Friday, November 5, 2010

Wall Street Journal probe finds Facebook apps reveal user info

The Wall Street Journal investigated the privacy of Facebook users, finding that popular applications, such as FarmVille, send a user's personal information to marketing companies in a violation of Facebook privacy rules.
The Wall Street Journal published its findings Monday in a reveal exposing how marketers collect data about consumers -- when those same consumers are not aware their data is being "grabbed." More than one of the companies receiving personal information about users was selling that data, said Wall Street journalists Emily Steel and Geoffrey A. Fowler.

Steel and Fowler said they became interested in seeing if a user's personal information really was protected earlier this month after

"... Facebook created a control panel that lets users see which apps are accessing which categories of information about them."

Facebook, along with at least one of the companies that had received personal data, as well as a few bloggers have downplayed the privacy breach, saying the Wall Street Journal "over-reacted." The breach, they say, is not new, does not represent a conspiracy, and isn't something to worry about. Forbes blogger, Kashmir Hill wrote that the "breach" was nothing more than a design flaw, pointing out that My Space has the same issue. Hill thought the Wall Street Journal was unfairly singling out Facebook.

The Washington Post's Rob Pegoraro also had a similar analysis to Hill's. There's nothing new to the information Facebook reveals, Pegoraro said, while asserting that the information that is commonly revealed about Facebook users every day, even when those users opt for maximum privacy, is not private information.

In a statement posted Sunday on Facebook's Developer Blog, representative Mike Vernal wrote

"... Recently, it has come to our attention that several applications built on Facebook Platform were passing the User ID (UID), an identifier that we use within our APIs, in a manner that violated this policy. In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work.
Press reports have exaggerated the implications of sharing a UID. Knowledge of a UID does not enable anyone to access private user information without explicit user consent. Nevertheless, we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy.
We have experience addressing this sort of issue previously, although the technical challenges here are greater. We are talking with our key partners and the broader Web community about possible solutions. We will have more details over the course of the next few days."

The Wall Street Journal reported that Facebook had shut down some applications over the weekend in response to the probe, but said some applications have since been reinstated on Facebook.

Steel and Fowler assert some of the data gathered from the ten top Facebook applications was sold to other companies. Approximately 500 million Facebook users use Facebook applications. The report also states that at least three of the applications not only sent out info on the user, but also sent out information about the user's friends.
One of those companies, RapLeaf Inc. issued a statement in response to the Wall Street Journal stating

"... When we discovered that Facebook ids were being passed to ad networks by applications that we work with, we immediately researched the cause and implemented a solution to cease the transmissions. As of last week, no Facebook ids are being transmitted to ad networks in conjunction with the use of any Rapleaf service. The transmissions, when they occurred, were not a result of any purposefully engineered process by Rapleaf. Instead, they were due to broader issues — as discussed in the article — concerning site referrer URLs, which are managed by sites themselves and ad networks."

The Wall Street Journal exposed a similar situation earlier this year where a user's private information was sent to advertisers when users clicked on Facebook ads, prompting Facebook to correct what it called an "unintentional oversight." At the time, Facebook said

"... in a rarely occurring case, advertisers knowledgeable about the structure of Facebook's URLs could use the referrer to determine when someone who clicked on an ad had been viewing his or her own profile, thus potentially enabling them to infer the user ID of that person. We have no reason to believe that any advertisers were exploiting this, and doing so would have been a violation of our terms. To our knowledge, none did."

For those wishing to learn more about how they can protect their privacy on Facebook, the Huffington Post has published three tips.
The addition of new privacy concerns for users of Facebook come just as Facebook has created a new application for Facebook users with Bing. The partnership means on-line Facebook searches will be "more personal," reported Network World.

Facebook's privacy policies have received strong criticism in the past, causing Facebook to revise options in an attempt to protect user's identifies and privacy. In September, Canada's Privacy Commissioner said she had completed a review of Facebook's privacy concerns, stating in a press release that Facebook had resolved the issues. However, Jennifer Stoddart said she still had concerns with Facebook, saying

"... However, our work with Facebook is not over."

The National Post reported Monday that Stoddart was considering launching another investigation into Facebook's privacy following Wall Street Journal's report.
Techland has posted an article that outlines the user identity issue in greater depth, using plain English.

1 comment:

Anonymous said...

I ran across this in search of tools to help with security features with Facebook, you may want to try it out it worked for me.

Free Cloakguard plugin for Facebook available from:
Download -
Demo -