Out-Law News

Facebook confirms applications' breach of privacy rules


Facebook has confirmed that some applications on the social networking platform are passing on the identity of users to third parties in violation of its policies.

The Wall Street Journal (WSJ) had reported that the 10 most popular Facebook applications were all transmitting identifying information to third party companies, which is against Facebook's rules.

Facebook has admitted that the information is being passed on, but has said that claims of the seriousness of the problem were exaggerated.

"Developers cannot disclose user information to ad networks and data brokers. We take strong measures to enforce this policy, including suspending and disabling applications that violate it," said a blog post by Facebook's Mike Vernal, which a Facebook spokesman said was to act as the company's comment on the issue.

"Recently, it has come to our attention that several applications built on Facebook Platform were passing the User ID (UID), an identifier that we use within our APIs, in a manner that violated this policy," said Vernal. "In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work."

The WSJ found that the 10 most popular applications, including Farmville and Texas HoldEm Poker, were sending user identifications to 25 companies, some of which were advertising firms and some of which built behavioural tracking databases containing information about users' behaviour.

The Facebook user IDs that were being passed on could be used to retrieve a Facebook user's real name and any information on their profile to which access was not restricted by that user's privacy settings.

The WSJ reported that the user ID data was passed on even in the case of users whose privacy settings were set to maximum, meaning that users could do nothing to stop it happening.

Facebook said that reports about the data leaks gave a misleading impression about the scale of the problem.

"Press reports have exaggerated the implications of sharing a UID," said Vernal. "Knowledge of a UID does not enable anyone to access private user information without explicit user consent."

The WSJ had not claimed, though, that the user ID allowed a company to gain access to material protected by Facebook's privacy settings. Its claim was that the user ID was in itself information that users would not expect to be passed on to companies dealing in identities.

"We are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy," said Vernal.

Vernal said that it could be days before the company has a solution to the problem. The company did not respond to a query asking if any applications had been suspended while it investigates.

"We are talking with our key partners and the broader Web community about possible solutions. We will have more details over the course of the next few days," said Vernal.

Facebook's policy for developers of applications forbids the passing on of any information, including user IDs, to third parties.

"You must not use user data you receive from us or collect through running an ad, including information you derive from your targeting criteria, for any purpose off of Facebook, without user consent," said the policy.

"You will not directly or indirectly transfer any data you receive from us to (or use such data in connection with) any ad network, ad exchange, data broker, or other advertising related toolset, even if a user consents to such transfer or use. By indirectly we mean you cannot, for example, transfer data to a third party who then transfers the data to an ad network. By any data we mean all data obtained from the Facebook API, including aggregate, anonymous or derivative data," it said.
