Facebook admits ‘inadvertent’ privacy breach
Published 18/10/2010 | 11:20
Facebook has confirmed that some of its most popular applications transmitted identifying information, such as user names, to advertising and internet-tracking companies.
The admission follows a Wall Street Journal investigation which uncovered evidence that some popular Facebook apps have shared user data with internet tracking organisations.
The Wall Street Journal said the breach affects tens of millions of Facebook users, including those who have set their profiles to the most secure and robust privacy settings.
Facebook insists the breach does not expose any private user information.
The Journal’s investigation found that all 10 of the most popular Facebook apps – including well-known games such as FarmVille, Mafia Wars and Texas Hold’em – transmitted Facebook user identities, known as UIDs, to advertising and internet-tracking companies, in contravention of the social networking site’s rules.
Facebook’s policies state that developers cannot disclose user information to advertising networks or data brokers, and that no one can access private user data without explicit user consent.
User identities, or UIDs, are unique numbers assigned to every Facebook user.
Facebook IDs are “public”, meaning that users can search for a person using their Facebook ID.
In some instances, profiles will be secured, and so not viewable, but in many cases, searching by user ID brings up photos and information that a user has set to share with “everyone”.
The news raises fresh doubts about Facebook’s privacy policies, and its ability to keep user information secure.
However, Facebook stressed that the passing on of UIDs by developers to third-party organisations was “inadvertent”, and accused the press of exaggerating the scale and significance of the incident.
“In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work,” wrote Mike Vernal, a Facebook engineer, on the company blog.
“Press reports have exaggerated the implications of sharing a UID. Knowledge of a UID does not enable anyone to access private user information without explicit user consent.
“Nevertheless, we are committed to ensuring that even the inadvertent passing of UIDs is prevented and all applications are in compliance with our policy.”
Facebook has around 500 million users and a thriving app platform, with millions of people playing social games on the networking site.
The Wall Street Journal found that three of the top 10 apps, including FarmVille, had not only transmitted UIDs to outside companies, but also personal information about users’ friends.
The Journal said that the apps it examined were sending user ID numbers to at least 25 advertising and data firms.
One firm, RapLeaf, was found to have linked Facebook user data gleaned from its catalogue of apps to its own database of internet users. RapLeaf said the data breach was unintentional.
Zynga, the company behind FarmVille, said it would work with Facebook to refine web control technologies to better ensure the preservation of personal information.
Some of the apps at the centre of the controversy were offline over the weekend, as developers sought to resolve the issue.