month ago with the similar rumor that we might sell personal information and we decided to delete the clause since we never sold and have no plan to sell personal information what-so-ever.
Your style mislead the readers and putting great damage to our reputation and trust.
I’d appreciate if you take back this misleading accusation.
Best,
Jonghwa
How can I protect my privacy?
If this article has made you think more critically about your online privacy, good. If you’ve already played Vonvon’s quiz or something similar, you can read our tutorial on how to manage and remove Facebook apps connected to your account. Beyond that, there are several easy steps you can take to boost your privacy and protect your data from corporations, hackers, and governments.
Our top recommendation is to use a VPN. A VPN encrypts all of your computer or smartphone’s internet traffic and routes it through a server in a location of your choosing. The encryption prevents your internet service provider from recording what you do online, and the intermediary server helps anonymize your activity so websites and apps can’t pinpoint your location or device IP address. On top of that, VPNs can also be used to unblock geographically restricted content, such as the US Netflix catalog.
You can also install a handful of extensions on your browser to prevent companies and advertisers from tracking you, such as Privacy Badger or Disconnect. HTTPS Anywhere is another good extension that forces your browser to load the secure, encrypted versions of websites whenever they’re available. If anonymity is what you’re after, look into using the Tor browser.
Finally, always read the fine print. Look over privacy policies to see what information is collected and who it’s shared with. Be critical of app permissions that seem to ask for more information than they need. And never give up personally identifiable information to anyone online that you don’t 100 percent trust.