October 21, 2010
Facebook says apps transmitted user information
NEW YORK (AP) — The latest Facebook (News - Alert) privacy fiasco shows that the world's largest online social hub is having a hard time putting this thorny issue behind it even as it continues to attract users and become indispensible to many of them.
The Wall Street Journal reported Monday that several popular Facebook applications have been transmitting users' personal identifying information to dozens of advertising and Internet tracking companies. Facebook said it is working to fix the problem, and was quick to point out that the leaks were not intentional, but a consequence of basic Web mechanisms.
"In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work," said Mike Vernal, a Facebook engineer, in a blog post Monday.
In a statement, Facebook said there is "no evidence that any personal information was misused or even collected as a result of this issue."
Even so, some privacy advocates said it's problematic that the information was leaked at all, regardless of what happened to it. Facebook needs its users to trust it with their data because if they don't, they won't use the site to share as much as they do now.
"Facebook has been assuring users for a very long time that their personal information will not be available to advertisers," said Marc Rotenberg, executive director of the Washington–based Electronic Privacy Information Center.
At issue are user IDs, the unique identifier tied to every person on Facebook. These IDs can be used to find users' names, gender and any information they've made visible to "everyone" on the Internet through their privacy settings.
"It's their entire friends' lists, their likes, their biographical information," Rotenberg said. "Facebook gets access to it and now it's leaking out to advertisers."
The Journal said these IDs could be included in what's known as "referrers." That is what websites send to other sites to tell them where the user came from. Normally, these wouldn't tell the sites who these users are. But that becomes possible when the referers include a person's social network ID.
In one case, these IDs were then embedded in a "cookie," which tracks users as they navigate the Web, by an online data collection company, the Journal said. That meant that Facebook users' names and browsing habits could be linked up.
The company, Rapleaf, said this did not happen intentionally and it has since fixed the problem.
"As of last week, no Facebook ids are being transmitted to ad networks in conjunction with the use of any Rapleaf service," the company said in a blog post Sunday.
Facebook's more than 500 million users share varying amounts of private information online, and over the years the company has come under fire from privacy advocates for pushing people to reveal more about themselves to everyone on the Internet. At the same time, the company also allows users to set up privacy settings for nearly everything they share on the site.
There are some exceptions, though. Users' names, profile photo and gender if they specify it are always public. For a slew of other details, Facebook gives users controls so that they can hide friends list, photos, work information and e–mail addresses.
Facebook said the knowledge of a user's ID does not give anyone access to that user's private information. But that's not the problem, said Peter Eckersley, senior staff technologist for the digital rights group Electronic Frontier Foundation.
"The problem is that ad companies can know who you are at all," he said.
Eckersley said the "referer" problem isn't new, nor is it necessarily limited to Facebook. The Journal did not mention other social networks such as MySpace (News - Alert), which is owned by News Corp., like the Journal.
"We urgently need investigations to determine how many other social networks may be suffering from this type of data leak," he said.
MySpace did not have a comment.
Some, such as media critic Jeff Jarvis, came to Facebook's defense. He called the Journal report an overreaction because the user information was already publicly available.
"The White Pages reveal I use the phone. So?" Jarvis wrote on Twitter. He said in an interview later that traditional media and marketing companies have long exposed far more personal information.
"Publications sell their subscriber lists, manufacturers sell their warranty lists, and those have (people's) real names and addresses. That has long existed," Jarvis said. "What's the real harm here is the key question. The worst harm is that someone delivers to you a more targeted ad."