Monday, October 18, 2010

Facebook in yet another privacy SNAFU

Facebook is involved in yet another privacy SNAFU. A Wall Street Journal investigation has revealed that many Facebook apps are transmitting Facebook User IDs (which are unique profile IDs that Facebook uses in its APIs) to advertising and internet tracking companies.

This, the WSJ reported on Monday, is also the reason social gaming company LOLapps saw its apps removed from Facebook last Friday. The apps are now back, and the "relationship" that caused the issue has been dissolved, LOLapps said in a blog post. In other words, whatever tracking company they were working with previously, they aren't any longer. Here's what LOLapps said:
It has been a big weekend in the news for privacy and Facebook applications. As tonight’s Facebook developer blog post states, ‘In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work.” This statement applies to Lolapps.

When we were informed of the issue the relationship that put us into this category was immediately dissolved. Since Lolapps was founded in 2008, we have always been committed to Facebook’s platform policies and will continue to be as we grow.
That Facebok Developer Blog post adds:
Knowledge of a UID does not enable anyone to access private user information without explicit user consent. Nevertheless, we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy.
What that is Facebook's stance, that UIDs in and of themselves do not reveal a user's true identity, the WSJ found that outside firms could connect the dots:
Defenders of online tracking argue that this kind of surveillance is benign because it is conducted anonymously. In this case, however, the Journal found that one data-gathering firm, RapLeaf Inc., had linked Facebook user ID information obtained from apps to its own database of Internet users, which it sells. RapLeaf also transmitted the Facebook IDs it obtained to a dozen other firms, the Journal found.
RapLeaf said the transmission of information to other firms was accidental.

While LOLapps saw its apps taken down, the heaviest of heavy hitters on Facebook, Zynga (e.g., Farmville), although also linked by the Wall Street Journal to the transmission of UIDs, was not did not see its apps disabled. One could only imagine the outcry and withdrawal symptoms that would have occurred.

While this fits into the category of "there is no such thing as complete privacy any longer," something Google has said before, Facebook has had privacy issues before, and always takes heavy criticism when a new one arises.

This past spring, the WSJ had discovered a similar issue: that, under some circumstances, when an ad was clicked, Facebook was transmitting UID numbers to advertising companies itself. Facebook discontinued the practice, but a spokesman said this would not be so easy. He told the WSJ:
"This is an even more complicated technical challenge than a similar issue we successfully addressed last spring on Facebook.com, but one that we are committed to addressing."


No comments: