According to the WSJ, a number of Facebook applications have been sharing information about users that they should not have. Many apps on Facebook, some quite popular, have been “transmitting identifying information—in effect, providing access to people’s names and, in some cases, their friends’ names—to dozens of advertising and Internet tracking companies.” According to WSJ, “Tens of millions of Facebook app users” appear to be at risk, even those who have chosen the absolute strictest privacy settings.
Facebook has responded by saying that the problem is being blown out of proportion. What’s happening is that the UID’s of users accessing Facebook apps have been passed on to 3rd parties by some applications. This UID is just a number that uniquely identifies your profile on Facebook. Knowing the ID itself doesn’t actually get you access to anything special. As Facebook puts it:
Recently, it has come to our attention that several applications built on Facebook Platform were passing the User ID (UID), an identifier that we use within our APIs, in a manner that violated this policy. In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work.
The main issue with passing around this UID is that it can later be combined with other data floating around the Internet about you. RapLeaf, a company that compiles data about web users and sells it, was able to connect these UID’s with data they already had. This allowed them to form a better picture of the individuals they were tracking. This data collection is really where the privacy issue lies.
Facebook already had policies in place against sharing UID’s and many of the apps in violation were disabled. LOLApps went offline briefly because of this issue, but has since been restored. According to their blog, they unintentionally shared information (which is pretty easy to do because of how browsers work). Apparently, when they found out what had happened, someone got fired:
When we were informed of the issue the relationship that put us into this category was immediately dissolved. Since Lolapps was founded in 2008, we have always been committed to Facebook’s platform policies and will continue to be as we grow.
While some of the most popular apps on Facebook (Farmville, Frontierville, Texas HoldEm Poker) were affected, it doesn’t appear that they were disabled. The 12 companies that did receive user information from RapLeaf say they did not use or store the information and RapLeaf says the data was shared unintentionally. So, as the privacy ball bounces out of bounds, it looks like everyone involved has thrown up their hands.
That’s to be expected, but this may not be the end for Facebook. This latest episode in the Facebook privacy saga will certainly be drug out as long as possible. Those aware of the breach will find ways to exploit it and frighten Facebook users. At this point, I’m not so sure it’s worth closing up the farm or shutting down the cafe over.