My colleague Jonathan Zittrain asks whether Facebook should protect its users from rogue third-party applications, not least given the sensitive personal data it holds.
We talked about the missed opportunity for Facebook to control applications' access to users' data in a presentation last summer at GikII: Stalking 2.0: privacy protection in a leading Social Networking Site. In a nutshell, FB gives applications almost unrestricted access to users' data, even though in most cases it is not needed — and certainly not to turn friends into zombies or werewolves or play Scrabulous. FB holds almost every category of personal data categorised as "sensitive" by the European data protection directive. The best way to stop "rogue" applications from abusing this information is to stop them getting access in the first place.
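As an added illustration (not code from the original post, and not how Facebook's platform actually worked), the following sketches the kind of default-deny data broker the post argues should sit between a user's profile and a third-party application: an app declares the fields it needs, sensitive fields need a separate user consent, and friends' data is released only as identifiers. All field names and sample data are constructed.

```python
from dataclasses import dataclass

# Constructed field names of the kind the post says the EU data protection
# directive treats as "sensitive"; the broker withholds these by default.
SENSITIVE = frozenset({"religion", "political_views", "health", "sexual_orientation"})


@dataclass(frozen=True)
class AppManifest:
    """What an application declares it needs (hypothetical manifest format)."""
    name: str
    requested: frozenset  # profile fields the app claims to need
    purpose: str = ""


def grant_scope(manifest, consented_sensitive=frozenset()):
    """Return (granted, withheld) field sets for an app.

    Least privilege: nothing outside the manifest is ever released, and a
    sensitive field is granted only if the user consented to it explicitly,
    separately from the act of installing the application.
    """
    requested = set(manifest.requested)
    withheld = {f for f in requested & SENSITIVE if f not in consented_sensitive}
    return frozenset(requested - withheld), frozenset(withheld)


def release_profile(profile, scope):
    """Filter a profile down to the granted scope (default deny)."""
    return {k: v for k, v in profile.items() if k in scope}


def release_friends(friends, scope):
    """Friends are data subjects too: expose opaque ids only, and only if the
    app was granted the friend_ids field."""
    return [f["id"] for f in friends] if "friend_ids" in scope else []


# Constructed sample data for a single user and two friends.
PROFILE = {"name": "A. Example", "birthday": "1980-01-01", "hometown": "Cambridge",
           "email": "a@example.invalid", "religion": "(private)", "political_views": "(private)"}
FRIENDS = [{"id": 101, "name": "B. Example"}, {"id": 102, "name": "C. Example"}]

# A zombie game needs a display name and who to "bite"; nothing else.
ZOMBIE_GAME = AppManifest("Zombies", frozenset({"name", "friend_ids"}), "turn friends into zombies")


def run_zombie_game():
    """What the game actually receives under the broker."""
    scope, withheld = grant_scope(ZOMBIE_GAME)
    return release_profile(PROFILE, scope), release_friends(FRIENDS, scope), withheld
```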
JZ also compares the privacy impact of Web apps to traditional applications. In practice, while many operating systems (even Windows) allow users to sandbox their applications' access to user data, few applications use this functionality. Why, for example, does a document viewer launched by a mail client need access to anything other than its own application files and the relevant attachment? Restricting access in this way would make it harder for malware to spread through e-mail, but it seems that application writers are not yet putting the basic security principle of "least privilege" into practice.