Facebook Privacy Breach? More Like a Snafu

Inplace #2

facebook_small.jpgADOTAS – Et tu FarmVille? The Wall Street Journal says you’ve been giving my personal information to ad networks! My god, it’s a conspiracy! I knew I couldn’t trust that Zuckerberg! I knew you were a rotten egg Pincus!

Well, maybe it’s not such a nefarious plot — maybe it’s just a loophole in app and browser design… But that’s not nearly as exciting — I demand scandal from my tech news.

As part of its shrieking “What They Know” series, WSJ makes some damning claims this morning: 10 of the most popular Facebook apps leak personal info to advertising and tracking companies, including people’s names and occasionally their friends’ names. On that list is the hottest time-waster in the world, FarmVille, which boasts about 60 million users. Social gaming kingpin Zynga is also held to account for its Texas HoldEm Poker and FrontierVille. Got your privacy settings on high? It doesn’t matter — your name is out there.

The technical side is a bit more complicated. As Facebook’s Mike Vernal explains in a blog post, “several applications built on Facebook Platform were passing the User ID (UID), an identifier that we use within our APIs, in a manner that violated this policy. In most cases, developers did not intend to pass this information, but did so because of the technical details of how browsers work.”

Facebook applications are loaded within iframes — the content inside is controlled by the app developer and is actually located at a different URL than the one the user sees in the address window. This URL may contain the UID — Freedom to Thinker’s Harlan Yu explains, “When your browser goes to fetch the advertisement, it automatically forwards to the third party advertiser ‘referer’ information — that is, the URL of the current page that’s loading the ad.”

Referrers (or referer) are quite handy tools for analytics — publishers want to know where their traffic is coming from. UIDs do not offer access to private user information, but it’s pretty easy to figure out a user’s name from one. With the UID, security and privacy researcher Christopher Soghoian further explains data collectors and ad networks can associate your existing cookies with your real name. If your interests on Facebook are public, they could add those to the profiles that they’re building on all of us!

So who tipped off The Wall Street Journal to this practice? What companies have been collecting user names and compiling them into already established profiles? Who have these miscreants been selling to?

Google’s DoubleClick and Yahoo’s Right Media have apparently been receiving the data — but they say they didn’t realize they had it. Data seller Rapleaf gets called out by name — WSJ says it was sending UIDs right over to its data buyers, but Rapleaf counters that it didn’t known the UIDs were there and it’s now stripping them out. Interestingly Rapleaf CEO Auren Hoffman wrote a long column for AdExchanger explaining why IP tracking is a bad idea.

Wait, there’s not even an anonymous source saying, “Oh yeah, these guys use that info all the time to put names on their profiles”?

The WSJ article right that Facebook was (insignificantly) breaking its privacy policy, but any speculation beyond that is paranoid crap. Although Facebook gets smeared in the headline, the wrongly demonized party actually is online advertising technology companies.

On Twitter, journalism professor and media critic Jeff Jarvis on called it the “continuation of Wall Street Journal’s war against the Internet, and noted that such data is less useful than a copy of the white pages. At the end of July the paper published a laughably hyperbolic screed — it’s hard to get past the title without cracking up: “The New Gold Mine: Your Secrets” — about third-party data collecting that dubbed the practice “spying on Internet users.”

Using a great deal of Ben Edelman’s research WSJ reported on a similar issue with referring URLs in May, subsequently Facebook deleted the offending “ref=profile” URL tags. In its blog response to today’s story, Facebook’s Vernal notes that the situations are similar but the apps case requires a more technical response. However, Yu points out several solutions that are pretty straightfoward. No. 1: developers can stop using UIDs in the HTTP GET arguments or add a hash mark before the UID, which would hide the identifier in the referrer.

Congratulations, WSJ: Mountain constructed from molehill and paranoia enhanced across the Internet. Rupert Murdoch-owned publications never let specifics get in the way of a good headline.