Who is ultimately responsible for privacy if that privacy is violated through the use of an API? The user of the API? The owner of the API?
I was recently using a photo website that connected to various social networks to display my photos. I found a security issue where if you change the id variable in the url, you can view another person’s pictures. I’ll address this in a separate post. This isn’t even a hack – it’s just changing one number in the url.
So who is responsible for protecting my data?
Is it Facebook? I uploaded my photos to Facebook and Facebook is the source of the third-party photo app. Should Facebook be responsible for checking the apps that connect through it’s API?
Is it the third-party photo app? They’re the one with the security flaw that is exposing my photos.
Is it me, the user? Should I not be posting my photos knowing someone, somewhere, somehow can view them?
I’m leaning towards the third-party application, but it’s not going to look good for Facebook either.